14603 matches found
WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. PoC Make sure to have both WooCommerce and NinjaForms 3.4.34.2 NF's latest version on the 3.4 branch installed, then follow those...
SendPulse Free Web Push < 1.3.2 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WP Site Protector <= 2.0 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP-dTree <= 4.4.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS
Description The plugin does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks PoC As a contributor, put the following payload in a post the payload will have to be updated accordingly to watch th...
Leyka < 3.30.7.1 - Subscriber+ Sensitive Information Disclosure
Description The plugin is vulnerable to Sensitive Information Exposure via the 'leykaajaxgetenvandoptions' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including Sberbank API key and password, PayPal Client Secret, and more...
BigBlueButton <= 3.0.0-beta.4 - Reflected XSS
Description The plugin does not sanitise and escape the username and tempentrypass parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF
Description The plugin does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks. PoC This CSRF attack will reject a Quote in the database. 1. Go to All In One Quote Quotes 2. Click "Add quote", fill in the title, and save. 3. Find the Quote ID,...
Activity Log < 2.8.8 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. PoC Run the following code in the web browser and note on the backend that the IP address has been fake...
URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header
Description The plugin does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link. PoC 1. Add a new shortened link in the interface...
Simple Blog Card < 1.31 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the...
Front Editor <= 4.3.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add a new form. 2. For the "Post Title",...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a Blank form or select...
WP Abstracts <= 2.6.2 - Cross-Site Request Forgery
The plugin does not sufficiently verify requests use nonces, leading to a CSRF vulnerability...
Querlo Chatbot <= 1.2.4 - Stored Cross-Site Scripting
The plugin does not escape or sanitize chat messages, leading to a stored Cross-Site Scripting vulnerability. PoC Submit the following in the chat message: """ See the XSS in Querlo...
Ninja Forms < 3.6.25 - Admin+ Arbitrary File Deletion
The plugin does not validate the path of files to be deleted, which could allow administrators to delete arbitrary files on the server even when they should not be able to...
WooCommerce Payments < 4.5.1 - Intent Parameter Tampering
The plugin allows customer to complete an order on a merchant’s site without paying for it...
MStore API < 3.9.7 - Subscriber+ Unauthorized Settings Update
The plugin does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. PoC Make sure the site also has WooCommerce installed and activated, then, while logged-in as a subscriber, visit the following URLs: -...
AN_GradeBook <= 5.0.1 - Admin+ XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. When adding a new course in the plugin...
MStore API < 3.9.8 - Unauthenticated Blind SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointment...
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitize and escape the businessid parameter of an unprotected REST route endpoint before rendering it back in pages on the website, allowing an unauthenticated attacker to inject arbitrary web scripts, which could target authenticated users such as administrators. PoC curl...
AI-Engine < 1.6.83 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Go to Meow Apps » AI Engine » Chatbot tab »...
CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the formid field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. PoC...
WP Job Portal <= 2.0.1 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to change them...
WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. PoC Note: The visitorId parameter's numerical prefix before the %27 must be different on each try...
Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC - Install the plugin and WooCommerce,...
WCP Contact Form <= 3.1.0 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Product Enquiry for WooCommerce < 2.2.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Product page shipping calculator for WooCommerce < 1.3.21 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WooCommerce JazzCash Gateway <= 2.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
ConvertBox Auto Embed WordPress < 1.0.20 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Event Manager for WooCommerce < 3.8.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Open RDW kenteken voertuiginformatie < 2.1.0 - Reflected XSS
The plugin does not sanitise and escape the opendatardwkenteken parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. PoC Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access...
WH Testimonials <= 3.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the whhomepage, whtextshort and whtextfull parameters of submitted Testimonials, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks PoC curl -X POST 'http://example.com/add/' \ -H 'Content-Type: multipart/form-data;...
Mass Delete Unused Tags < 3.0.0 - Tags Deletion via CSRF
The plugin does not have CSRF checks when deleting tag, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. PoC 1. Create a contact form and add a "multiple file upload" field. 2. Add...
WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion
The plugin does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation. PoC As a...
Free WooCommerce Theme 99fy Extension < 1.2.8 - Arbitrary Plugin Activation via CSRF
Description The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack PoC activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST',...
Read More Excerpt Link < 1.6.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Organization chart < 1.4.5 - Multiple CSRF
The plugin does not have CSRF checks in some places, for example when updating/deleting/duplicating popups, tree and themes from the plugin, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Auto Affiliate Links < 6.3.0.3 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack. PoC fetch'/wp-admin/admin-ajax.php', method: 'POST', header...
Simple Yearly Archive < 2.1.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Shortcodes Ultimate < 5.12.7 - Subscriber+ Arbitrary File Access
The plugin does not validate the url attribute of its sutable shortcode before displaying its content, which could allow any authenticated users, such as subscriber to read arbitrary files from the server when the "Unsafe Features" settings is enabled...
WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion
The plugin does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication such as update and delete the auth key. PoC As a...
Ajax Search Lite < 4.11.1 - Subscriber+ Sensitive Data Disclosure
The plugin does not have authorisation and CSRF checks in the wdsearchcf AJAX action, which could allow any authenticated users to call it and retrieve arbitrary post metadata Note: v4.11 added only a CSRF check, authorisation was added in 4.11.1...
Mercado Pago payments for WooCommerce < 6.4.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...