14602 matches found
SEO Redirection < 9.1 - 404 Error & History Deletion via CSRF
The plugin does not have CSRF check when deleting 404 errors and history, which could allow attackers to make logged in admins delete them via CSRF attacks...
PHP Everywhere < 3.0.0 - Contributor+ RCE via Gutenberg Block
The plugin allows any users with a role as low as contributor to execute PHP via the Gutenberg Block of the plugin in posts...
All In One SEO < 4.1.5.3 - Authenticated SQL Injection
The plugin is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database e.g., usernames and hashed passwords...
Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Content-Length: 774 Accept: / X-Requested-With: XMLHttpRequest User-Agent:...
JoomSport <= 3.3 - SQL Injection
The JoomSport – for Sports: Team & League, Football, Hockey & more WordPress plugin was affected by a SQL Injection security vulnerability...
WPBakery Page Builder < 4.7.4 - Multiple Unspecified Cross-Site Scripting (XSS)
The jscomposer WordPress plugin was affected by a Multiple Unspecified Cross-Site Scripting XSS security vulnerability...
TheCartPress <= 1.3.9 - Multiple Vulnerabilities
The TheCartPress eCommerce Shopping Cart WordPress plugin was affected by a Multiple Vulnerabilities security vulnerability...
WooCommerce 2.3 - 2.3.5 - SQL Injection
The WooCommerce WordPress plugin was affected by a 2.3.5 - SQL Injection security vulnerability...
Meta Slider <= 2.5 - Cross-Site Scripting (XSS)
The Responsive Slider by MetaSlider – Slider and Carousel Plugin for WordPress WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Unyson < 2.7.31 - Cross-Site Request Forgery
Description The Unyson plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.30. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action...
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
Description The Bricks theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.6. This makes it possible for unauthenticated attackers to execute code on the server...
Login Lockdown < 2.07 - Admin+ SQLi
Description The plugin does not properly sanitise and escape the iDisplayStart parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
Description WordPress does not properly restrict which user fields are searchable via the REST API. PoC from multiprocessing import Pool import requests import string import json import sys if lensys.argv != 2: printf'USAGE: sys.argv0 ' sys.exit url = sys.argv1.rstrip'/' + '/wp-json/wp/v2/users'...
WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
Description WordPress does not escape some of its Navigation block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Oxygen Builder < 4.4 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
File Manager Advanced Shortcode <= 2.3.2 - Unauthenticated Remote Code Execution through shortcode
The plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users. PoC 1. Add the following shortcode to ...
WP < 6.0.3 - Stored XSS via wp-mail.php
Description WordPress does not properly sanitize some parameters when receiving a post by email, which could lead to Stored Cross-Site Scripting issue...
Name Directory < 1.18 - Cross-Site Request Forgery (CSRF)
The plugin was affected by CSRF issues, allowing attackers to make a logged in administrator perform unwanted actions...
RegistrationMagic – Custom Registration Forms and User Login < 4.6.0.4 - Multiple Critical Issues
These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those of an administrator and to export every form on the site, including all the data that had been submitted to them in the past. Additionally, through a number of unprotected AJAX actions, an...
Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download
The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before. PoC...
Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF
Description The Avada WordPress theme was affected by a Stored Cross-Site Scripting XSS & CSRF security vulnerability. PoC http://cdn.wphutte.com/Avada/5.1.4/xss.html http://cdn.wphutte.com/Avada/5.1.4/csrf.html...
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.15 - Unauthenticated SQL Injection
Description The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IGESSubscribersQuery' class in all versions up to, and including, 5.7.14 due to insufficie...
LiteSpeed Cache < 5.7.0.1 - Unauthenticated Stored XSS
Description The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nameservers' and 'msg' parameters due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user...
Store Locator WordPress < 1.4.15 - Admin+ Arbitrary File Deletion
Description The plugin is vulnerable to Directory Traversal, allowing authenticated attackers, with administrator access and above, to delete arbitrary files...
Footer Putter <= 6.1.3 - Reflected Cross-Site Scripting
Description The Footer Putter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Decorator - WooCommerce Email Customizer < 1.2.8 - Cross-Site Request Forgery
Description The Decorator – WooCommerce Email Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.7. This is due to missing nonce validation on several functions such as ajaxreset, wtdecoratorbuttontext, wtdecoratorsetasdefault, an...
