14602 matches found
Redirection for Contact Form 7 < 3.0.0 - Missing Authorization
Description The Redirection for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportcurrentfilteredview function hooked via admininit in versions up to, and including, 2.9.2. This makes it possible for unauthenticated...
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
The plugin allows unauthenticated users to upload files allowed in a default WP configuration so PHP is not possible if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading o...
WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
The plugin is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles PoC Go to WooCommerce - Settings - Payments tab, enable BAC Bank Account Transfers and edit the title in the setup dialog. HTML can be injected there, and will be rendered both f...
WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Description A path traversal vulnerability was discovered in the file unzipping code...
Advanced Custom Fields Pro < 6.2.10 - Authenticated (Contributor+) Code Injection
Description The Advanced Custom Fields Pro plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 6.2.9. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server...
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary deserialization"; 1. Active this...
Multiple YITH WooCommerce plugins - Cross-Site Scripting via shortcode ajax
Multiple plugins from YITH does not protect its ajax actions against CSRF attacks, allowing an attacker to trick a logged in user to perform actions on their behalf by submitting a crafted request...
WP Google Map Plugin < 4.1.0 - CSRF to Unauthenticated PHP Object Injection
The WP Google Map Plugin WordPress plugin was affected by a CSRF to Unauthenticated PHP Object Injection security vulnerability...
Essential Addons For Elementor < 5.8.2 - Unauthenticated MailChimp API Key Disclosure
Description The plugin discloses the MailChimp API key in pages with the MailChimp block, allowing unauthenticated users to obtain such key...
WP Super Cache 1.3 - trunk/wp-cache.php wp_nonce_url Function URI XSS
The WP Super Cache WordPress plugin was affected by a trunk/wp-cache.php wpnonceurl Function URI XSS security vulnerability...
Wordfence 3.8.1 - wp-admin/admin.php whois Parameter Stored XSS
The Wordfence Security – Firewall & Malware Scan WordPress plugin was affected by a wp-admin/admin.php whois Parameter Stored XSS security vulnerability...
Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection
The plugin does not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. PoC POST...
Folders Disclosure via Outdated jQueryFileTree Library
The plugins are using the admin-page-framework framework which is shipped with the outdated and no longer maintained library jQueryFileTree known to be affected by a path traversal issue, allowing unauthenticated attackers to disclose the folder structure of the web server PoC curl...
Gravity Forms < 2.7.5 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin. PoC Make a logged in admin open the following URL:...
LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS
The plugin does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then ...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed. PoC Vulnerable parameters: =, =, =, =, =, =. PoC 1 |...
Loginizer < 1.6.4 - Unauthenticated SQL Injection
The Loginizer WordPress plugin was found to be affected by an Unauthenticated SQL Injection vulnerability found by the security researcher mslavco. The vulnerability was triggered within the brute force protection functionality, which was enabled by default when the plugin was first installed. Wh...
WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
The WP Super Cache WordPress plugin was affected by a trunk/plugins/wptouch.php URI XSS security vulnerability...
Element Pack Pro <= 7.7.4 - Authenticated (Contributor+) Arbitrary File Read and PHAR Deserialization
Description The Element Pack Pro - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.7.4. This makes it possible for authenticated attackers, with contributor-level access and above, to read the...
Qi Addons For Elementor < 1.6.4 - Authenticated (Contributor+) Local File Inclusion
Description The Qi Addons For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowi...
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user import intentionally or not a malicious file, and a suitable gadget chain is present on the site. PoC To simulate a gadget chain, put the following code in a plugin class Evil publ...
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink PoC...
Unauthorised AJAX Calls via Freemius
Description The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in...
Contact Form Email < 1.3.25 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the /trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This only affects multi-site...
GTM4WP < 1.15.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly escape the Content Element ID settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfilteredhtml is disallowed for example multisite setups...
Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF
The LikeBtn WordPress plugin was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery SSRF. On line 7493 in likebtnlikebutton.php a hook is set to allow unauthenticated ajax calls which will call the function likebtnprx. As the name suggests, this function works as a proxy and can ...
WooCommerce < 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo
A DOM based Cross-Site Scripting XSS vulnerability was found to affect the SelectWoo dependency that WooCommerce used. SelectWoo replaces the standard box in web browsers...
Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal
Since no authentication or authorisation checks for direct access to the jqueryFileTree.php are made, the vulnerability allows for browsing the file system on a host out of an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files e.g. in the web...
Photo-Gallery <= 1.2.41 - UploadHandler.php File Upload CSRF
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by an UploadHandler.php File Upload CSRF security vulnerability...
Nexter < 2.0.4 - Missing Authorization
Description The Nexter theme for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions such as nexterextraextactiveajax, nexterextraextdeactivateajax, nexterextwpreplaceurlsettingsajax, nexterextwpduplicatepostsettingsajax,...
Insert Pages < 3.7.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
The plugin does not sanitise and escape the time parameter before using it in a SQL statement in the mecloadsinglepage AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue PoC...
Elegant Themes (Divi 3.0 - 4.5.2, Extra 2.0 - 4.5.2, Divi Builder 2.0 - 4.5.2) - Authenticated Arbitrary File Upload
Description This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. PoC Usage: php poc.php url username password filetoupload Once the file is...
Ultimate Addons for Elementor < 1.20.1 - Authentication Bypass
A vulnerability affecting the Ultimate Addons for Elementor WordPress plugin allows malicious users to authenticate as any other user due to the lack of checks when logging in via Facebook or Google...
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
Description According to the WordPress release notes: "Props to Soroush Dalili @irsdl from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting XSS attacks." PoC Thanks to @irsdl's Hacker1 disclosure: JS - Numerical Entities JS - Hex Entities...
Salient Theme <= 4.9 - DOM Cross-Site Scripting (XSS)
The Salient theme comes budled with a vulnerable version of PrettyPhoto which can be found in http://www.example.com/wp-content/themes/salient/js/prettyPhoto.js...
WP Forum < 2.4 - Multiple SQL Injection
The wp-forum WordPress plugin was affected by a Multiple SQL Injection security vulnerability...
Slider Revolution < 6.7.0 - Missing Authorization
Description The Slider Revolution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the initrestapi function in versions up to 6.7.0. This makes it possible for unauthenticated attackers to update slider data...
WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. PoC 1. Visit WP Fastest Cache Settings. Ensure "Cache System" is enabled, and "Logged-in Users" is disabled. Click "Submit"...
Betheme < 26.6.3 - Subscriber+ Unauthorised Action
The plugin does not have authorisation in some areas, which could allow any authenticated users, such as subscriber to perform unauthorised action...
Font Awesome 4 Menus <= 4.7.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Put the following payload in the "A custom...
Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation
The plugin allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter. Note: This only affects membership from the plugin, not the WordPress role PoC The request contains the levelidentifier parameter with the md52 value, where 2 is...
WordPress < 5.5.2 - Cross-Site Scripting (XSS) via Global Variables
Description The release notes state: "Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables."...
Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS
The vendor's description, reference included below: "Yoast SEO 11.6 also fixes a security issue regarding term pages in WordPress. Unfiltered code was allowed in some fields. This, however, does not pose a problem for single user sites. In specific cases, on multisite installs, this might become ...
Tajer - Unauthenticated Arbitrary File Upload
The tajer WordPress plugin was affected by an Unauthenticated Arbitrary File Upload security vulnerability. PoC curl -F "[email protected]" http://www.example.com/wp-content/plugins/tajer/lib/jQuery-File-Upload-master/server/php/index.php Shell is uploaded to:...
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) < 7.6.7 - Authenticated (Subscriber+) Privilege Escalation
Description The WordPress Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 7.6.6. This is due to the plugin improperly restricting user meta values that can be updated and allowing users t...
Mega Addons For WPBakery Page Builder < 4.3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC vctestimonial link='target:"...
Paid Membership Pro < 2.9.8 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the code parameter before using it in a SQL statement via the /pmpro/v1/order REST route, leading to a SQL injection exploitable by unauthenticated users PoC curl...
Membership For WooCommerce < 2.1.7 - Unauthenticated Arbitrary File Upload
The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE. PoC 1. Install and activate WooCommerce dependency, no setup required 2. Create a local file containing the payload on /tmp/payload.php 3...
WP Championship < 9.3 - Multiple CSRF
The plugin is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site...