14603 matches found
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.23 - Sensitive Information Exposure
Description The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extrac...
Everest Forms < 2.0.8 - Unauthenticated Server-Side Request Forgery via font_url
Description The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery via the 'fonturl' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify...
Animated Headline <= 4.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Animated Headline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animated-headline' shortcode in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...
Contact Form by BestWebSoft < 4.2.9 - Reflected Cross-Site Scripting via cntctfrm_contact_subject
Description The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrmcontactsubject’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for...
Revolut Gateway for WooCommerce < 4.9.8 - Missing Authorization
Description The Revolut Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the wcrevolutclearrecords and wcrevolutonboardapplepaydomain functions in versions up to, and including, 4.9.7. This makes it possible for...
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efblikebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user...
affiliate-toolkit – WordPress Affiliate Plugin < 3.5.5 - Missing Authorization via atkp_import_product
Description The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkpimportproduct function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with...
Easy Accordion – Best Accordion FAQ Plugin for WordPress < 2.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Easy Accordion – Best Accordion FAQ Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'accordioncontentsource' attribute in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes ...
Slider Responsive Slideshow – Image slider, Gallery slideshow < 1.4.0 - Authenticated (Contributor+) PHP Object Injection
Description The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awlsliderresponsiveshortcode function. This makes it possible for...
Wp Social Login and Register Social Counter < 3.0.1 - Missing Authorization to Unauthenticated Social Login/Share Status Update
Description The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wpsocial/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated...
Categorify < 1.0.7.5 - Cross-Site Request Forgery via categorifyAjaxUpdateFolderPosition
Description The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPosition function. This makes it possible for unauthenticated attackers ...
Colibri Page Builder < 1.0.260 - Arbitrary Shortcode Call via CSRF
Description The plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the cpshortcoderefresh function, allowing unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator int...
Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover
Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. PoC 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install...
Easy Forms for Mailchimp <= 6.9.0 - Sensitive Information Exposure via logfile
Description The plugin stores its logs at a predictable path, making it easy for anyone to leak their content...
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin < 3.3.51 - Missing Authorization to Unauthenticated Events Export
Description The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportdata function in all versions up to, and including, 3.3.50. This makes it possible for...
PPWP – Password Protect Pages < 1.9.0 - Protection Mechanism Bypass
Description The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.9 via API. This makes it possible for unauthenticated attackers to obtain post titles, IDs, slugs as well as other information including for...
ARMember < 4.0.25 - Improper Access Control to Sensitive Information Exposure via REST API
Description The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Default Restriction" feature and view restricted post content...
ProfilePress < 4.14.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its reg-number-field shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
JetBackup < 2.0.9.9 - Directory Listing Exposing Backups
Description The plugin doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files. A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct...
Orbit Fox by ThemeIsle < 2.10.30 - Connected API Keys Update via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the registerreference function, allowing attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as...
Photo Gallery by 10Web - Mobile-Friendly Image Gallery < 1.8.20 - Directory Traversal to Arbitrary File Rename
Description The plugin is vulnerable to Directory Traversal attacks via the renameitem function. This makes it possible for authenticated attackers to rename arbitrary files on the server. Note: By default this can be exploited by administrators only. In the premium version of the plugin,...
Shield Security < 18.5.8 - Unauthenticated Stored Cross-Site Scripting
Description The plugin is vulnerable to Stored Cross-Site Scripting via the getColumnContentPage function due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user...
AI Engine < 2.1.5 - Editor+ Arbitrary File Upload via add_image_from_url
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'addimagefromurl' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the...
Stripe Payment Plugin for WooCommerce < 3.8.0 - Unauthenticated SQL Injection
Description The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...
GeneratePress Premium < 2.4.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom Meta
Description The GeneratePress Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom meta output in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...
Image Compressor & Optimizer - iLoveIMG < 1.0.6 - Admin+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection in all versions up to 1.0.6 exclusive via deserialization of untrusted input. This makes it possible for authenticated attackers, with admin access or higher to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a...
EazyDocs < 2.4.0 - Subscriber+ Arbitrary Posts Deletion and Document Management
Description The plugin re-introduced CVE-2023-6029 https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/ in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9...
HTML5 SoundCloud Player <= 2.8.0 - Authenticated (Author+) PHP Object Injection
Description The HTML5 SoundCloud Player with Playlist Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.8.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inje...
EventON (Free < 2.2.8, Premium < 4.5.5) - Reflected XSS
Description The plugins do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...
Eazy Plugin Manager < 4.1.3 - Missing Authorization via update_options
Description The Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateoptions' function in all versions up to, and including, 4.1.2. This makes it possible for...
TheGem < 5.9.2 - Reflected Cross-Site Scripting
Description The TheGem theme for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 5.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
LightStart < 2.6.9 - Subscriber+ Page design Update
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the inserttemplate function, allowing authenticated attackers, with subscriber-level access and above, to change page designs...
WS Form LITE < 1.9.171 - Authenticated(Administrator+) SQL Injection
Description The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 1.9.171 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
WordPress Infinite Scroll - Ajax Load More < 6.2 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export
Description The plugin does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts. PoC...
Post Grid Combo – 36+ Gutenberg Blocks < 2.2.65 - Authenticated (Contributor+) Cross-Site Scripting
Description The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
Login With Ajax < 4.2 - Missing Authorization
Description The Login With Ajax plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...
Annual Archive <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Annual Archive plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...
WPPerformanceTester <= 2.0.0 - Cross-Site Request Forgery
Description The WPPerformanceTester plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorize...
WP Booking System < 2.0.19.3 - Missing Authorization
Description The WP Booking System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpbssavecalendardata function in versions up to, and including, 2.0.19.2. This makes it possible for authenticated attackers, with subscriber-level access and above...
Piotnet Forms < 1.0.29 - Unauthenticated Arbitrary File Upload
Description The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetformsajaxformbuilder' function in versions up to, and including, 1.0.28. This makes it possible for unauthenticated attackers to upload arbitrary file...
MyTube PlayList <= 2.0.3 - Reflected Cross-Site Scripting via addplaylistid
Description The MyTube PlayList plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘addplaylistid’ parameter in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Email Address Encoder 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Email Address Encoder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eaeshortcode shortcode in version 1.0.22 due to insufficient input sanitization and output escaping on the 'link' user supplied attribute. This makes it possible for...
WP Forms Puzzle Captcha <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting
Description The WP Forms Puzzle Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this functio...
TextMe SMS < 1.9.1 - Subscriber+ Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE
Description The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution. PoC Run the following JS code in any page on the server, setting the id variable to a valid ID of a log entry on the...
Essential Addons for Elementor < 5.8.9 - Authenticated (Contributor+) Privilege Escalation
Description The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.8.8 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for...
BackWPup < 4.0.2 - Authenticated (Administrator+) Directory Traversal
Description The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally,...
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 4.10.1 - Missing Authorization to Template Import
Description The MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the importsrmp3template function in all versions up to, and including, 4.10. This makes it possible for authenticated...
ARI Stream Quiz < 1.3.0 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...