14603 matches found
Amazonify <= 0.8.1 - Cross-Site Request Forgery to Amazon Tracking ID Update
Description The Amazonify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on the amazonifyOptionsPage function. This makes it possible for unauthenticated attackers to update the...
Up down image slideshow gallery < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode
Description The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This make...
Better Elementor Addons <= 1.3.6 - Missing Authorization
Description The Better Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the beaadminajax function hooked via an AJAX action in versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, wit...
Elementor Website Builder < 3.16.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()
Description The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the getinlinesvg function in versions up to, and including, 3.16.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
LayerSlider < 7.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The LayerSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Weather Atlas Widget < 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Weather Atlas Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shortcode-weather-atlas' shortcode in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
AppPresser < 4.3.0 - Insecure Password Reset Mechanism
Description The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit...
Betheme < 27.1.2 - Missing Authorization
Description The Betheme theme for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on one of its functions in versions up to, and including, 27.1.1. This makes it possible for authenticated attackers, with contributor-level access and above, to...
Convertful – Your Ultimate On-Site Conversion Tool < 2.6 - Missing Authorization via add_woo_coupon
Description The Convertful – Your Ultimate On-Site Conversion Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'addwoocoupon' REST function in versions up to, and including, 2.5. This makes it possible for unauthenticated...
video carousel slider with lightbox 1.0 - Cross-Site Request Forgery
Description The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsivevideogallerywithlightboxvideomanagementfunc function. This makes it possible for unauthenticat...
EasyRecipe <= 3.5.3251 - Cross-Site Request Forgery
Description The EasyRecipe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3251. This is due to missing nonce validation on several functions such as the saveStyle and updateCustomCSS functions. This makes it possible for unauthenticated...
Elementor Addon Elements < 1.12.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Contact form 7 Custom validation <= 1.1.3 - Unauthenticated SQLi
Description The plugin does not properly sanitise and escape the post parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated uers...
Auto Affiliate Links < 6.4.2.5 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
Limit Login Attempts Reloaded < 2.25.26 - Admin+ Missing Authorization to Toggle Plugin Auto-Update
Description The plugin is missing authorization on the toggleautoupdate AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin. PoC As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console: nonce =...
WordPress Backup & Migration < 1.4.5 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. This was partially fixed in version 1.4.4 but it still allowed XSS attacks from Admin users. PoC fetch"/wp-admin/admin-ajax.php",...
Grid Plus < 1.3.4 - Subscriber+ Local File Inclusion
Description The plugin does not properly validate and sanitize shortcode attributes, leading to a Local File Inclusion vulnerability. This flaw could enable attackers to include and execute arbitrary PHP files on the server, potentially bypassing access controls, exposing sensitive data, or...
Open Graph Metabox <= 1.4.4 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Wp Ultimate Review <= 2.2.5 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Social Media Share Buttons & Social Sharing Icons < 2.8.6 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Form Maker by 10Web < 1.15.19 - Unauthenticated Stored XSS
Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
Magic Action Box <= 2.17.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Tiny Carousel Horizontal Slider <= 8.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP-CopyProtect <= 3.1.0 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Popup contact form <= 7.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC msalert...
Allow PHP in Posts and Pages < 3.0.4 - Authenticated Remote Code Execution (RCE)
Description The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server...
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Description The plugin is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mlastreamfile' parameter from the /includes/mla-stream-image.php file, where images are processe...
Newsletter < 7.9.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its newsletterform shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
DoLogin Security < 3.7 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form. PoC 1. Put javascript payload on html.cafe. const url = 'https://s…t/wp-admin/user-new.php'; fetchurl...
Jupiter X Core Premium < 3.3.8 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate files to be uploaded via the ravenformfrontend AJAX action available to unauthenticated users, allowing them to upload arbitrary files on the server...
Comments Like Dislike < 1.2.0 - Subscriber+ Settings Reset
Description The plugin does not have authorisation when resetting its settings, allowing ay authenticated users, such as subscriber to reset them via the restoresettings function hooked to an AJAX action...
IURNY by INDIGITALL < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to the plugin's settings. 2...
ARMember (free and premium) - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters, which could allow users with a role of Admin and above to perform Cross-Site Scripting attacks...
T1 theme <= 19.0 - Open Redirect
Description The theme is vulnerable to unauthenticated open redirect with which any attacker and redirect users to arbitrary websites. PoC https://www.example.com/wp-content/themes/t1/page-templates/applyredirection.php?file=240317005410now=http://google.comjs=https://www.evil.com?...
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin < 2.5.1 - Cross-Site Request Forgery
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Falang multilanguage < 1.3.40 - Cross-Site Request Forgery
Description Cross-Site Request Forgery CSRF vulnerability in Faboba Falang multilanguage for WordPress plugin = 1.3.39 versions...
Media Library Helper by Codexin <= 1.2.0 - Cross-Site Request Forgery
The plugin does not properly validate requests using nonces, making it susceptible to Cross-Site Request Forgery CSRF attacks...
WooCommerce Product Vendors < 2.1.77 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below html...
WooCommerce Product Vendors < 2.1.77 - Vendor Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as Admin Vendor and above PoC As an Admin vendor, open the URL below...
WP Sticky Social 1.0.1 - Stored XSS via CSRF
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
EventON < 2.1.2 - Unauthenticated Post Access via IDOR
The plugin does not validate that the eventid parameter in its eventonicsdownload ajax action is a valid Event, allowing unauthenticated visitors to access any Post including unpublished or protected posts content via the ics export functionality by providing the numeric id of the post. PoC...
All Bootstrap Blocks < 1.3.7 - Cross-Site Request Forgery
The plugin does not properly validate user requests, leading to a potential Cross-Site Request Forgery CSRF vulnerability...
ND Shortcodes < 7.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks PoC Run the below command in the developer console of the web browser while being on the blog as a...
WooCommerce Box Office < 1.1.51 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC tickets columns='111"...
WP EasyCart < 5.4.9 - Multiple CSRFs
The plugin does not apply proper nonce validation routines in multiple AJAX requests, which makes it possible for attackers to trick an unsuspecting administrator into activating and deactivating products...
Video Contest WordPress <= 3.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
JetFormBuilder < 3.0.7 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request...
Ultimate Dashboard < 3.7.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Ultimate Dashboard - Settings -...
Download Manager < 3.2.71 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape user-supplied attributes in 'wpdmmembers', 'wpdmloginform', and 'wpdmregform' shortcodes, leading to Stored Cross-Site Scripting vulnerabilities...