14603 matches found
Craw Data <= 1.0.0 - Server Side Request Forgery
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF. PoC When configuring the CrawData addon, the request is as follows GET...
Uploading SVG, WEBP and ICO files <= 1.0.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
The plugin does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers PoC https://example.com/wp-json/wp/v2/sensei-messages/...
WP Sticky Button < 1.4.1 - Unauthenticated Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues PoC fetch"/wp-admin/admin-ajax.php", "headers":...
WP Edit Menu < 1.5.0 - Unauthenticated Arbitrary Post Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog PoC https://example.com/wp-admin/admin-ajax.php?action=filtermenu=post-id...
Multiple Plugins from Puvox.software - Reflected Cross-Site Scripting
The plugins do not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=wp-phpmyadmin-extension=errors-logreset"...
VR Calendar <= 2.3.4 - Admin+ LFI
The plugin does not validate user input before using it in a require statement, which could allow high privilege users to perform LFI attacks. The attack could also be performed via a CSRF vector by making a logged in admin open a malicious link PoC...
GS Testimonial Slider <= 1.9.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Simple Banner < 2.12.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payloads in the "Simple Banner Text" settings of the plugin: Firefox...
WP DS Blog Map <= 3.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the settings...
Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF
The plugin is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks PoC https://example.com/wp-admin/admin.php?page=counter-box=1=activate...
Microsoft Advertising Universal Event Tracking < 1.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Due to the nature of this plugin, well crafted XSS can also leak into the frontpage. PoC Put the followi...
Popup Anything < 2.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting PoC On a post/page where the paocdetails display="keyxxx" shortcode is embed, append the following payload: ?xxx=11111%3Cscript%3Ealert/XSS/%3C/script%3E...
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. PoC As admin, Import the following CSV...
Popup Builder < 4.1.12 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Simple Page Transition <= 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Ignored Download...
WP Event Manager < 3.1.28 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting PoC Against any authenticated user: https://example.com/event-dashboard/?searchkeywords=aaaa"...
Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltredhtml is disallowed PoC Create/edit a subscription, enabled the GDPR options in it and add the following payload in the "confirmation text"...
FoxyShop < 4.8.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/edit.php?posttype=foxyshopproduct=foxyshoptools=error=...
Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection PoC...
Sharebar <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them PoC...
XO Slider < 3.3.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Slider fields, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
API KEY for Google Maps < 1.2.2 - Arbitrary API Key Update via CSRF
The plugin does not have CSRF in place when updating the API key, allowing attackers to make a logged in admin perform such action via a CSRF attack...
WordPress Security < 4.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup PoC Put the following payload in the...
Limit Login Attempts < 4.0.72 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup PoC Put the following payload in the...
HTML2WP <= 1.0.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them PoC...
PDF24 Article To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC .pdf24Plugin-cp border:1px solid silver; .pdf24Plugin-cp inputtype="text" width:200px; border:1px solid silver; margin:0; padding:2px;...
PDF24 Articles To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC .pdf24Plugin-cp border:1px solid silver; .pdf24Plugin-cp inputtype="text" width:200px; border:1px solid silver; margin:0; padding:2px;...
Print, PDF, Email by PrintFriendly < 5.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Custom Button Text settings, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC In the plugin's settings, tick 'Custom Button' and put the following...
WP-Email < 2.69.0 - Anti-Spam Protection Bypass via IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based anti-spamming restrictions. PoC Set HTTPCLIENTIP, HTTPXFORWARDEDFOR or any of the other headers used in getipaddress. curl...
Hotel Booking <= 3.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
WP Statistic < 13.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Stored Cross-Site Scripting attacks when unfiltredhtml is disallowed...
Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. PoC Create/edit a calendar, and put the following payload in the "Additional CSS Class" settings of...
MailerLite < 1.5.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC The first digit of the ID must be an existing form ID...
HC Custom WP-Admin URL <= 1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL PoC...
JupiterX Core < 2.0.7 - Information Disclosure, Modification, and Denial of Service
Any logged in users, such as subscriber could view site configuration and logged-in users, modify post conditions, or perform a denial of service attack via the jupiterxconditionalmanager AJAX action which can be used to call any function in the includes/condition/class-condition-manager.php file...
Simple Real Estate Pack <= 1.4.8 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Put the following payload in the plugin's settings such as "Consumer Key": "...
Content Mask < 1.8.4.1 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options PoC POST /wp-admin/admin-ajax.php...
Hermit <= 3.1.6 - Subscriber+ SQLi
The plugin does not sanitise and escape the ids parameter before using it in a SQL statement, leading to a SQL injection...
Tripetto < 5.2.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate uploaded attachment files, which could allow unauthenticated users to upload malicious SVG and lead to Cross-Site Scripting...
ShortPixel Adaptive Images < 3.4.0 - Subscriber+ Arbitrary Settings Update
The plugin does not have any authorisation when updating its settings via an AJAX action, allowing any authenticated users, such as subscriber to change them...
ScrollReveal.js Effects <= 1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Put the following payload in any of the plugin's settings such as Opacity: "...
th23 Social <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the plugin's settings...
Easily Generate Rest API Url <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the "Post Per Page" or "Enter Search Text": settings of the plugin: "autofocu...
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the userscanregister and defaultrole,...
Testimonial Slider <= 3.5.8.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its slider settings, such as mpsppostsbgcolor, mpsppostsdescriptioncolor, mpspslidenavbuttoncolor which could allow users with the editpost capability contributor and above to perform Cross-Site Scripting attacks...
Users Ultra <= 3.1.0 - Unauthenticated SQL Injection
The plugin fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection. PoC curl...
Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting
The plugin does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin Translator and Administrator by default to add arbitrary javascript payloads to the source...
WP Downgrade < 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfilteredhtml capability is disallowed PoC Access the settings of th...
Easy Social Icons < 3.2.1 - Admin+ Stored Cross-Site Scripting in add icon
The plugin does not properly escape the imagefile field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfilteredhtml capability is disallowed. Version 3.2.0 adressed some of the issues, but was still vulnerable when clicking to edit the...