14603 matches found
WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update
An AJAX action registered by the plugin did not have capability checks, allowing low privilege users, such as subscribers, to update the license options key, email. PoC When logged in as a user with Subcriber role or greater, submit a request to wp-admin/admin-ajax.php with action =...
Goto - Tour & Travel < 2.0 - Unauthenticated Reflected XSS
The theme does not sanitise the keywords and startdate GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue. PoC Payload:...
Patreon WordPress < 1.7.2 - Reflected XSS on Login Form
The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the plugin. The WordPress login form wp-login.php is hooked by the plugin and offers to allow users to authenticate on the site using their Patreon account. Unfortunately, some of the error logging logic behind...
Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure
The Jetpack Scan team identified a Local File Disclosure vulnerability in the plugin that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in t...
GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)
The plugin was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page. PoC...
NextGEN Gallery Pro < 3.1.11 - Reflected Cross-Site Scripting (XSS)
In the eCommerce module of NextGEN Gallery Pro, there is an action to call getcartitems via photocratiajax , after that the settingsshippingaddressname is able to inject malicious javascript. PoC On a page where a NextGEN Pro gallery is embed:...
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the clientsecret key needed to...
Post SMTP Mailer/Email Log < 2.0.21 - CSRF Nonce Bypass
A user could bypass the nonce check associated with Export mail to CSV handleCsvExport function PoC Submit a request w/o the post-smtp-log-nonce parameter...
ElasticPress 3.5.2 - 3.5.3 - CSRF Nonce Bypass
A user could bypass the nonce check associated with re-sending the unaltered default search query to ElasticPress.io that is used for providing Autosuggest queries. Impacted plugin and version: ElasticPress versions 3.5.2 and 3.5.3. Fixed in version 3.5.4...
Digital Publications by Supsystic <= 1.6.11 - Authenticated Stored Cross-Site Scripting (XSS)
When creating or editing a publication, all values such as Area Width, Publication Width are vulnerable to stored XSS. It is possible to store code in all input fields as the code does not sanitize any user input. v1.6.11 attempted to fix the issue by using sanitizetextfield, however the output i...
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
The plugin was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Attackers can possibly exploit this issue to execute arbitrary commands on the victim's system, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected...
Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
The plugin does not validate the sjbfile parameter when viewing a resume, allowing authenticated user with the downloadresume capability such as HR users to download arbitrary files from the web-server via a path traversal attack PoC The sjbfile parameter to use may depends on the configuration o...
iThemes Security < 7.7.0 - New-Password Requirements Not Enforced Until second Login
The plugin did not enforce new-password requirements for existing accounts until the second login occurred, which could leave an account configured with a potentially weak password until the user changes it...
Post Grid < 2.0.73 & Team Showcase < 1.22.16 - Authenticated Stored Cross-Site Scripting (XSS)
Ram Gall from Wordfence discovered an authenticated subscriber+ Stored Cross-Site Scripting XSS vulnerability in the Post Grid and Team Showcase WordPress plugins...
Ninja Forms < 3.4.27.1 - CSRF leading to Arbitrary Plugin Installation
The plugin is affected by a Cross-Site Request Forgery CSRF which could allow attackers to make a logged administrator install an arbitrary plugin from the WordPress repository. PoC http://example.com/wp-admin/admin-ajax.php?action=nfservicesinstall=wpscanpath=wpscan/wpscan.php...
ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings
The ActiveCampaign 8.0.1 plugin is lacking CSRF check on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. PoC When a logged-in administrator accesses an HTML page embedded below content, the plugin's setting will be...
Golo < 1.3.3 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Golo theme v1.3.2 for WordPress. PoC https://example.com/?s=%22%3E%3Cimg+src%3Dx+onerror%3DalertXSS%2F%2F%22%3Etype=place...
KingComposer < 2.9.5 - Unauthenticated Reflected Cross-Site Scripting
A reflected Cross-Site Scripting XSS Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an installonlinepreset AJAX request containing base64-encoded JavaScript in the kc-online-preset-data POST parameter that is executed...
Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection
The 'query' parameter allowed for any unauthenticated user to perform SQL queries with result output to a web page in JSON format. PoC https://example.com/?cffaction=getdatafromdatabase=SELECT%20%20from%20wpposts...
Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection
Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme», tested version — v1.7. June 17th, 2020 - Confirmed & Escalated to Envato. June 19th, 2020 - v1.8 released. Fixing the issues. PoC PoC Unauthenticated Reflected XSS:...
AdRotate < 5.8.4 - Authenticated SQL Injection
Authenticated SQL injection in the AdRotate 5.8.3.1 exists via param "id". However, this requires an admin privileged user. NOTE: The plugin author mistook this SQLi bug for XSS but the remedy remains OK. PoC Param "id" is vulneable to SQL Injeciton. Example 1:...
Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)
The iframe plugin before 4.5 does not sanitize a URL. PoC iframe src="javascript:alertdocument.cookie" width="100%" height="500"...
Accordion < 2.2.9 - Unprotected AJAX Action to Stored/Reflected XSS
This flaw allowed any authenticated user with subscriber-level and above permissions the ability to import a new accordion and inject malicious Javascript as part of the accordion. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Accept: / X-Requested-With: XMLHttpRequest User-Agent:...
