14602 matches found
Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Go to the plugin Settings Messages Taxonomies...
Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections
The plugin does not escape multiple POST parameters such as statuscode, department, userid, conversationid, conversationstatuscode, and recipientid before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. PoC The login-cookie parameter is...
Countdown Block < 1.1.2 - Missing Authorisation in AJAX action
The plugin does not have authorisation in the ebwriteblockcss AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users. v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion
The plugin does not have proper access control when deleting a timeslot, allowing any user with the editposts capability contributor+ to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in wit...
Fileviewer <= 2.2 - Arbitrary File Upload/Deletion via CSRF
The plugin does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack PoC To delete /phpinfo.php:...
Simple Popup Newsletter <= 1.4.7 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts...
Per Page Add to Head < 1.4.4 - CSRF to Stored XSS
The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting feature mentioned by the plugin, this could lead to Stored XSS issue which will b...
Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting
The createpostpage AJAX action of the plugin available to authenticated user does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue PoC...
Nifty Newsletters <= 4.0.23 - CSRF to Stored XSS
The plugin is vulnerable to Cross-Site Request Forgery via the solanlwphead function found in the /sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23...
uListing < 2.0.6 - Multiple CSRF
The plugin is lacking proper CSRF checks in multiple protected actions within wp-admin pages, leaving them vulnerable to CSRF attacks. PoC PoC | CSRF | Add/Edit Pricing Plans: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: agent or admin cookies User-Agent: Mozilla/5.0 Content-Typ...
uListing < 2.0.6 - Modify User Roles via CSRF
An Add/Edit User Roles via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC PoC | CSRF | Add/Edit User Roles: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: cookies User-Agent: Mozilla/5.0...
Contact Form 7 Captcha < 0.0.9 - CSRF to Stored XSS
The plugin does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manageoptions change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. PoC All cf7sr parameters a...
WP SMS < 5.4.13 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise the "wpgroupname" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue WPScanTeam: During the verification of the fixes with the vendor, other payloads and injection points were identified, reported an...
Grid Gallery < 1.2.5 - Authenticated Stored Cross Site Scripting (XSS)
The plugin does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability. PoC Step 1: Install Grid Gallery - Photo Image Grid Gallery plugin in word press and activate the plugin. St...
Wonder Video Embed < 1.8 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. PoC wonderpluginvideo iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert1'...
Profile Builder < 3.4.9 - Admin Access via Password Reset
The plugin has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example. PoC The password reset key is checked against...
Shantz WordPress QOTD <= 1.2.2 - Arbitrary Setting Update via CSRF
The plugin is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values. PoC...
Marmoset Viewer < 1.9.3 - Reflected Cross Site Scripting
The plugin does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue. PoC https://example.com/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://%3C/script%3E%3Csvg/onload=alert1%3E WPScanTeam...
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
The plugin did not validate its cachingexcludeurls and cachingincludequerystrings settings before outputting them in a PHP file, which could lead to RCE PoC PoC | Authenticated RCE | Caching Exclude URLs / Cached query strings: POST /wp-admin/admin.php?page=sbp-settings HTTP/2 Host: example.com...
CSRF Bypass in Multiple Plugins
Multiple plugins are affected by CSRF bypass as they do not properly check for the nonce due to a logic flaw. This could allow attackers to make logged in users do unwanted actions...
Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue PoC Add the following payload in the "Paypal email address" setting of the plugin /wp-admin/admin.php?page=bookshelf-settings: ...
ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload
The plugin contained a PHP file, allowing unauthenticated users to upload an arbitrary file anywhere on the web server. Note WPScanTeam: It's unclear which version fixed the issue exactly, however we were able to confirm the issue on version as high as v5.96 and that the related file has been...
Sign-up Sheets < 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard PoC As admin, add a...
Export Users With Meta < 0.6.5 - Authenticated SQL Injection
The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. PoC POST /wp-admin/users.php?page=uewmsettings HTTP/1.1 Accept:...
Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning
The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution RCE of the system due to log poisoning and therefore potentially a full compromise of the underlying structure PoC RCE through chaining LFI with log poisoning 1. Path Traversal / Local File...
Prismatic < 2.8 - Contributor+ Stored XSS
The plugin does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher...
The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue. PoC The vulnerable code leading to the open redirect is in the function "redirecttotpcustompasswordreset" in...
