14602 matches found
Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input appended to the DOM via malicious Lightbox settings, resulting in a DOM Cross-Site Scripting issue PoC...
WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Description WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb-prepare can create unexpected and unsafe queries leading to potential SQL injection SQLi. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from...
Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. PoC POST /register/ HTTP/1.1 Host: wpscan-vulnerability-test-bench.ddev.site...
YITH WooCommerce Gift Cards < 3.20.0 - Unauthenticated Arbitrary File Upload
The plugin does not validate files to be uploaded, allowing unauthenticated attackers to upload arbitrary files, such as PHP...
Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF
The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF Server Side Request Forgery and RFI Remote File Inclusion vulnerabilities on...
WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
Description Authenticated users could corrupt JSON data in the Customizer of other users' to inject malicious JavaScript...
WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site...
WordPress 1.5 & 1.5.1.1 - SQL Injection
...
Avada < 7.11.7 - Authenticated (Admin+) SQL Injection via entry
Description The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE
Description The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. PoC 1. Make sure to configure the plugin so Authors can access its settings 2. Create a new slider. 3. Save and...
Media Library Assistant < 3.06 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC POST /wp-admin/tools.php?page=insertfixit-tools HTTP/1.1...
eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
The plugin suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validatio...
wpDiscuz < 7.3.12 - Sensitive Information Disclosure
The plugin is affected by a sensitive information disclosure...
WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation
Description Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation...
WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
Description From the WordPress version release notes: "Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting XSS vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored...
JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)
The jsmol2wp WordPress plugin was affected by an Unauthenticated Server Side Request Forgery SSRF security vulnerability. PoC http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true=getRawDataFromDatabase=php://filter/resource=../../../../wp-config.php...
WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Description Authenticated Cross-Site Scripting XSS in post/page text editor mode. Editor user and up. PoC link...
Yoast SEO < 22.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘displayname’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Elementor Website Builder Pro < 3.21.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Description The Elementor Website Builder – More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it possible fo...
JetEngine < 3.2.5 - Missing Authorization
Description The JetEngine plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
eCommerce Product Catalog for WordPress < 3.3.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's iccontainer shortcode in all versions up to, and including, 3.3.26 due to insufficient input sanitization and output escaping on user supplied...
Form Maker < 1.15.21 - Captcha Bypass
Description The Form Maker plugin for WordPress is vulnerable to Captcha Bypass in versions up to, and including, 1.15.20 due to insufficient input verification. This makes it possible for unauthenticated attackers to automate form submissions...
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via queries
Description The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the getposts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the...
Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation in an AJAX action relying only on a nonce, which is available to any authenticated users, and does not validate the options to be updated. This allows any authenticated users, such as subscriber to update arbitrary blog options, such as the defaultrole, when...
All In One WP Security & Firewall < 5.1.3 - Configuration Leak
The plugin leaked settings of the plugin publicly, including the used email address. PoC Config leak in previous versions: "aiowpsremovewpgeneratormetainfo" filetype:txt https://www.google.com/search?q=%22aiowpsremovewpgeneratormetainfo%22+filetype%3Atxt Search for aiowpsemailaddress...
Shortcodes Ultimate < 5.12.1 - Stored XSS via CSRF
The plugin does not have CSRF check when adding a Preset, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads in a Preset created via a CSRF attack...
Avada < 6.2.3 - Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS
Description NinTechNet disclosed multiple security vulnerabilities affecting the premium Avada WordPress theme on their blog after responsibly disclosing the security vulnerabilities to Avada. These vulnerabilities included: - Content Injection & Stored XSS - Arbitrary Post Deletion - Arbitrary...
Art-Picture-Gallery <= 1.2.9 - Unauthenticated Arbitrary File Upload
Edit WPScanTeam: March 26th, 2020 - Report Received & Vendor Contacted March 30th, 2020 - Escalated to WP Plugins team as no response from vendor March 31st, 2020 - WP Plugins team investigating & Plugin closed April 2nd, 2020 - Disclosure PoC The PoC will be displayed once the issue has been...
