14603 matches found
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection PoC 1. Install the vulnerable plugin...
Amelia < 1.0.46 - Arbitrary Customer Deletion via CSRF
The plugin does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack PoC...
BulletProof Security < 5.8 - Admin+ Stored Cross-Site Scripting (XSS)
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC As admin, put the following payloads: - in the htaccess File Options htaccess File Editor...
WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG
The plugin allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks PoC 1. As a contributor or above add the following shortcode to a post: wordpressfileupload...
Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. PoC Execute the below command in the web...
Product Feed PRO for WooCommerce < 11.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the rowCount parameter before outputting it back in an attribute via the wooseacategoriesdropdown AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting PoC...
WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
The plugin does not escape the dataraw parameter in the weuselectedusers1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks. PoC As any authenticated user such as subscriber, the request below will display all users email addresses...
Blackhole for Bad Bots < 3.3.2 - Arbitrary IP Address Blocking via IP Spoofing
The plugin uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abuse...
WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
Embed Swagger <= 1.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the /swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0. PoC...
Ad Inserter < 2.7.10 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the htmlelementselection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC...
Float Menu < 4.3.1 - Arbitrary Menu Deletion via CSRF
The plugin does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=float-menu=delete=1...
XootiX Plugins - Various Versions CSRF to Arbitrary Options Update
The plugins Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce are all vulnerable to cross-site request forgery due to a missing nonce check that would make it possible for attackers to update arbitrary options on a vulnerable WordPress site. PoC...
Mortgage Calculators WP < 1.56 - Admin+ Stored Cross-Site Scripting
The plugin does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Go to settings page available under the...
Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection
The plugin does not escape the discountcode in one of its REST route available to unauthenticated users before using it in a SQL statement, leading to a SQL injection PoC https://example.com/?restroute=/pmpro/v1/checkoutlevelid=3code=%27%20%20union%20select%20sleep1%20--%20g...
IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban
The plugin does not have authorisation and CSRF checks in the ip2locationcountryblockersaverules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend. v2.26.5 added...
Futurio Extra < 1.6.3 - Authenticated SQL Injection
The plugin is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting XSS against logged in admins by making send open a malicious link PoC Using SQLi to extract database variables:...
Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion
The plugins do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example PoC Execute the below command in the web developer console of the web browser when being logged i...
Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion
The plugin does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure...
WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
The plugin contains a file passthru.php which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue PoC https://example.com/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://wpscan.com...
Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the fieldname and fieldtype parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues PoC...
WP Booking System – Booking Calendar < 2.0.15 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page. PoC http://127.0.0.1:8001/wp-admin/admin.php?page=wpbs-calendars=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D or...
Events Made Easy < 2.2.36 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the searchtext parameter before using it in a SQL statement via the emesearchmail AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks PoC...
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Template data before outputting it in various pages such as admin dashboard and frontend. Due to the lack of authorisation and CSRF checks in the wpdmsavetemplate AJAX action, any authenticated users such as subscriber is able to call it and perform...
MOLIE <= 0.5 - Reflected Cross-Site Scripting
The plugin does not escape the courseid parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/admin.php?page=moliecoursecheckid=alert/XSS/...
SportsPress < 2.7.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its matchday parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/edit.php?posttype=speventday=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22...
User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes PoC As a contributor, put the following...
Email Tracker < 5.2.7 - Arbitrary Email Entry Deletion via CSRF
The plugin does not have CSRF check when deleting email entries, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack...
NextScripts: Social Networks Auto-Poster < 4.3.21 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...
URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF
The plugin does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack. PoC https://example.com/wp-admin/admin.php?page=uslinks=bulkdeleteids=1...
Bulk Datetime Change < 1.12 - Missing Authorisation
The plugin does not enforce capability checks which allows users with Contributor roles to 1 list private post titles of other users and 2 change the posted date of other users' posts. PoC Run on "Bulk Datetime Change" page:...
Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtnl capability is disallowed. PoC https://drive.google.com/file/d/1ZXIS-q2fzZhRhTyHpHEzxcZ2Shl4Up2/view?usp=sharing Put the...
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create/Edit a Button and put the following payload in the Amount Menu Name field...
WP SEO Redirect 301 < 2.3.2 - Redirect Deletion via CSRF
The plugin does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=wp-seo-redirect-301/seoredirectlist.phpid=12url=https://example.com/yolo deleteid is the post id, whi...
Print-O-Matic < 2.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Pause Before Print" settings of the...
Header Footer Code Manager < 1.1.14 - Admin+ SQL Injections
The plugin does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections PoC...
404 to 301 < 3.0.9 - Logs Deletion via CSRF
Description The plugin does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin delete all of them via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=jj4t3-logs=bulkclean...
WP-Recall < 16.24.48 - Reflected Cross-Site Scripting
The plugin does not escape some filters parameters before outputting them back in attributes when the Commerce add-on is active, leading to Reflected Cross-Site Scripting issues PoC Activate the Commerce Add-On of the plugin and open the below URL...
Far Future Expiry Header < 1.5 - Plugin's Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC...
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfilteredhtml capability is disallowed PoC - Create a new Download, add the following payload in the "Version" and "Link Label" fields from the...
YITH Maintenance Mode < 1.4.0 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitise multiple of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks...
Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure via the bulkexportsubmissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the...
WP HTML Author Bio <= 1.2.0 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against...
Telefication <= 1.8.0 - Open Relay & Server-Side Request Forgery
The plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the /bypass.php file due to a user-supplied URL request value that gets called by a curl requests...
Tutor LMS < 1.9.9 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Plugin's Settings General "Error message...
YITH Maintenance Mode < 1.3.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise the yithmaintenancenewslettersubmitlabel settings, which could allow high privilege users to perform Cross-Site Scripting attacks...
GNU-Mailman Integration <= 1.0.6 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the gmerror parameter found in the /includes/admin/mailing-lists-page.php file which allows attackers to inject arbitrary web scripts...
SMS OVH <= 0.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the position parameter found in the /sms-ovh-sent.php file which allows attackers to inject arbitrary web scripts...
WordPress InviteBox Plugin <= 1.4.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the message parameter found in the /admin/admin.php file which allows attackers to inject arbitrary web scripts...
Twitter Friends Widget <= 3.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the pmcTFuser and pmcTFpassword parameter found in the /twitter-friends-widget.php file which allows attackers to inject arbitrary web scripts...