14603 matches found
Restrict User Access – Ultimate Membership & Content Protection < 2.6 - Information Exposure
Description The Restrict User Access – Ultimate Membership & Content Protection plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages via API...
Comments Extra Fields For Post,Pages and CPT < 5.1 - Missing Authorization
Description The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, wi...
Categorify < 1.0.7.5 - Missing Authorization in categorifyAjaxAddCategory
Description The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level...
Gestpay for WooCommerce < 20240307 - Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Description The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajaxsetdefaultcard' function. This makes it possible for unauthenticated attackers ...
Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Arbitrary File Upload
Description The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to...
Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Brizy – Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Tutor LMS < 2.6.1 - Missing Authorization
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticate...
Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset
Description The plugin does not have authorisation when resetting its database, allowing any authenticated users, such as subscriber to perform such action PoC Log in as a subscriber, access the Diagnostic tab of the plugin /wp-admin/admin.php?page=enjoyinstagrampluginoptions=diagnostic and click...
Link Library < 7.6.1 - Unauthenticated Stored Cross-Site Scripting
Description The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'llreciprocal' parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
404 Solution < 2.35.8 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins. PoC 1. navigate to logs "https://example.com/wp-admin/options-general.php?page=abj404solution=abj404logs"...
PJ News Ticker <= 6.8.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Description The PJ News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 6.8.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
Malware Scanner < 4.7.3 - Admin+ SQLi
Description The plugin is vulnerable to SQL Injection via an unknown parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access and above, to appe...
Insert PHP Code Snippet < 1.3.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Brooklyn <= 4.9.7.6 - PHP Object Injection
Description The brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7.6 via deserialization of untrusted input from an unknown parameter. This makes it possible for authenticated attackers, with subscriber access and above, to inject a PHP...
Royal Elementor Kit < 1.0.117 - Missing Authorization to Arbitrary Transient Update
Description The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissedhandler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber...
RSS Aggregator by Feedzy < 4.4.3 - Missing Authorization to Arbitrary Page Creation and Publication
Description The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzywizardstepprocess' and 'importstatus' functions in all versions up t...
Blocksy < 2.0.20 - Authenticated (Editor+) Stored Cross-Site Scripting
Description The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via headers/footers in all versions up to, and including, 2.0.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to...
Event Tickets and Registration < 5.8.1 - Contributor+ Arbitrary Events Access
Description The plugin does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. e.g. draft, private, pending review, pw-protected, and trashed events. PoC 1. ADMIN: Install Event Tickets 2. ADMIN: Install Event Tickets...
All-In-One Security (AIOS) – Security and Firewall < 5.2.6 - Reflected Cross-Site Scripting
Description The All-In-One Security AIOS – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for...
WP Visitor Statistics (Real Time Traffic) < 6.9.5 - Sensitive Information Exposure via Log File
Description The WP Visitor Statistics Real Time Traffic plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.9.4. This makes it possible for unauthenticated attackers to extract sensitive data from log files...
Don't Muck My Markup <= 1.8 - Cross-Site Request Forgery
Description The Don't Muck My Markup plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform unauthorize...
InstaWP Connect < 0.1.0.10 - Authenticated (Subscriber+) SQL Injection
Description The InstaWP Connect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 0.1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacker...
Backuply – Backup, Restore, Migrate and Clone < 1.2.4 - Admin+ Directory Traversal
Description The plugin is vulnerable to Directory Traversal via the nodeid parameter in the backuplygetjstree function. This makes it possible for attackers with administrator privileges or higher to read the contents of arbitrary files on the server, which can contain sensitive information...
WP RSS Aggregator < 4.23.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WordPress Button Plugin MaxButtons < 9.7.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Product Import Export for WooCommerce < 2.3.8 - Shop Manager+ Arbitrary File Upload via upload_import_file
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'uploadimportfile' function n all versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Shop Manager access and above, to upload arbitrary files on th...
