14603 matches found
WPFront User Role Editor < 4.1.0 - Limited Information Exposure
Description The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfrontuserroleeditorassignrolesuserautocomplete AJAX action. This makes it possible for authenticated attackers, with...
Hot Random Image < 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-leve...
Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
Breeze < 2.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape its breezeapitoken settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WordPress File Upload < 4.24.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.24.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Ecwid Ecommerce Shopping Cart < 6.12.11 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 6.12.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
WP-Eggdrop <= 0.1 - Cross-Site Request Forgery to Settings Update
Description The WP-Eggdrop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the wpeggupdateOptions function. This makes it possible for unauthenticated attackers to update the plugin...
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The GamiPress – The 1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 6.9.0 due to insufficient input sanitization and...
Hubbub Lite – Fast, Reliable Social Network Sharing Buttons < 1.33.2 - PHP Object Injection
Description The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpspmaybeunserialize' function. This makes it possible for authenticated...
Automation By Autonami < 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Automation By Autonami plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...
Barcode Scanner with Inventory & Order Manager < 1.5.4 - Reflected Cross-Site Scripting
Description The Barcode Scanner with Inventory & Order Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Advanced Classifieds & Directory Pro < 3.1.2 - Missing Authorization to Arbitrary Attachment Deletion
Description The Advanced Classifieds & Directory Pro plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajaxcallbackdeleteattachment function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with...
Woomotiv < 3.5.0 - Review Count Reset via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'ajaxcancelreview' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrato...
Order Tip for WooCommerce < 1.4.0 - Missing Authorization to Unauthenticated Data Export
Description The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exporttipstocsv function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's...
MasterStudy LMS < 3.3.0 - Missing Authorization to Sensitive Information Exposure in search_posts
Description The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the searchposts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above,...
WP Recipe Maker < 9.3.0 - Authenticated Stored Cross-Site Scripting via Video Embed
Description The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access t...
Page Builder Gutenberg Blocks < 3.1.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Create/Edit a Post, add an "Icon" block...
Team Circle Image Slider With Lightbox < 1.0.1 - Image Data Update via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the circlethumbnailsliderwithlightboximagemanagementfunc function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious...
EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Unauthenticated Stored Cross-Site Scripting
Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'offlinestatus' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for...
Otter Blocks PRO < 2.6.4 - Unauthenticated Stored Cross-Site Scripting via SVG Upload
Description The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3 due to insufficient input sanitization and...
GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access
Description The plugin is vulnerable to Sensitive Information Exposure via Query Loop, allowing authenticated attackers, with contributor access and above, to see contents of posts and pages in draft or private status as well as those with scheduled publication dates...
Avada < 7.11.6 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries
Description The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view...
Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Beaver Builder – WordPress Page Builder < 2.7.4.3 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the audio widget 'linkurl' parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute...
BeePress <= 6.9.8 - Cross-Site Request Forgery via beepress-pro.php
Description The BeePress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.9.8. This is due to missing or incorrect nonce validation on multiple functions in the beepress-pro.php. This makes it possible for unauthenticated attackers to modify the...
Payment Gateway for Telcell < 2.0.4 - Unauthenticated Open Redirect
Description The plugin does not validate the apiurl parameter before redirecting the user to its value, leading to an Open Redirect issue PoC https://localhost/wp-admin/admin.php?page=wc-settings=redirecttelcellformurl=https://www.google.com...
Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan < 4.53 - Missing Authorization to Authenticated (Subscriber+) Table Truncation
Description The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihackertruncatescantable function in all versions up to, and including,...
MainWP Dashboard < 5.0 - Cross-Site Request Forgery via posting_bulk
Description The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'postingbulk' function. This makes it...
Simple Tweet <= 1.4.0.2 - Authenticated (Author+) Stored Cross-Site Scripting
Description The Simple Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tweet this text value in all versions up to, and including, 1.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
ProfilePress < 4.15.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode
Description The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's reg-select-role shortcode in all versions up to, and including, 4.15.0 due to...
Colibri Page Builder < 1.0.260 - Import Images, Delete Post, Save Theme Data via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the apiCall function, allowing unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request...
Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a new Facebook like...
ProfilePress < 4.15.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its login-password shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure
Description The plugin contains a vulnerability that allows you to read and download PHP logs without authorization PoC 1 Admin should click on "Save as TXT file" in http://yoursite/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php 2 Then someone else can go to...
Buttons Shortcode and Widget <= 1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The Buttons Shortcode and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
WP RSS Aggregator < 4.23.6 - Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source
Description The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web...
Coupon Referral Program <= 1.7.2 - Unauthenticated PHP Object Injection
Description The Coupon Referral Program plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.2 via deserialization of untrusted input. This makes it possible for unuathenitcated attackers. to inject a PHP Object. No known POP chain is present in the...
Cloudflare < 4.12.3 - Missing Authorization via initProxy
Description The Cloudflare plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'initProxy' function in versions up to and including 4.12.2. This makes it possible for authenticated attackers, with subscriber access and above, to send requests...
3D Tag Cloud <= 3.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Description The 3D Tag Cloud plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious JavaScript via a forged request...
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently < 4.1.2 - Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
Description The Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.1 via deserialization of untrusted input in the mepeventmetasave function. This makes it possible for...
JobSearch WP Job Board < 2.3.4 - Authentication Bypass
Description The plugin does not prevent attackers from logging-in as any users with the only knowledge of that user's email address. PoC Browse to the site, paste the following in your browser's console replace the email address with that site's administrator's email address:...
Views for WPForms < 3.2.3 - Missing Authorization via create_view
Description The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'createview' function in all versions up to, and including, 3.2.2. This makes it possible for...
WebSub (FKA. PubSubHubbub) < 3.2.0 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
VK Block Patterns < 1.31.2.0 - Cross-Site Request Forgery
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Asgaros Forum < 2.8.0 - Unauthenticated PHP Object Injection in prepare_unread_status
Description The Asgaros Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input in the prepareunreadstatus function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP...
FastDup – Fastest WordPress Migration & Duplicator < 2.2 - Directory Listing to Account Takeover and Sensitive Data Exposure
Description The plugin does not prevent directory listing in sensitive directories containing export files. PoC 1 Run backup function http://yoursite/wordpress/wp-admin/admin.php?page=njt-fastdup/ 2 During backup creation, you can intercept the following paths:...
Page Builder: Live Composer < 1.5.29 - Author+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an...
Booster Elite for WooCommerce < 7.1.2 - Missing Authorization to Order Information Disclosure
Description The Booster Elite for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 7.1.2 exclusive. This makes it possible for authenticated attackers, with subscriber-level access and above, to view...
ActivityPub for WordPress < 1.0.6 - Unauthenticated REST API Access
Description The plugin does not properly authorize access to the REST API, allowing an unauthenticated attacker to access restricted endpoints...
WooCommerce PDF Invoice Builder < 1.2.102 - Cross-Site Request Forgery
Description The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.101. This is due to missing or incorrect nonce validation in the /pages/invoicelist.php file. This makes it possible for unauthenticated attackers...