14603 matches found
Google Maps Easy < 1.10.1 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /modules/markergroups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts. Th...
Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS
The plugin did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages...
WP Performance Score Booster < 2.1 - Settings Change via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC...
Content Staging <= 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo’d out via the /templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-sit...
Backdoored Plugins & Themes from AccessPress Themes
Numerous Plugins and Themes from the AccessPress Themes aka Access Keys vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to...
WPeMatico RSS Feed Fetcher < 2.6.12 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create/edit a campaign and add the following feed URL:...
Game Server Status <= 1.0 - Admin+ SQL Injection
The plugin does not validate or escape the serverid parameter before using it in SQL statement, leading to an Authenticated SQL Injection in an admin page PoC sqlmap -u "https://example.com/wp-admin/admin.php?page=grohsfabian-add-game-serversid=1" -p serverid --dbms mysql --cookie your cookie...
WP-T-Wap <= 1.13.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the posted parameter found in the /wap/writer.php file which allows attackers to inject arbitrary web scripts...
RentPress <= 6.6.4 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the selections parameter found in the /src/rentPress/AjaxRequests.php file which allows attackers to inject arbitrary web scripts...
User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting
The plugin does not properly sanitise the userregistrationprofilepicurl value when submitted directly via the userregistrationupdateprofiledetails AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed PoC 1...
Meow Gallery < 4.1.9 - Contributor+ SQL Injection
The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode available for users as low as Contributor before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that...
Countdown Block < 1.1.2 - Missing Authorisation in AJAX action
The plugin does not have authorisation in the ebwriteblockcss AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users. v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...
Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles
The theme lacks authentication checks before returning the titles of notifications between the site's users. PoC Any request to the wofficeNotificationGet ajax endpoint will return titles of notifications sent between users. Example:...
Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s PoC Create an event with the following payload in the description of a timeslot: The XSS will be...
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
The plugin does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website. PoC Access the URL below as unauthenticated...
Create WooCommerce Product Feeds For 40+ Merchants < 3.3.1.0 - Authenticated SQL Injection
The fetchproductajax functionality in the plugin uses a productid POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 162 Accept: / X-Requested-With:...
Icegram < 2.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some parameters, such as headline, which could allow high prolegs users to perform Cross-Site Scripting attacks...
WP Songbook <= 2.0.11 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the /inc/class.ajax.php file which allows attackers to inject arbitrary web scripts...
Moova for WooCommerce < 3.8 - Reflected Cross-Site Scripting
The plugin does not escape the lat parameter of the moovacustomfields AJAA action available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue PoC...
jQuery Tagline Rotator <= 0.1.5 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts...
Site Reviews < 5.13.1 - Authenticated Stored XSS
The plugin does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks when the unfilteredhtml is disallowed PoC As an admin, create a review via the Admin dashboard /wp-admin/post-new.php?posttype=site-review and a...
AceIDE <= 2.6.2 - Authenticated (admin+) Arbitrary File Access
The plugin does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory...
Embed Youtube Video <= 1.0 - Authenticated SQL Injection
The editid GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. PoC GET /wp-admin/admin.php?page=embed-youtube-video-add=-6425+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL%2CNULL%2CNULL-- HTTP/1.1 Cache-Control: max-age=0...
WordPress Popular Posts < 5.3.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the widget-wpp2posttype parameter before outputting it in the page, which could lead to a Stored Cross-Site Scripting issue...
YITH Request a Quote for WooCommerce < 1.6.4 - Unauthorised AJAX call via CSRF
The ajax method did not properly check for CSRF, allowing attackers to make users call the ajaxadditem, ajaxremoveitem or ajaxvariationexist actions, which will tamper with their session quote. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation
The user profile update functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during a profile update which made it possible for users to escalate their privileges to that of an an administrator. PoC 'Hax0r3', 'regemail' = '[email protected]',...
FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)
The plugin, used in the theme did not properly sanitize the foodbakeryradius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting XSS vulnerability. PoC...
WP Hardening < 1.2.2 - Reflected XSS via URI
The plugin did not sanitise or escape the $SERVER'REQUESTURI' before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. PoC https://example.com/wp-admin/plugins.php?%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3Cv=...
The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending
The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value
In the plugin, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/getwildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects. PoC $wpuser, 'pwd' = $wppass...
Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the...
PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
The slider import search feature of the plugin settings did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/edit.php?posttype=wcps=importlayouts="onmouseover=alert1;//...
Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key
The Target First WordPress Plugin, also previously known as Watcheezy, suffered from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the "weeWzKey" parameter that will be save as the "weeID" option. The input value...
Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated admin+ Stored XSS issues. Notes WPScanTeam - The original reporter mentioned the issue being fixed in 2.10.2, but we could still trigger i...
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
In the plugin, low level users, such as subscribers, could use the importfromdebug AJAX action to install any plugin from the WordPress repository. PoC $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Install some plugins $ch =...
CM Download Manager < 2.8.0 - Unauthenticated Reflected Cross Site Scripting (XSS)
The plugin is vulnerable to Unauthenticated Cross Site Scripting XSS before version 2.8.0...
Elementor Addon Elements < 1.11.2 - Contributor+ Stored XSS
The “Elementor Addon Elements” WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Flip Box” widget accepts a “fronttitlehtmltag” parameter. Although the element...
Livemesh Addons for Elementor < 6.8 - Contributor+ Stored XSS
The “Livemesh Addons for Elementor” WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Heading” widget accepts a “titletag” parameter. Although the element control...
Event Banner <= 1.3 - Arbitrary File Upload to RCE
The plugin does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation chec...
Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode
The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised...
wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion
The plugin has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through idkey and idval parameters. By exploiting this issue an attacker is...
VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. PoC The PoC will be displayed once the issue has been remediated...
WP File Manager < 7.1 - Reflected Cross-Site Scripting (XSS)
During a quick security auditing of the plugin, in the default configuration a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wpfilemanagerproperties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response...
Ninja Forms < 3.4.34 - Administrator Open Redirect
The wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. PoC http://mysite.com/wp-admin/admin-ajax.php?clientid=1=https://google.com=nfoauthconnect...
Map Block for Google Maps < 1.32 - Unauthorised Google API Key change
The gmwmapblocksavekey AJAX action, available to both authenticated and unauthenticated users did not have any check in place to prevent unauthorised change of the Google API key. PoC...
Digital Publications by Supsystic < 1.6.12 - Authenticated Path Traversal
The "Folder" tab under "Publications" is vulnerable to path traversal and exposes limited information, for example, the user can gain information regarding images stored in outside of the WordPress blog, ie, home directories. PoC Enter the following payload into the "Folder" input field of a...
Pods < 2.7.27 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS security vulnerability within the 'Singular Label' field parameter. It is recommended that the Pods WordPress plugin be updated to at least version 2.7.27, which fixes the vulnerability...
Advanced Custom Fields < 5.8.12 - Cross-Site Scripting in Select2 dropdowns
The plugin did not correctly escape input from Select2 dropdowns, which could lead to Cross-Site Scripting issues...
Limit Login Attempts Reloaded < 2.16.0 - Authenticated Reflected Cross-Site Scripting
The plugin does not properly sanitise user input in its options page, which could allow attackers to perform XSS attacks against logged in administrator by making them open a malicious URL The issue was partially fixed in 2.15.1, and fully remediated in 2.16.0 PoC...
Ultimate Category Excluder < 1.2 - Cross-Site Request Forgery
The plugin did not check for CSRF nonce in its options page, allowing attacker to perform CSRF attacks against logged in users...