14602 matches found
WordPress 4.7 - User Information Disclosure via REST API
PoC http://www.example.com/wp-json/wp/v2/users...
Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Note that this vulnerability is identical to https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/ as it was introduce...
LearnDash LMS < 4.6.0.1 - User Account Takeover via Insecure Direct Object References
The plugin does not correctly manage access to system resources, resulting in Insecure Direct Object References. As a result, users can bypass authorization checks, leading to unauthorized changes to user passwords, potentially compromising administrator accounts...
BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access
The plugin is affected by a Directory Traversal attack, allowing unauthenticated attackers to access arbitrary files on the web server, starting in version 8.5.8.0. PoC Install BackupBuddy v8.5.8.0 through v8.7.4.1. curl...
Themify - WooCommerce Product Filter < 1.3.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC...
Avada < 7.8.2 - Arbitrary Plugin Instalation/Activation via CRSF
Description The theme does not have CSRF check when installing and activating plugins, which could allow attackers to make logged admins install and activate arbitrary plugins via CSRF attacks...
WP < 6.0.3 - Multiple Stored XSS via Gutenberg
Description The packaged Gutenberg does not escape data from some blocks before outputting ti back in pages, which could lead to Stored XSS issues. Affected blocks: Search, Feature Image, RSS and Widget...
WP < 6.0.3 - Stored XSS via wp-mail.php
WordPress does not properly sanitize some parameters when receiving a post by email, which could lead to Stored Cross-Site Scripting issue...
Unauthorised AJAX Calls via Freemius
Description The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in...
The7 < 11.6.1 - Reflected XSS
The plugin does not sanitise and escape a parameter from the legacy DT Flickr widget before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Booking Calendar < 9.1.1 - PHP Object Injection
The plugin unserializes user data without being validated first, which could allow attackers to perform PHP object injection attack. If a timeline is published, unauthenticated attackers could perform such attack, otherwise any authenticated could. A suitable POP chain, from another plugin for...
Popup Maker < 1.16.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Popup Maker Create Popup Popup Settings Triggers Add New Cookie Add...
Gutenberg Template Library & Redux Framework < 4.2.13 - Unauthenticated Sensitive Information Disclosure
Some AJAX actions of the plugin, available to unauthenticated users and used for support features could allow attackers to obtain potentially sensitive information such as the PHP version, active plugins along with their versions, as well as the unsalted MD5 hashes of the site’s AUTHKEY and...
WooCommerce 8.8.0 - 8.9.2 - Reflected XSS
Description The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...
Automatic < 3.92.1 - Unauthenticated SQL Injection
Description The Automatic plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.92.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...
Easy Panorama < 1.1.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Fontsy <= 1.8.6 - Multiple Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC curl -i 'http://example.com/wp-admin/admin-ajax.php?action=getfonts' \ --data 'id=1 AND SELECT 1 FROM...
WP < 6.0.2 - Reflected Cross-Site Scripting
Description Plugin's deactivation and deletion error messages are not escaped when output in the plugins screen, which could lead to Reflected Cross-Site Scripting...
Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)
Multiple plugins were found to be vulnerable to the Dompdf unauthenticated Local File Inclusion LFI vulnerability CVE-2014-2383. PoC...
Salient Core < 2.0.3 - Reflected Cross-Site Scripting
Description The salient-core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...
Gutenberg < 16.8.1 - Contributor+ Stored XSS via Navigation Links Block
Description The plugin does not escape some of its Navigation block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Sexy Squeeze Pages - Cross Site Scripting (XSS)
The instasqueeze WordPress plugin was affected by a Cross Site Scripting XSS security vulnerability...
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
In the plugin, unauthenticated users can use the wpcf7rgetnonce AJAX action to retrieve a valid nonce for any WordPress action/function. PoC 'wpcf7rgetnonce', 'param' = 'ANY ACTION HERE' ; $output = curlexec$ch; curlclose$ch; printr$output; ?...
