14603 matches found
ARI Fancy Lightbox < 1.3.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=ari-fancy-lightbox=%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
Email Subscribers & Newsletters < 5.3.2 - Subscriber+ Blind SQL injection
The plugin does not correctly escape the order and orderby parameters to the ajaxfetchreportlist action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to tri...
WP RSS Aggregator < 4.20 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the id parameter in the wprssfetchitemsrowaction AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting PoC Save the HTML below to a file with the .html extension, then open it in Firefox, while being authenticate...
MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting
The plugin does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting PoC https://example.com/?mappiframe=1=--%3E%3Cimg%20src%20onerror=alert/XSS/%3E...
WP Photo Album Plus < 8.0.10 - Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Stored Cross-Site Scripting XSS. Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel. PoC http://127.0.0.1:8001/?search-submit=img%20src%20onerror=alert1 Then the admin...
WP-DownloadManager < 1.68.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting...
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting PoC...
Smart SEO Tool < 3.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting PoC With the "TDK optimization" setting enabled 7th page, first one: https://example.com/?s=123456"...
True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the /admin/vendor/datatables/examples/resources/examples.php file. PoC Exploit Authors: Nicole Sheinin, Liad Levy Tested on: MacOS !/usr/bin/env python3...
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. v1.3.0 added CSRF checks, however authorisation was still missing and has been added in...
Everest Forms < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue PoC The formid needs to be a valid one...
Inspirational Quote Rotator <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfilteredhtml capability is disallowed PoC Add/edit a quote...
Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page PoC...
Get Custom Field Values < 4.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks PoC As a contributor, create a custom field in a post, with the following payload: Then add the following shortcode to the...
Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the eventid in the rtecsendunregisterlink AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL injection. PoC The below request will send an email to [email protected]...
Email Log < 2.4.7 - Admin+ SQL Injection
The plugin does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading to SQL injections PoC https://example.com/wp-admin/admin.php?page=email-log=sentdate+AND+SELECT+3025 FROM+SELECTSLEEP5SBat=DESC...
Job Portal <= 0.0.1 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /admin/jobsfunction.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site...
WP Fastest Cache < 0.9.5 - Subscriber+ SQL Injection
The plugin does not escape user input in the seturlswithterms method before using it in a SQL statement, leading to an SQL injection exploitable by low privilege users such as subscriber...
Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution
The plugin allow high privilege users to execute arbitrary PHP code in an hardened environment ie with DISALLOWFILEEDIT, DISALLOWFILEMODS and DISALLOWUNFILTEREDHTML set to true via the 'widgetrrmsimilarpostscondition' widget setting of the plugin. Vendor was notified in July 2021, the issue was...
Chameleon CSS <= 1.2 - Subscriber+ SQL Injection
The plugin does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, removecss, also does not sanitise or escape the cssid POST parameter before using it in a SQL...
G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection
The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection PoC https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.phpL271 Open the...
Cool Tag Cloud < 2.26 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the style attribute of the cooltagcloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. PoC cooltagcloud style='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert/XS...
Check & Log Email < 1.0.3 - Admin+ SQL Injections
The plugin does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues PoC With the 'Enable Log' settings of the plugin activated: -...
Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection
The plugin is vulnerable to arbitrary email sending via the triggeremailaction function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...
Dflip Lite < 1.7.10 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks PoC dflip class='"...
SP Rental Manager <= 1.5.3 - Unauthenticated SQL Injection
The plugin is vulnerable to SQL Injection via the orderby parameter found in the /user/shortcodes.php file which allows attackers to retrieve information contained in a site’s database...
Timetable and Event Schedule by MotoPress < 2.4.0 - Arbitrary User's Hashed Password/Email/Username Disclosure
The plugin outputs the Hashed Password, Username and Email Address along other less sensitive data of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the editposts capability. Combined with the other Unauthorised Event...
WordPress Page Contact <= 1.0 - Authenticated (editor+) SQL Injection
The Orders functionality in the plugin has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors PoC POST /wp-admin/admin.php?page=wpagecontact-plugin...
BuddyPress < 9.1.1 - Activation Key Disclosure
The plugin disclosed the activation key from responses of the createitem method in the BP REST API Signup controller...
Simple Behance Portfolio <= 0.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the dark parameter in the /titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts...
WP Fusion Lite < 3.37.30 - CSRF to Data Deletion
The plugin is vulnerable to Cross-Site Request Forgery via the showlogssection function found in the /includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin...
Simple Banner < 2.10.4 - Authenticated Stored XSS
The plugin does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Simple Banner Text setting of the plugin: The XSS will be...
Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection
The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...
Timeline Calendar <= 1.2 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin PoC GET...
Alipay <= 3.7.2 - Authenticated SQL Injection
A proid GET parameter of the plugin is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. PoC GET /wp-admin/options-general.php?page=wsalipay=edit=-5818%20UNION%20ALL%20SELECT...
Maintenance < 4.03 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them even when the unfilteredhtml capability is disallowed, which will be triggered in the frontend PoC POST /wp-admin/admin.php?page=maintenance HTTP/1.1...
KN Fix Your Title <= 1.0.1 - Authenticated Stored XSS
The plugin was vulnerable to Authenticated Stored XSS in the separator field. PoC 1. Install WordPress 5.7.2 2. Install and activate KN Fix Your Title 3. Navigate to Fix Title under Settings Tab Click on I have done this and enter the XSS payload into the Separator input field. 4. Click Save...
Photo Gallery < 1.5.75 - File Upload Path Traversal
The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector PoC The below requests will put the xss.svg file into the /wp-content/uploads/ folder rather than...
WP Upload Restriction < 2.2.5 - Missing Access Control in getSelectedMimeTypesByRole
Missing access control in getSelectedMimeTypesByRole function allows authenticated users, such as subscribers, to retrieve approved mime types for any given role...
FAQ Builder < 1.3.6 - Authenticated Blind SQL Injections
The getfaqs function in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard PoC SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not escape the Summary field of Announcements when outputting it in an attribute, which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege...
CiviCRM < 5.24.3 - Authenticated Phar Deserialization
The plugin was vulnerable to Authenticated Phar Deserialization. The vulnerability was discovered by sonarsource. Update to versions 5.24.3 and above to patch the vulnerability...
Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection
The plugin did not sanitise, escape or validate the dateanswers POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks PoC v 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: /...
W3 Total Cache < 2.1.3 - Authenticated Stored XSS
The plugin did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue PoC Vulnerable parameters: cnames= 1, cdncnames= 2, cdncnames= 3. CDN Type:...
WP Google Maps < 8.1.13 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some of its fields, which could lead to Stored Cross-Site Scripting issues...
WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise or escape its Default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue PoC POST /wp-admin/options-general.php?page=wordpress-popular-posts=tools HTTP/1.1 Accept:...
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE
The plugin allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. The issue is being actively exploited, and no patch is available. Further details will be made available once pathed. PoC The Custom Product Designer plugin for WordPress offers the ability...
WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to reque...
Store Locator Plus <= 5.5.15 - Unauthenticated Stored Cross-Site Scripting (XSS)
There are several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. PoC The PoC will be displayed once the issue has been remediated...
Import XML and RSS Feeds < 2.0.3 - Authenticated Server-side Request Forgery (SSRF)
The plugin is affected by a Server-side request forgery SSRF vulnerability via the data parameter in a moovereadxml action...