Side Menu < 3.1.5 - Authenticated (admin+) SQL Injection
The menu delete functionality of the plugin, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue PoC GET /wp-admin/admin.php?page=side-menu=del=1%20OR%201=1...
iFlyChat – WordPress Chat <= 4.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue PoC Step1: Install and activate the plugin "iFlyChat – WordPress Chat-4.6.4" Step2: Enter the following payload in the "APP ID" field of the plugin...
Database Backup for WordPress < 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)
The plugin did not escape the backuprecipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue. PoC POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type:...
CM Download Manager < 2.8.0 - Authenticated Arbitrary File Deletion
The plugin may allow authorized users to delete arbitrary files and possibly cause a denial of service via the fileName parameter in a deletescreenshot action...
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
The plugin did not escape user input when blocking requests such as matching a spam word, outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue. PoC From an IP not in the Allow List...
Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue PoC Payloads: - Original reporter:...
Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion
The wpajaxsavefbesettings and wpajaxdeletefbesettings AJAX actions of the plugin were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved. PoC CSRF to XSS CSRF to Delete settings...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget
In the plugin, the image box widget includes/widgets/image-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript ...
wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover
The plugin has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdatawdtID...
Database Backups <= 1.2.2.6 - CSRF to Backup Download
The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. When generating a backup, the file is created in the /wp-content/uploads/database-backups directory, with ...
QuadMenu < 2.0.7 - Unauthenticated RCE via compiler_save
The compilersave AJAX action, available to both authenticated and unauthenticated users did not check the extension of the imported file, and had the nonce used for CSRF check displayed in the homepage. This could allow unauthenticated users to create an arbitrary PHP file on the blog, leading to...
Responsive Menu < 4.0.4 - CSRF to Settings Update
"Attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site." PoC...
Contact Form by Supsystic < 1.7.11 - Authenticated SQL Injections
The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for Forms in the dashboard, leading to an authenticated SQL Injection issues. PoC...
Newsletter by Supsystic <= 1.5.6 - Authenticated SQL Injection
The GET parameter "sidx" is used in a SQL statement without being sanitised when searching for subscribers in the dashboard, leading to an authenticated SQL Injection issue. PoC The PoC will be displayed once the issue has been remediated...
Popup Builder < 3.74 - Authenticated Reflected Cross-Site Scripting (XSS)
The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. PoC http://example.com/wp-admin/edit.php?posttype=popupbuilder=sgpbSubscribers&sgpb-subscribers-date;=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E Video:...
WP Editor < 1.2.7 - Authenticated SQL injection
The plugin did not sanitise or validate its setting fields leading to an authenticated admin+ blind SQL injection issue via an arbitrary parameter when making a request to save the settings. PoC https://drive.google.com/file/d/1KT4lHePmYuX36jvA4AEQ1MVDwJBlZOO/view?usp=sharing payload:...
Stripe Payments < 2.0.40 - Authenticated Stored Cross-Site Scripting (XSS)
The Stripe Payments WordPress plugin, version 2.0.39 and possibly below, was vulnerable to Stored Cross-Site Scripting XSS in the plugin's currencycode settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability...
Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
Multiple authenticated SQL injections in the Anti-Spam by CleanTalk plugin 5.148 exist, however, it requires high privilege user admin+. PoC Vulnerable functions: removeLogs and removeSpam at: lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php Sleep query: POST...
Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in Constant Contact Forms for WordPress 1.8.7 and lower allow high-privileged user Editor+ to inject arbitrary Javascript code or HTML in posts where the malicious form is embed. PoC High-privileged user Editor+ can exploit XSS via Add New Form...
WP Floating Menu < 1.4.1 - Authenticated Reflected Cross-Site Scripting
The id GET parameter used by WP Floating menu does not correctly sanitise user input before reflecting the parameter back to the user, resulting in a reflected XSS vulnerability. Other sanitisation have been added to prevent other XSS issues as well as potential SQL injections. PoC...
Sell Media < 2.4.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
A Cross-site scripting XSS vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter aka $searchterm or the Search field. PoC https://example.com/sell-media-search/?keyword="...
Email Subscribers & Newsletters < 4.5.1 - Cross-site Request Forgery in send_test_email()
An attacker could exploit this issue by convincing a user to click a specially crafted URL, which will send emails from the affected user’s WordPress email account. PoC https://github.com/tenable/poc/blob/master/WordPress/plugins/Icegram/emailsubscribersandnewsletters/csrfpoc.html...
ACF to REST API < 3.3.0 - Unauthenticated Arbitrary wp_options Disclosure
The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wpoptions table, such as a list of active plugins. PoC List all active plugins of the...