14603 matches found
Pay with Vipps for WooCommerce < 1.14.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Pay with Vipps for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the buy now button in versions up to, and including, 1.14.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Republish Old Posts < 1.27 - Cross-Site Request Forgery via rop_options_page
Description The Republish Old Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.21. This is due to missing or incorrect nonce validation on the ropoptionspage function. This makes it possible for unauthenticated attackers to modify the...
Build App Online <= 1.0.19 - Subscriber+ Privilege Escalation
Description The plugin does not have authorisation in its updateusermetavalue function, allowing any authenticated users, such as subscriber to update arbitrary user metadata and grand themselves administrator privileges...
Checkout Mestres WP < 7.1.9.8 - Authentication Bypass via Password Reset
Description The plugin is vulnerable to authentication bypass due to a weak password reset functionality, allowing unauthenticated attackers to reset the password of arbitrary users to a guessable value based on the current time...
NEX-Forms – Ultimate Form Builder < 8.5.5 - Cross-Site Request Forgery
Description The NEX-Forms – Ultimate Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an...
ProfileGrid < 5.6.7 - Missing Authorization
Description The ProfileGrid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.6.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized action...
Complianz | GDPR/CCPA Cookie Consent < 6.5.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
BERTHA AI Plugin < 1.11.10.8 - Unauthenticated Arbitrary File Upload
Description The BERTHA AI. Your AI co-pilot for WordPress and Chrome plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bthaiwatranslateaudiocallback' function in all versions up to and including 1.11.10.7. This makes it possible for...
WordPress Toolbar <= 2.2.6 - Open Redirect
Description The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. PoC...
Easy SVG Allow <= 1.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC Upload an SVG with the following code: Access the uploaded file directly to trigger the XSS...
WooCommerce Menu Extension <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The WooCommerce Menu Extension plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above...
Multi Step Form < 1.7.17 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update
Description The plugin does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings. PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvEIqF0bdJXlPN58D", , "body":...
Simple Membership < 4.3.9 - Reflected Cross-Site Scripting Vulnerability via environment_mode
Description The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environmentmode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...
Greenshift – animation and page builder blocks < 7.6.3 - Authenticated (Administrator+) Arbitrary File Upload
Description The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspbsavefiles' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with...
Multiple Plugins by KlbTheme - Reflected Cross-Site Scripting
Description The plugins do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Integrate Google Drive < 1.3.5 - Cross-Site Request Forgery
Description The Integrate Google Drive plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.4. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an...
LiveChat < 4.5.16 - Cross-Site Request Forgery
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Soledad < 8.4.2 - Unauthenticated PHP Object Injection
Description The Soledad theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 8.4.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable theme. If a...
Eventin <= 3.3.44 - Missing Authorization
Description The Eventin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 3.3.44. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthoriz...
HDW Player Plugin (Video Player & Video Gallery) <= 5.0 - Cross-Site Scripting
Description The HDW Player Plugin Video Player & Video Gallery plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
SVGator – Add Animated SVG Easily < 1.2.5 - API Token Update/Deletion & Import Projects via CSRF
Description The plugin does not have CSRF checks when updating and deleting API token as well as importing projects, which could allow attackers to make logged in admins perform such actions via CSRF attacks...
teachPress < 9.0.5 - Cross-Site Request Forgery
Description The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a...
Quantity Plus Minus Button for WooCommerce by CodeAstrology < 1.2.0 Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Nested Pages < 3.2.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.4.3 - Unauthenticated SQL Injection via search terms
Description The HUSKY – Products Filter for WooCommerce formerly WOOF plugin for WordPress is vulnerable to generic SQL Injection via search terms in versions up to, and including, 1.3.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi...
Happyforms < 1.25.10 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in an hidden attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Delete Post Revisions In WordPress <= 4.6 - Cross-Site Request Forgery
Description The delete-post-revisions-on-single-click theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attacke...
Salient Core < 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The salient-core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Simple Membership < 4.3.5 - Account Takeover via Password Reset
Description The Simple Membership plugin for WordPress is vulnerable to account takeover due to missing input validation on the processpasswordresetusinglink function in versions up to, and including, 4.3.4. This makes it possible for authenticated attackers to gain access to arbitrary accounts o...
kk Star Ratings < 5.4.6 - Missing Authorization
Description The kk Star Ratings plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on an unknown function in versions up to, and including, 5.4.5. This makes it possible for unauthenticated attackers to make use of this functionality. The exa...
Unyson <= 2.7.28 - Missing Authorization
Description The Unyson plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions in versions up to, and including, 2.7.28. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
WP-Matomo Integration (WP-Piwik) < 1.0.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The WP-Matomo Integration WP-Piwik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Brands for WooCommerce < 3.8.2.3 - Missing Authorization to Unauthenticated Order Manipulation and Information Retrieval
Description The Brands for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.8.2.2. This is due to missing capability checks on the clearcacheajax, saveorder, brgetproducts, brgetbrands, and saveallorders functions hooked via AJAX nopriv...
Podcast Subscribe Buttons < 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Podcast Subscribe Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'podcastsubscribe' shortcode in versions up to, and including, 1.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
AtomChat <= 1.1.4 - Missing Authorization via credits REST API Endpoint
Description The AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'credits' REST API function in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to manipulate user credits when the...
Poptin < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Poptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'poptin-form' shortcode in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers wit...
WP Customer Reviews < 3.6.7 - Authenticated (Subscriber+) Sensitive Information Exposure
Description The WP Customer Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.6.6 via the ajaxenabledposts function. This can allow authenticated attackers to extract sensitive data such as post titles and slugs, including those of...
Ajax Domain Checker <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Ajax Domain Checker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...
Social Sharing Plugin - Social Warfare < 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'socialwarfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
RSVPMaker < 10.6.7 - Unauthenticated PHP Object Injection
Description The RSVPMaker plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 10.6.6 via deserialization of untrusted input from the $details variable. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable...
Themify Ultra < 7.3.6 - Missing Authorization
Description The themify-ultra theme for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on an unknown function in all versions up to, and including, 7.3.3. This makes it possible for authenticated attackers with subscriber access or...
Youzify < 1.2.3 - Insecure Direct Object Reference
Description The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.2 due to missing validation on a user controlled key. This makes it...
Simple User Listing < 1.9.3 - Reflected XSS
Description The plugin does not sanitise and escape the as parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Seo By 10Web <= 1.2.9 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
eCommerce Product Catalog Plugin for WordPress < 3.3.26 - Products Deletion via CSRF
Description The plugin does not have CSRF checks in some of its admin pages, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as delete all products PoC Make a logged in admin open the URL below...
Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
Description The plugin is vulnerable from an RCE Remote Code Execution vulnerability, which allows the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges. PoC 1 Go to main dashboard of plugin...
WordPress Backup & Migration < 1.4.4 - Subscriber+ Plugin Settings Update
Description The plugin does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded; charset=UTF-8", , "body":...
WP Hotel Booking < 2.0.8 - Unauthenticated SQLi
Description The plugin does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admininit, allowing unauthenticated users to perform SQL injections PoC Run the below command in the developer console of the web...
Print, PDF, Email by PrintFriendly < 5.5.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...