Prime Slider < 3.14.2 - Contributor+ Stored XSS via Pagepiling Widget
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Pagepiling widget due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Elementor Pro < 3.19.3 - Authenticated (Contributor+) Information Exposure
Description The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.19.2 . This makes it possible for authenticated attackers, with contributor-level access and above, to extract arbitrary user meta values...
iPages Flipbook < 1.5.0 - Authenticated (Administrator+) SQL Injection
Description The iPages Flipbook For WordPress plugin for WordPress is vulnerable to SQL Injection via the orderby parameter in all versions up to 1.5.0 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
WP Category Post List Widget <= 2.0.3 - Cross-Site Request Forgery via gen_set_page
Description The WP Category Post List Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.3. This is due to missing or incorrect nonce validation on the 'gensetpage' function. This makes it possible for unauthenticated attackers to modify...
LifterLMS < 7.5.0 - Authenticated(Administrator+) Directory Traversal to Arbitrary CSV File Deletion
Description The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 7.4.2 via the maybeserveexport function. This makes it possible for authenticated attackers, with administrator or LMS manager access and abov...
PDF.js Viewer < 2.1.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC pdfjs-viewer viewerheight='"...
Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection PoC curl https://example.com/wp-admin/admin-ajax.php --data...
WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability. PoC POST /"/onmouseover=alert1;// HTTP/1.1 Host: 127.0.0.1 Content-Type:...
Ultimate GDPR & CCPA Compliance Toolkit < 2.5 - Unauthenticated Plugin Settings Export and Import
The plugin used the isadmin method as an authorisation check, which does not check if the user is a an administrator. This could allow unauthenticated attackers to import arbitrary plugin’s settings and redirect all traffic to an external malicious website for example. Even though proper capabili...
Ebook Download < 1.2 - Directory Traversal
The Zedna eBook download WordPress plugin was affected by a Directory Traversal security vulnerability...
Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass
Description The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handleauthrequest' and 'hadleloginrequest'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an...
Google Analytics by Monster Insights < 8.22.0 - Missing Authorization
Description The plugin is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 8.21.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
BuddyBoss Theme < 2.4.61 - Missing Authorization
Description The BuddyBoss Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unspecified function in all versions up to, and including, 2.4.60. This makes it possible for unauthenticated attackers to change the plugin's settings...
WP Statistics < 13.2.9 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manageoptions capability admin+, however the plugin has a settings to allow low privilege users to access it as well. PoC...
WP < 6.0.3 - Stored XSS via Comment Editing
Description WordPress does not properly escape comments, which could lead to Stored Cross-Site Scripting issues...
GiveWP < 2.21.0 - Manager+ Arbitrary File Creation via Export
The plugin does not validate the exported file, which could allow high privilege users such as Managers to create arbitrary files...
Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests. PoC As unauthenticated: wget "https://example.com/?wpamid=1"...
Testimonial Rotator <= 3.0.3 - Authenticated Stored Cross-Site Scripting
Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users Contributor to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation Edit WPScanTeam: The https://wordpress.org/plugins/themify-portfolio-post/ plugin...
WordPress <= 5.0 - PHP Object Injection via Meta Data
Description According to WordPress: "Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection."...
WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
...
My Calendar < 3.4.22 - Unauthenticated SQL Injection
Description The My Calendar plugin for WordPress is vulnerable to blind|generic|time-based SQL Injection via the 'from' and 'to' parameters of the '/my-calendar/v1/events' rest route in all versions up to, and including, 3.4.21 due to insufficient escaping on the user supplied parameter and lack ...
Ultimate Member < 2.5.1 - Subscriber+ RCE
The plugin does not validate user input passed to calluserfunc via the populatedropdownoptions function, which could allow any authenticated users, such as subscriber to call arbitrary functions without argument ie phpinfo...