14603 matches found
Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.3 - Cross-Site Request Forgery (CSRF)
The plugin does not protect its settingspage action against CSRF attacks, allowing an attacker to update the plugin settings on their behalf by tricking a logged in admin to submit a crafted request...
Japanized For WooCommerce < 2.5.5 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=wc4jp-options=a...
Accept Stripe Donation - AidWP < 3.1.6 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
ProfilePress < 4.5.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Clio Grow < 1.0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WordPress Infinite Scroll - Ajax Load More < 5.6.0.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Examples a lot of attributes are...
eVision Responsive Column Layout Shortcodes <= 2.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC bscolumns class='" onmouseover="alert1"...
GigPress <= 2.3.28 - Subscriber+ SQLi
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks PoC Run the below commands in the developer console of the web browser while being on the...
Hueman Addons <= 2.3.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC column size='" onmouseover="alert1"...
Page Builder: Live Composer < 1.5.23 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC dslcnotification color='red"...
TemplatesNext ToolKit < 3.2.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC txheading margin='"...
Post Category Image With Grid and Slider < 1.4.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
miniOrange WordPress SAML SSO Standard < 16.0.8 - Open Redirect in SSO login
The plugin does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in...
WP Social Widget < 2.2.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wpsw facebook='" onmouseover="alert1"'...
Social Warfare < 4.4.0 - Post Meta Deletion via CSRF
The plugin does not have CSRF checks in some AJAX actions, allowing attackers, to make a logged in admin call them and delete arbitrary post meta as well as reset access tokens related to network via CSRF attacks PoC...
FL3R FeelBox <= 8.1 - Moods Reset via CSRF
The plugin does not have CSRF check when updating reseting moods which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydlposts & lydlpoststimestamp DB tables PoC Make a logged in admin open a page containing the HTML code below...
User Verification < 1.0.94 - Authentication Bypass
The plugin was affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the website. PoC...
OneClick Chat to Order < 1.0.4.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC 1. Instal...
Sassy Social Share < 3.3.45 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Insert th...
Search & Filter < 1.2.16 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. PoC Insert the...
EU Cookie Law <= 3.1.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Enter the setting page of this plugin. 2...
Anti-Malware Security and Brute-Force Firewall < 4.21.86 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC 1. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
WP Pipes < 1.4.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
WordPress Filter Gallery Plugin < 0.1.6 - Admin+ Stored XSS
The plugin does not properly escape the filters passed in the ufggalleryfilters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfilteredhtml capability is disabled. P...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgmultiplefilesforpost POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host...
Chained Quiz < 1.3.2.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the dn parameter before outputting it back in the chainedquizlist page, leading to a Reflected Cross-Site Scripting...
Chained Quiz < 1.3.2.5 - Arbitrary Question Deletion via CSRF
The plugin does not have CSRF check when deleting questions, which could allow attackers to make logged in admins perform such action via a CSRF attack...
User Registration < 2.2.4.1 - Subscriber+ Arbitrary File Upload
The plugin does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files for example. PoC The following Python script automates the exploitation of this plugin by...
Add Comments <= 1.0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC POST...
miniOrange's Google Authenticator < 5.6.2 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
Web Stories < 1.25.0 - Subscriber+ Server Side Request Forgery
The plugin does not validate the url parameter passed to the v1/hotlink/proxy REST endpoint, allowing any authenticated users to perform SSRF attacks...
YDS Support Ticket System <= 1.0 - Cross-Site Request Forgery
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Activate the Share Icons feature of the...
Mega Addons For WPBakery Page Builder <= 4.2.7 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP-PostRatings < 1.90 - Ratings Tempering via Race Condition
The plugin is affected by a race condition allowing any authenticated user to tamper with ratings and decrease/increase their value...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Text Editor
The plugin does not sanitise and escape the Text Editor block, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
Contest Gallery < 17.0.5 - Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author...
ActiveDEMAND plugin <= 0.2.27 - Unauthenticated Post Creation/Update/Deletion
The plugin does not have any authorisation in some of its REST route, which could allow unauthenticated users to delete, create and update arbitrary post...
Download Manager < 3.2.49 - Multiple CSRF
The plugin does not have CSRF check in place in some places, which could allow attackers to make a logged in admin perform unwanted actions...
Enable SVG, WebP & ICO Upload <= 1.0.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameter, which could allow users with a role as low as author to perform stored Cross-Site Scripting attacks...
Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
The plugin has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls
The plugin exposes a couple of sensitive actions such has “tpreset” under the Utilities tab /wp-admin/admin.php?page=tputils, which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and...
WP-DBManager < 2.80.8 - Admin+ Remote Command Execution
The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should. PoC Use any WordPress plugin that allows the users to upload files with extension - ".php" is not required - for example: .jpg usually many...
Testimonials <= 3.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters available to users with a role as low as contributor, allowing them to perform Stored Cross-Site Scripting attacks...
User Private Files < 1.1.3 - Subscriber+ Arbitrary File Upload
The plugin does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded. PoC 1 Create a file named exploit.php, which contains:...
Advanced WordPress Reset < 1.6 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting PoC - Completely reset the site using the plugin - Visit https://example.com/wp-admin/tools.php?page=advancedwpreset&"...
WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC On...
Name Directory < 1.25.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well PoC...
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
The plugin does not have proper authorisation in one of its REST endpoint, allowing unauthenticated users to update the "Toggle thecontent filter" setting PoC POST /wp-json/yikes/cpt/v1/settings HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Photo Gallery by Supsystic < 1.15.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...