Advanced Custom Fields < 6.2.5 - Contributor+ Stored Cross-Site Scripting via Custom Field
Description The plugin is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to injec...
WP Recipe Maker < 9.1.1 - Reflected Cross-Site Scripting via Referer
Description The plugin is vulnerable to Reflected Cross-Site Scripting via the ‘Referer' header in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...
Unlimited Addons for WPBakery Page Builder <= 1.0.42 - Authenticated (Editor+) Arbitrary File Upload
Description The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role...
InstaWP Connect < 0.1.0.9 - Missing Authorization to Arbitrary Options Update
Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savemanagementsettings function in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated...
ARMember < 4.0.23 - Cross-Site Request Forgery
Description The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.22. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to inject PHP objects via a forged...
WP Job Manager < 2.1.0 - Cross-Site Request Forgery
Description The WP Job Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the settingssave function. This makes it possible for unauthenticated attackers to save settings via a...
Booster Plus for WooCommerce < 7.1.2 - Missing Authorization to Arbitrary Page/Post Deletion
Description The Booster Plus for WooCommerce plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on an unknown function in all versions up to 7.1.2 exclusive. This makes it possible for authenticated attackers, with subscriber-level access and above, ...
CPT Bootstrap Carousel <= 1.12 - Reflected Cross-Site Scripting
Description The CPT Bootstrap Carousel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
PageLayer < 1.8.0 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfilteredhtml is disallowed, such as in multi-site WordPress configurations. PoC - As a user with Author+ capabilities, create a new...
Uncode Core < 2.8.9 - Authenticated (Subscriber+) Arbitrary File Deletion
Description The uncode-core plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers with subscriber level access or higher to delete arbitrary files on the site...
Webba Booking < 5.0 - Cross-Site Request Forgery
Description The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.33. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for...
Thrive Automator < 1.17.1 - Cross-Site Request Forgery
Description The Thrive Automator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.17. This is due to missing or incorrect nonce validation on the factoryreset function. This makes it possible for unauthenticated attackers to reset plugin setting...
WP Adminify < 3.1.7 - Authenticated(Administrator+) SQL Injection
Description The WP Adminify plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 3.1.7 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
Zoho Forms < 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Zoho Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including 3.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Simply Schedule Appointments < 1.6.6.1 - Authenticated(Administrator+) SQL Injection
Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 1.6.6.1 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient...
BookingPress < 1.0.73 - Authenticated (Contributor+) SQL Injection
Description The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 1.0.72 due to insufficient escaping on the user supplied parameter and lack of...
WooCommerce Ship to Multiple Addresses < 3.8.10 - Missing Authorization
Description The WooCommerce Ship to Multiple Addresses plugin for WordPress is vulnerable to unauthorized action due to a missing capability check on a function in versions up to, and including, 3.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
HT Mega < 2.3.9 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the regbio parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WooCommerce Shipping Per Product < 2.5.5 - Missing Authorization
Description The WooCommerce Shipping Per Product plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with customer-level access and above, to perform ...
Verge3D < 4.5.3 - Subscriber+ Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'v3duploadappfile' function, allowing any authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code executi...
Essential Blocks for Gutenberg < 4.2.1 - Subscriber+ Unauthorised Actions
Description The plugin does not have proper authorisation checks in various functions, allowing any authenticated users, such as subscribers to perform unauthorized actions...
PageLayer < 1.7.9 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'pagelayerheadercode', 'pagelayerbodyopencode', and 'pagelayerfootercode' meta fields due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Solid Security Basic < 9.0.1 - Unauthenticated Login Page Disclosure
Description The plugin is vulnerable to protection mechanism bypass due to disclosing the login path when comments are enabled and registration is required. This makes it possible for unauthenticated attackers to discover the login page path and bypass the intended functionality of the security...
Mail logging - WP Mail Catcher < 2.1.4 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...