14603 matches found
WP Private Message < 1.0.6 - Private Message Disclosure via IDOR
The plugin bundled with the Superio theme as a required plugin does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID. PoC - Install the Superio them...
Quick Restaurant Menu < 2.1.0 - Menu Items Update via CSRF
The plugin does not have CSRF checks when updating its menu items, which could allow attackers to make logged in admins update menu items via a CSRF attack...
Blocksy Companion < 1.8.68 - Contributor+ Stored XSS
The plugin does not validate and escape the class attribute of its blocksyposts shortcode before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi
The plugin does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks. PoC Note: A Calendar is needed if there is not one already. Run the below command in the...
Image and Video Lightbox, Image PopUp < 2.1.6 - Admin+ Stored XSS
The plugin does not sanitise and escape various parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Social Like Box and Page by WpDevArt < 0.8.41 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wpdevartlikebox height='"...
WP Google Map < 4.4.0 - Editor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting attacks...
SiteGround Security < 1.3.1 - Admin+ SQLi
The plugin does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue. PoC 1: POST /wordpress/index.php/wp-json/sg-security/v1/activity-registered HTTP/1.1 Host: YOUR HOST X-WP-Nonce: YOUR NONCE Cookie: Admin+ Content-Length: 155...
eExamhall <= 4.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Clean Login < 1.13.7 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Note: 1...
Event Manager and Tickets Selling Plugin for WooCommerce < 3.8.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC 1. Add an event in the plugin with a city meta as: " onmouseover="alert1" 2. On...
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Theme Activation
The plugin does not have authorisation and CSRF checks when activating themes, which could allow any authenticated user, such as subscriber to perform such action...
Page View Count < 2.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit Additional CSS classes for "Page Views"...
Social Warfare < 4.3.1 - Subscriber+ Post Meta Deletion
The plugin does not have authorisation in some AJAX actions, allowing any authenticated users, such as subscriber, to call them and delete arbitrary post meta as well as reset access tokens related to network...
Pricing Tables WordPress Plugin ā Easy Pricing Tables < 3.2.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Note: Enable compatibility mode by going to the settings of the plugins. Exploit shortcode: easy-pricing-toggle...
WP Popups < 2.1.4.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...
WP Recipe Maker < 8.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. PoC Exploit...
WP User <= 7.0 - Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. PoC 1. As an unauthenticated user, visit the "Sign Up" page by default, this is /?pageid=5, or /user/ 2. Extract the...
BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
The plugin suffers from an Insecure Direct Object Reference IDOR vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointmentid query parameter. PoC curl -s...
GD bbPress Attachments < 4.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain PoC To simulate a gadget chain, put the following code in a plugin class Ev...
Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access
The plugin does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server This is a different issue than CVE-2022-41840 PoC...
ARMember < 5.6 - Unauthenticated Privilege Escalation
The plugin could allow unauthenticated attackers to escalate themselves as admin...
Easy WP SMTP < 1.5.2 - Admin+ RCE
The plugin could allow high privilege users such as admin to perform RCE even when they should not be able to for example in multisite setups...
Menu Item Visibility Control <= 0.5 - Admin+ Arbitrary PHP Code Execution
The plugin doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment. PoC 1. As an admin, go to "Appearance - Menus" and create a menu with some items of your choice...
Quiz and Survey Master < 8.0.5 - Improper Input Validation
The plugin does not properly validate the questionid parameter, which could allow attackers to send values other than the expected type...
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
The plugin does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts PoC Invoke the following curl command to delete the user user id 2 curl https://example.com/wp-admin/admin-ajax.php...
WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the following shortcode in a page/post...
WordPress Popular Posts < 6.1.0 - Unauthenticated Views Manipulation
The plugin does not validate some user inputs via a REST endpoint, which could allow unauthenticated users to update the number of views of articles...
WooSwipe WooCommerce Gallery <= 2.0.1 - Subscriber+ Settings Update
The plugin does not have any authorisation when updating its settings, which could allow any authenticated users, such as subscriber to update them PoC POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0...
Advanced Import < 1.3.8 - Arbitrary Plugin Installation & Activation via CSRF
The plugin does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks PoC Make a logged in admin open a page containing the HTML cod...
WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF
The plugin does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID PoC Make a logged in admin open a page containing the HTML code below. This will regenerate the secret for...
WPML < 4.5.11 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating the selected language for legacy widgets and default behaviour for media content settings, which could allow any authenticated users, such as subscriber to update them...
Homepage Pop-up <= 1.2.5 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Event Monster < 1.2.1 - Admin+ SQLi
The plugin does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users PoC...
WP User Frontend < 3.5.29 - Obscure Registration as Admin
The plugin uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpufencryption. This could allow an attacker having access to the AUTHKEY and AUTHSALT constant via an arbitrary file access issue for...
Appointment Hour Booking < 1.3.72 - Feedback Submission via CSRF
The plugin does not have CSRF check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a CSRF attack...
Quiz And Survey Master < 7.3.5 - Admin+ SQL Injection
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users...
FluentForm < 4.3.13 - CSV Injection
The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection PoC - As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV /wp-admin/admin.php?page=fluentformsid=1=entries - open the CSV with a...
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
The plugin is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files PoC 1 Create 'poc.zip' with 2 files like below 1-1 'exploit.php.txt' is as follows...
Newspaper < 12 - Reflected Cross-Site Scripting
Description The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. PoC...
Blog2Social < 6.9.10 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers PoC Run the script below in the web browser console while being logged in as a subscriber and on the Blog2Social...
Shortcodes Ultimate < 5.12.1 - Settings Preset Update via CSRF
The plugin does not have CSRF check in place when updating its preset settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Seriously Simple Podcasting < 2.16.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a user with the Contributor or above, create a new Popup in Popup Maker menu with "content" field containing...
CPO Shortcodes <= 1.5.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC Make a logged in admin open a page containing the HTML code below...
Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass
The plugin does not have any authorisation and CSRF checks when updating it's settings which are hooked to the init action, allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authenticatio...
Image Hover Effects Ultimate < 9.8.0 - Authenticated Stored XSS
The plugin does not sanitise and escape the Media Image URL, Video Link, Title and Description field of an Image Hover, which could lead to Stored XSS when low privileged users are allowed to access the plugin's feature which can be set via the plugin settings...
Add User Role <= 0.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...