Theme Editor < 2.6 - Authenticated Arbitrary File Download
The plugin did not validate the GET file parameter before passing it to the downloadfile function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd Edit WPScanTeam: The AJAX action wpajaxmkthemeeditorfileopen could also be used to achieve the same thing a...
WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
...
PDF.js < 4.2.67 - Arbitrary JavaScript Execution
Description PDF.js is vulnerable to Arbitrary JavaScript Execution in versions prior to 4.2.67. This is due to a missing type check when handling fonts. This makes it possible for authenticated attackers, with contributor-level or above permissions, to execute arbitrary JavaScript if they can...
WooCommerce < 8.6.0 - Cross-Site Request Forgery
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WPForms Pro < 1.8.5.4 - Unauthenticated Stored Cross-Site Scripting via Form Submission
Description The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Backup Migration < 1.3.8 - Unauthenticated RCE
Description The plugin is vulnerable to Remote Code Execution via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated...
Jupiter X Core <= 2.5.0 - Unauthenticated Arbitrary File Download
Description The plugin does not have authorisation checks and does not validate file paths in the handlefiledownload function, allowing unauthenticated users to download arbitrary files from the server when the premium version of the plugin is activated...
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE PoC As an admin upload a php file containing the palyload zipped along with a valid...
SEO Redirection < 4.3 - Stored Cross-Site Scripting (XSS)
The plugin was affected by a Stored XSS security vulnerability...
The7 Premium Theme < 2.1.1 - Cross-Site Scripting (XSS)
The the7 WordPress theme was affected by a Cross-Site Scripting XSS security vulnerability...
WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
...
Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
Description The WordPress Automatic Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery and Arbitrary File Downloads in all versions up to, and including, 3.92.0. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from...
Popup Builder < 4.2.3 - Unauthenticated Stored XSS
Description The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. PoC 1 Create a popup using the plugin 2 Run the following curl command, switching $POPUPID with that popup's ID: curl --url...
MonsterInsights < 8.12.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC As a contributor, add an "Inline Popular Posts" to...
Multiple themes - Unauthenticated Arbitrary File Upload
Multiple themes from ChimpStudio and PixFill does not have any authorisation and upload validation in the langupload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server. PoC Create a malicious file "backdoor.php", then curl...
Church Admin < 1.2550 - CSRF
The Church Admin WordPress plugin was affected by a CSRF security vulnerability...
Elementor < 3.19.1 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization
Description The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to arbitrary file deletions and PHAR deserialization in version up to, and including 3.19.0. This is due to the plugin not providing sufficient path validation on the 'tmpname' parameter...
WooCommerce < 8.3.0 - Cross-Site Request Forgery
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Bridge Core < 3.1.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection
The plugin was reported to be affected by a critical Authenticated Blind SQL Injection vulnerability. PoC http://www.example.com/wp-json/wc/store/products/collection-data?calculateattributecounts0taxonomy=a%252522%252529%252520or%252520sleep%25252810.1%252529%252523...
WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
...
WPBakery Visual Composer < 7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title tag attribute
Description The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor...
Elementor Header & Footer Builder < 1.6.25 - Contributor+ Stored Cross-Site Scripting
Description The plugin is vulnerable to Stored Cross-Site Scripting via the flyoutlayout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to...
WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
Description WordPress' Object Cache that caches data from the database did not validate or encode the cache key. If an attacker managed to inject a malicious cache key that was then output in a third party plugin, it could lead to XSS...
Multiple Easy Digital Downloads Plugins - Cross-Site Scripting Issue
Some of the extension were also vulnerable, but could not determine their slug/fixed version, such as the edd-amazon-s3 fixed in ??...
All-in-One WP Migration <= 2.0.4 - Unauthenticated Database Export
Unauthenticated users can export a complete copy of the WordPress database, all plugins, themes, and uploaded files...
Contact Form 7 <= 3.7.1 - CAPTCHA Bypass
The Contact Form 7 WordPress plugin was affected by a CAPTCHA Bypass security vulnerability...