14603 matches found
VK All in One Expansion Unit < 9.86.0.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Setup: The CTA Expansion...
Multi Rating < 5.0.6 - Ratings Deletion via CSRF
The plugin does not have CSRF check when deleting ratings, which could allow attackers to make logged in admins to perform such action via a CSRF attack...
Ocean Extra < 2.1.2 - Contributor+ Stored XSS
The plugin does not escape the class attribute of its oceanwpbreadcrumb shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC oceanwpbreadcrumb class='"...
Robo Gallery < 3.2.11 - Plugin Activation/Deactivation via CSRF
The plugin does not have CSRF checks when activating and deactivating plugins, which could allow attackers to make logged in users perform such actions via CSRF attacks...
Unlimited Elements For Elementor < 1.5.49 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Zoho Forms < 3.0.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC As a contributor, put the following in ...
teachPress < 8.1.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Stream < 3.9.2 - Subscriber+ Alert Creation
The plugin does not prevent users with little privileges on the site like subscribers from using its alert creation functionality, which may enable them to leak sensitive information. PoC Step 1: Log in as a subscriber Step 2: Get a nonce from...
WP Super Popup <= 1.1.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
SiteGround Security < 1.3.1 - Admin+ SQLi
The plugin does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue. PoC 1: POST /wordpress/index.php/wp-json/sg-security/v1/activity-registered HTTP/1.1 Host: YOUR HOST X-WP-Nonce: YOUR NONCE Cookie: Admin+ Content-Length: 155...
jQuery T(-) Countdown Widget < 2.3.24 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC tminus t='2100-01-01' width='"...
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Import
The plugin does not have authorisation and CSRF checks when importing templates, which could allow any authenticated user, such as subscriber to perform such action...
RSS Aggregator by Feedzy < 4.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC 1. Add the Feedz...
10WebMapBuilder < 1.0.72 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...
Structured Content < 1.5.1 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
WP Limit Login Attempts <= 2.6.4 - IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based restrictions on login forms. PoC Set HTTPCLIENTIP or HTTPXFORWARDEDFOR as used in wplimitgetip to spoof the IP address and bypass the block...
Metricool < 1.18 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the settings page of the plugin, add th...
404 to Start <= 1.6.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the settings of the plugin,...
ipBlockList <= 1.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Permalink Manager Lite < 2.3.0 - Authenticated Stored XSS
The plugin does not escape page/post and media titles, which could allow attackers to perform Stored XSS attacks when another plugin/theme allowing low privilege users to modify such titles is active on the blog as well...
Launchpad <= 10.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download
The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. PoC 1. Install woocommerce dependency, no setup required 2. Install the vulnerable plugin...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=letsrecover-manual-notificationid=111+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Visual Email Designer for WooCommerce < 1.7.2 - Multiple Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. PoC action=INSERT HERE NAME OF...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgdeactivate and cgactivate POST parameters before concatenating it to an SQL query in 2deactivate.php and 4activate.php, respectively. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC Exploit...
Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE PoC 1. Install and activate woocommerce dependency, no setup required 2. Install and activate the...
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain PoC To simulate a gadget chain, put the following code in a plugin class Ev...
WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have authorisation check when activating plugins via an action hooked to init, which could allow unauthenticated attackers to deactivate arbitrary plugins from the blog...
Theme and plugin translation for Polylang < 3.2.17 - Unauthenticated Translation Settings Update
The theme does not have authorisation in the processpolylangthemetranslationwploaded function, which could allow unauthenticated attack to update translation settings, as well as import arbitrary translations...
AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org PoC Run the below command in the developer console of the web browser while being on the blog as ...
StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org PoC Run the below command in the developer console of the web browser while being on the blog as ...
Advanced Import < 1.3.8 - Arbitrary Plugin Installation & Activation via CSRF
The plugin does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks PoC Make a logged in admin open a page containing the HTML cod...
Becustom < 1.0.5.3 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
AdRotate Banner Manager < 5.9.1 - Password Change via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make a logged admin change their password via CSRF attacks...
LoginPress < 1.6.3 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks when updating its Opt-In and Opt-Out tracking settings, which could allow any unauthenticated users to update them...
WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Deletion
The plugin does properly check for the access token in its REST API endpoints, which could allow unauthenticated attackers to call them and delete arbitrary files...
Contact Form Entries < 1.3.0 - CSV Injection
The plugin does not validate data when its output in a CSV file, which could lead to CSV injection. PoC - Submit a form using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms using =5+5 as the value - Export the data as CSV /wp-admin/admin.php?page=vxcfleads - Open the CSV with a...
WP-Polls < 2.77.0 - Subscriber+ Race Condition
The plugin is affect by a race condition which could allow any authenticated users to tamper with the votes on a poll...
WP ALL Export Pro < 1.7.9 - Authenticated Code Injection
The plugin does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be...
Oceanwp Sticky Header <= 1.0.8 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Soledad < 8.2.5 - Reflected Cross-site Scripting
The theme does not sanitise the id,datafiltertype,... parameters in its pencimoreslistpostajax AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability. PoC A threat actor can collect the nonce value on the main webpage by searching for it on the ajaxvarmore call: var ajaxvarmor...
DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Go the DSGVO AIO Settings Cookie Notice settin...
Corner Ad < 1.0.57 - Ads Deletion via CSRF
The plugin does not have CSRF check when deleting ads, which could allow attackers to make logged in admins delete arbitrary ads via a CSRF attack...
Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload
The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE PoC 1. Navigate to the page where ffmwp shortcode is included as Subscriber 2...
Word Search Puzzles Game <= 2.0.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks...
Image Hover Effects Ultimate < 9.8.0 - Authenticated Stored XSS
The plugin does not sanitise and escape the Media Image URL, Video Link, Title and Description field of an Image Hover, which could lead to Stored XSS when low privileged users are allowed to access the plugin's feature which can be set via the plugin settings...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Text Block
The plugin does not sanitise and escape its Text Block fields, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks PoC Create a post using the plugin editor, add a Text Block and put the following payload in its content: The XSS will be triggered whe...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Title
The plugin does not sanitise and escape post/page Title, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks PoC Create a post using the plugin editor and add the following payload in the Title: " The XSS will be triggered when editing the post again...
About Rentals <= 1.5 - Unauthenticated Actions
The plugin does not have authorisation in various actions, which could allow unauthenticated users to call them and perform unauthorised actions...
Launcher: Coming Soon & Maintenance Mode <= 1.0.11 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...