14603 matches found
Content Egg < 5.5.0 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins perform unwanted actions via CSRF attacks...
Advanced Dynamic Pricing for WooCommerce < 4.1.6 - Settings Import via CSRF
The plugin does not have CSRF check in place when importing its settings, which could allow attackers to make a logged in admin import them via a CSRF attack...
Accessibility < 1.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
3D Tag Cloud <= 3.8 - Stored XSS via CSRF
The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
WP Cerber Security < 9.1 - Username Enumeration Bypass
The plugin does not properly validate the author was blocking request trying to enumerate usernames, which could allow attackers to bypass the protection offered...
Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based limitations in certain situations. PoC Set HTTPCFCONNECTINGIP or any of the other headers in getclientipaddress to spoof the IP address...
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
The plugin does not properly validates paths generated with user input in the almrepeatersexport function, which could allow high privilege users to read arbitrary files form the server even when they should not be able to have access to any, for example in multisite setup This is due to an...
Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass
The plugin doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. PoC Set HTTPCLIENTIP, HTTPXFORWARDEDFOR or any other header in LoginNoCaptcha::getipaddress which is then checked against the whitelist an...
All-in-One Video Gallery 2.5.8 - 2.6.0 - Unauthenticated Arbitrary File Download & SSRF
The plugin does not validate the dl parameter which could allow unauthenticated users to download arbitrary files from the server, as well as perform SSRF attacks...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC Both can be used against authenticated and unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=ftsrefreshtokenajaxtoken=...
E Unlocked - Student Result <= 1.0.4 - Arbitrary File Upload via CSRF
The plugin is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack PoC The file will be uploaded to the /wp-content/uploads/result/rand.php, eg:...
Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description. PoC Steps to reproduce: 1 As a Contributor, go to portfolio on the dashboard and add new item. 2 on the editing page that comes up, scroll...
AnyMind Widget <= 1.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating the setWidgetId setting, and does not have sanitisation as well as escaping applied to it, which could allow attackers to make a logged in admin put a Cross-Site Scripting payload in it via CSRF attack...
Visualizer: Tables and Charts Manager for WordPress < 3.7.10 - Contributor+ PHAR Deserialization
The plugin does not validate the ‘remotedata’ parameter allowing contributor and above roles to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP objects when a POP chain is present...
Shareaholic < 9.7.6 - Information Disclosure
The plugin does not have proper authorisation check in one of the AJAX action, available to unauthenticated in v 9.7.5 and author+ in v9.7.5 users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc. PoC...
Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution
The plugin allows high privilege users such as admin to import zip archives containing PHP files, which could allow admin of multisite setup to perform RCE attacks...
404s < 3.5.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape its fields, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create/edit a new 404 via the plugin and put the following payload in the "Please enter th...
Best Contact Management Software <= 3.7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "No Access Message" settings...
Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF
The plugin does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Login using WordPress Users < 1.13.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "IDP Metadata" "Id...
Mobile Browser Color Select <= 1.0.1 - Stored Cross-Site Scripting via CSRF
The plugin is lacking CSRF check in its adminupdatedata function, which could allow attackers to make a logged in admin call it, and perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the processed user input...
MailPress <= 7.2.1 - Arbitrary Settings Update & Log Files Purge via CSRF
The plugin does not have CSRF checks in various places, which could allow attackers to make a logged in admin change the settings, purge log files and more via CSRF attacks PoC...
Easy Pricing Tables < 3.1.3 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Image Slider by NextCode <= 1.1.2 - Arbitrary Slide Deletion via CSRF
The plugin does not have CSRF in place when deleting slides, allowing attackers to make a logged in admin perform such action via a CSRF attack...
Slideshow, Image Slider by 2J <= 1.3.54 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in a page accessible to contributors and above, leading to a Reflected Cross-Site Scripting...
WP-CRM <= 1.2.1 - CSV Injection
The plugin does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. PoC 1. Add new person and put the following CSV calculator payload into the Display Name, Phone Number and Description field and save the entry. payload : =cmd|' /C...
WooCommerce Green Wallet Gateway < 1.0.2 - Reflected Cross Site Scripting in checkout page
The plugin does not escape the errorenvision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability. PoC 1. Enable greenwallet-gateway as a woocommerce payment gateway 2. add something in your cart and visit the checkout page 3. visit...
WP JS <= 2.0.6 - Reflected Cross-Site Scripting
The plugin contains a script called wp-js.php with the function wpjsadmin, that accepts unvalidated user input and echoes it back to the user, leading to a Reflected Cross-Site Scripting...
Hermit <= 3.1.6 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection...
Footer Text <= 2.0.3 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF in place when updating its settings, and is lacking sanitisation as well as escaping in them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks...
Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a slider, put the following payload in the CSS settings and save: The XSS wil...
3xSocializer <= 0.98.22 - Subscriber+ SQLi
Description The plugin does not sanitise and escape some parameter before using them in SQL statements, leading to SQL Injections...
WP Maintenance < 6.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape multiple of its settings, which could allow high privileged users such as admin to perform Cross-Site Scripting attack when the unfilteredhtml is disallowed...
Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting
The plugin does not properly sanitize the $GET'imageurl' variable, which is reflected back to the users when executing the editimagebwg AJAX action. PoC...
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks PoC Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries=trash=2 Since entry permanent deletion:...
Documentor <= 1.5.3 - Unauthenticated SQLi
The plugin fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users. PoC curl https://example.com/wp-admin/admin-ajax.php --data 'action=docsearchresults==1 AND SELECT 6288 FROM...
Spam protection, AntiSpam, FireWall by CleanTalk < 5.174.1 - Reflected Cross-Site Scripting
The plugin does not not sanitise and escape the page parameter brief outputting it back in attributes in the /wp-admin/edit-comments.php?page=ctcheckspam and Users list dashboard, leading to Reflected Cross-Site Scripting issues...
Anti-Malware Security and Brute-Force Firewall < 4.20.96 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the QUERYSTRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters PoC GET /wp-admin/admin.php?page=GOTMLSViewQuarantine=" HTTP/1.1 Cache-Control: max-age=0...
Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the Custom DB Prefix settings of the plugin: BooksnPapers"...
Donations <= 1.8 - Unauthenticated SQLi
The plugin does not sanitise and escape the nddonationsid parameter before using it in a SQL statement via the nddonationssinglecauseformvalidatefieldsphpfunction AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection PoC Create a new "Cause" and fill out the...
Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Create/edit a Download and put the following payload in the File Name field: Download...
Page Security & Membership <= 1.5.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the "Force Public Pages" settings of the plugin...
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
The plugin does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or o...
Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE
The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user Admin+ to inject arbitrary HTML or javascript even with unfilteredhtml disallowed, leading to a stored cross-site scripting XSS vulnerability. Further it is also possible to inje...
Yoo Slider < 2.1.0 - Arbitrary Slider Duplication/Deletion via CSRF
The plugin does not have CSRF in place when duplicating and deleting sliders, which could allow attackers to make logged in users perform such actions...
Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Media Optimole...
Advanced Booking Calendar < 1.7.1 - Admin+ SQLi
The plugin does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks PoC Edit an existing Seasons & Calendars /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars and tamper the ...
KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them PoC Create profile: fetch"https://example.com/wp-admin/admin-ajax.php?action=kccreateprofile",...
Mark Posts < 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the 'Add new markers' settings of the plugin: "autofocus onfocus=alert/XSS/ b=...
Zero Spam < 5.2.11 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection PoC With at least one IP in the “Blocked IPs” list:...