Bamboo Columns <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Bamboo Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...
Master Slider Pro <= 3.6.5 - Authenticated (Editor+) SQL Injection
Description The Master Slider Pro plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 3.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possib...
WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC Run the command: curl -i -s -k -X POST --data-binary...
WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload
The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server PoC 1. Install and activate woocommerce dependency, no setup required 2. Install and active the vulnerable plugin n-media-woocommerce-checkout-fields...
MailChimp for Woocommerce < 2.7.1 - Subscriber+ SSRF
The plugin has an AJAX action that allows any logged in users such as subscriber to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example PoC As any logged in user:...
WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting
Description Post authors are able to bypass KSES restrictions in WordPress = 5.9 and or Gutenberg = 9.8.0 due to the order filters are executed, which could allow them to perform to Stored Cross-Site Scripting attacks PoC As a user without the UNFILTEREDHTML capability, create a post containing t...
All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize
The plugin enables authenticated users with "aioseotoolssettings" privilege most of the time admin to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool Import/Export". However, the plugin attempts to...
GravityForms < 2.4.9 - Hashed Password Leakage
The gravityforms WordPress plugin was affected by a Hashed Password Leakage security vulnerability...
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
Description The library, used in numerous plugins, does not have proper authorisation when updating blog options, allowing any authenticated users, such as subscriber to update arbitrary options PoC As any authenticated user: Enable new user registrations:...
WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Description An application Denial of Service DoS was found to affect WordPress versions 4.9.4 and below. We are not aware of a patch for this issue...
Yoast SEO <= 2.1.1 - Authenticated Stored DOM XSS
The "snippet preview" functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2. PoC Vulnerable URL: /wp-admin/post-new.php?posttitle= Vulnerable Code wordpress-seo/js/wp-seo-metabox.js: function ystcleanstr if str == '' || str == undefined...
Multiple iThemes plugins, themes and add-ons - XSS via add_query_arg() and remove_query_arg()
...
Contact Form by WPForms – Drag & Drop Form Builder for WordPress < 1.8.8.2 - Unauthenticated Price Manipulation
Description The Contact Form by WPForms – Drag & Drop Form Builder for WordPress is vulnerable to price manipulation. This is due to a lack of controls on several product parameters, making it possible for unauthenticated attackers to manipulate prices, product information, and quantities for...
WP Show Posts < 1.1.6 - Improper Authorization to Information Exposure
Description The WP Show Posts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with subscriber access and above, to view...
WP Statistics < 14.5.1 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not properly escape visited URLs which are reflected on the plugin's dashboard. PoC Visit one same page multiple times so it makes it to the most visited pages, adding the following "utmid" parameter to it:...
LearnPress < 4.2.5.8 - Unauthenticated Command Injection
Description The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the getcontent function. This is due to the plugin making use of the calluserfunc function with user input. This makes it possible for unauthenticated attackers to...
Contact Form builder with drag & drop - Kali Forms < 2.3.29 - Missing Authorization via get_log
Description The Contact Form builder with drag & drop - Kali Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the getlog function in versions up to, and including, 2.3.28. This makes it possible for authenticated attackers, with subscriber-level...
Charitable < 1.7.0.14 - Authenticated(Contributor+) Stored Cross-Site Scripting
Description The Charitable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.7.0.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Vertical scroll recent post <= 14.0 - Cross-Site Request Forgery via vsrp_admin_options
Description The Vertical scroll recent post plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 14.0. This is due to missing or incorrect nonce validation on the 'vsrpadminoptions' function. This makes it possible for unauthenticated attackers to...
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure
The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. PoC - Create a password protected package containing one or more files. - Navigate to the download page of the package e.g. /download/package1 -...
Menu Image, Icons made easy < 3.0.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggere...
All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. PoC To reproduce: - Log in, Click all in one WP migration import to use the import from file function. - Intercept wp-admin/admin-...
W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)
The plugin was vulnerable to a reflected Cross-Site Scripting XSS security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a...