LearnDash < 3.1.6 - Unauthenticated SQL Injection
The sfwd-lms WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability...
WordPress File Upload < 4.13.0 - Directory Traversal to RCE
WordPress File Upload plugin directory traversal. It's possible to use the directory traversal to gain RCE by uploading a file doesn't matter the extension inside the /lib directory of the plugin. More details here https://github.com/beerpwn/CVE/tree/master/WP-File-Uploaddisclosurereport...
Contact Form by WPForms < 1.5.9 - Authenticated Cross-Site Scripting (XSS)
The popular WordPress plugin, WPForms, was found to be vulnerable to Authenticated Cross-Site Scripting XSS. The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly...
ThemeREX Addons - Remote Code Execution
"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts." Note WPScanTeam: There are major version inconsistencies in the trxaddons shipped with the affected themes. As a result, a...
Popup Builder < 3.0 - SQL injection via PHP Deserialization
The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution...
Elementor < 2.7.5 - Authenticated Arbitrary File Upload
The Elementor plugin version 2.7.4 and below was found to be vulnerable to an arbitrary file upload. Due to the application not handling zip files with directories properly an attacker could upload php files which were executable, this allowed any user able to import templates WordPress role...
Ultimate Member < 2.1.3 - Insecure Direct Object Reference (IDOR)
IDOR issues allowing change of other users' profiles and cover photos...
EasyBook < 1.2.2 - Multiple Vulnerabilities
Multiple vulnerabilities was discovered in the 'EasyBook – Directory & Listing WordPress Theme', tested version — v1.2.1: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January ??th, 2020 -...
WordPress <= 5.2.3 - Stored XSS in Style Tags
...
SlickQuiz <= 1.3.7.1 - Authenticated SQL Injection
The last time it was checked the plugin was still affected and had been closed...
LifterLMS <= 3.34.5 - Unauthenticated Options Import
Unauthenticated Options Import, which could lead to - Website Redirection - Administrator Account Creation - Content Injection - Stored XSS The issues have been reported as fixed in 3.35.0. However v3.35.1 added additional input sanitisation and filtering...
Event Tickets <= 4.10.7.1 - CSV Injection
The Event Tickets WordPress plugin was affected by a CSV Injection security vulnerability...
Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion
The adminInit function of the admin/includes/class.actions.snippets.php file, registered as an admininit hook did not have any CSRF or capability checks for its close action, allowing unauthenticated users to delete arbitrary posts from the blog PoC...
WP Fastest Cache <= 0.8.9.5 - Directory Traversal
The WP Fastest Cache WordPress plugin was affected by a Directory Traversal security vulnerability...
Pirate Forms < 2.5.2 - HTML Injection & CSRF
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin was affected by a HTML Injection & CSRF security vulnerability...
Gallery Photoblocks < 1.1.43 - Authenticated Reflected XSS
The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. PoC When logged in with an account with administrator capabilities: https:///wp-admin/admin.php?page=photoblocks-edit="...
WP Like Button <= 1.6.0 - Auth Bypass
Authentication Bypass vulnerability in the WP Like Button Free plugin version 1.6.0 allows unauthenticated attackers to change the settings of the plugin. The contains function in wplikebutton.php did not check if the current request is made by an authorized user, thus allowing any unauthenticate...
WebP Converter for Media <= 1.0.2 - Cross-Site Request Forgery (CSRF)
The WebP Converter for Media WordPress plugin was affected by a Cross-Site Request Forgery CSRF security vulnerability...
WP-Members <= 3.2.7 - Cross-Site Request Forgery (CSRF)
No CSRF Protection on Add new Fields. Can also Edit and Delete fields the same way. PoC 1.Download csrfwp-members.html 2.Change URL in html file.FORM ACTION. 3.Submit Request. Video POC : https://drive.google.com/file/d/1TuJK0NjxznjTDmoJF5wbGu2vMAXXikw/view?usp=sharing HTMLFILE :...
Hostel Plugin <= 1.1.3 - Unauthenticated Stored XSS
This vulnerability allows any user can inject Javascript code and the code will be executed on the admin side when he visits the Bookings Page Authentication Required:No Affected Version: 1.1.3 or possibly below Fixed version:1.1.4...
Option Tree < 2.7.0 - PHP Object Injection
The OptionTree WordPress plugin was affected by a PHP Object Injection security vulnerability...
Form Maker by 10Web < 1.13.5 - Cross-Site Request Forgery (CSRF) to LFI
Form Maker by WD plugin suffers from a CSRF issue that could lead to an LFI attack...
Booking < 8.4.5.15 - SQL Injection
The Booking Calendar WordPress plugin was affected by a SQL Injection security vulnerability...
WP Live Chat Support < 8.0.18 - Cross-Site Scripting (XSS)
The 3CX Live Chat WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
LoginPress <= 1.1.15 - Authenticated Blind SQL Injection
Blind time-based SQL injection, combined with lack of permission check resulted in an unauthorised attack which can be performed by any user on the site including subscriber profiles. 1. Lack of permission check in settings import Similar to our recent analysis, this vulnerability was also caused...
WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option
The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the fil...
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability. PoC POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT...