14602 matches found
WordPress Simple Shopping Cart < 4.7.2 - Authenticated(Administrator+) Stored Cross-Site Scripting
Description The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
FreshMail For WordPress <= 2.3.2 - Cross-Site Request Forgery
Description The FreshMail For WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.2. This is due to missing nonce validation function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged...
Advanced Database Cleaner < 3.1.4 - Administrator+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the 'processbulkaction' function. This makes it possible for authenticated attacker, with administrator access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin...
SalesKing < 1.6.30 - Unauthenticated Privilege Escalation
Description The plugin is vulnerable to privilege escalation. This allows unauthenticated attackers to create arbitrary malicious administrator accounts...
Advanced Page Visit Counter <= 8.0.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Visit the "Settings" interface...
Better Anchor Links <= 1.7.5 - Cross-Site Request Forgery via admin/options.php
Description The Better Anchor Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.5. This is due to missing or incorrect nonce validation on the admin/options.php file. This makes it possible for unauthenticated attackers to update the...
Image Tag Manager <= 1.5 - Reflected Cross-Site Scripting via default_class
Description The Image Tag Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'defaultclass’ parameter in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Splashscreen <= 0.20 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Profile Builder Pro < 3.10.1 - Reflected Cross-Site Scripting
Description The Profile Builder Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure
Description The plugin does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts. The fix made in 2.88.15 is not sufficient as it still allowed any authenticated users, such s subscriber to read arbitrary...
Contact Form 7 Extension For Mailchimp <= 0.5.70 - Subscriber+ Server-Side Request Forgery
Description The plugin is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.5.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can ...
Quiz Maker < 6.5.1.2 - Missing Authorization
Description The Quiz Maker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.5.1.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actio...
Contact Form 7 – Dynamic Text Extension < 4.2.0 - Insecure Direct Object Reference
Description The plugin is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7getcustomfield and CF7getcurrentuser shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor...
RSS Aggregator by Feedzy < 4.3.3 - Missing Authorization
Description The plugin is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with author-level access or above to change the plugin's settings includin...
The Events Calendar < 6.2.9 - Unauthenticated Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wpajaxnoprivtribedropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and I...
Envira Gallery Lite < 1.8.7.3 - Missing Authorization to Gallery Modification via envira_gallery_insert_images
Description The plugin is vulnerable to unauthorized modification of data due to an improper capability check on the 'enviragalleryinsertimages' function in all versions up to, and including, 1.8.7.1. This makes it possible for authenticated attackers, with contributor access and above, to modify...
Formidable Forms < 6.7.1 - HTML Injection
Description The plugin is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is...
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure
Description The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog PoC To get the administrator user emails: curl -X POST --data 'userrole=administrator'...
Uncode Core < 2.8.9 - Privilege Escalation
Description The Uncode Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.8.8. This makes it possible for subscribers to escalate their privileges to those of a higher level account...
Oxygen Builder < 4.8.1 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via a custom field due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execut...
Paid Member Subscriptions < 2.10.5 - Cross-Site Request Forgery via ajax_add_log_entry
Description The Paid Member Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.10.4. This is due to missing or incorrect nonce validation on the ajaxaddlogentry function. This makes it possible for unauthenticated attackers to modify...
TerraClassifieds <= 2.0.3 Unauthenticated Arbitrary File Upload
Description The TerraClassifieds – Simple Classifieds Plugin plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote...
EventON < 4.4.1 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page containing one of the code below: 2.6.x the cmon...
MStore API < 4.10.2 - Cross-Site Request Forgery
Description The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 4.10.2 exclusive. This is due to missing or incorrect nonce validation in the templates/admin/mstore-api-admin-dashboard.php file. This makes it possible for unauthenticated attackers...
Impreza < 8.18 - Reflected Cross-Site Scripting
Description The Impreza – WordPress Website and WooCommerce Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 8.17.4 due to insufficient input sanitization and output escaping. This makes it possible for...
WP Remote Site Search < 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The WP Remote Site Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'maxresults' user supplied attribute. This makes it...
Everest Forms < 2.0.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Rate my Post < 3.4.3 - IP Spoofing
Description The Rate my Post – WP Rating System plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 3.4.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
iFrame < 4.9 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape the srcdoc parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, however given that the malicious JS is limited to the scope of the iframe, there is no practical way to make users su...
Ultimate Addons for Beaver Builder < 1.35.15 - Contributor+ Privilege Escalation
Description The Ultimate Addons for Beaver Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.35.14. This makes it possible for authenticated attackers, with contributor access and above, to escalate their privileges to those of a higher lev...
WP Social Bookmark Menu <= 1.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC...
Meris <= 1.1.2 - Reflected XSS
Description The theme does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...
FOX – Currency Switcher Professional for WooCommerce < 1.4.1.7 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape its currency options parameters, which could allow any authenticated users, such as subscribers to perform Stored Cross-Site Scripting attacks...
Insert or Embed Articulate Content into WordPress < 4.3000000023 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF
Description The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. PoC wpfgc url="http://127.0.0.1:8084"...
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload
Description The plugin does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. PoC from io import BytesIO import requests import zipfile import sys import re if...
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Description The plugin does not properly validates IP addresses, allowing unauthenticated attackers to bypass IP-based restrictions...
Prime Mover < 1.9.3 - Directory Listing to Sensitive Data Exposure
Description The plugin does not prevent directory listing in sensitive directories containing export files. PoC http://127.0.0.1/wordpress/wp-content/uploads/prime-mover-export-files/1/ 0 Go to packages and crate new If there is no backup now 1 Go to this URL manualy 2 Use Exploit...
Spectra < 2.7.10 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Genesis Simple Love <= 2.0 - Unauthenticated PHP Object Injection
Description The Genesis Simple Love plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the...
Smart External Link Click Monitor [Link Log] <= 5.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Smart External Link Click Monitor Link Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...
Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected Cross-Site Scripting
Description The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...
Product Enquiry for WooCommerce < 3.1 - Cross-Site Request Forgery
Description The Product Enquiry for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the processbulkaction function. This makes it possible for unauthenticated attackers to...
Webflow Pages <= 1.0.8 - Missing Authorization
Description The Webflow Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to perform an unauthorized action...
List all posts by Authors, nested Categories and Title < 2.8.3 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Client Dash <= 2.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Description The Client Dash plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
Track Geolocation Of Users Using Contact Form 7 <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Track Geolocation Of Users Using Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
Affiliate Booster < 3.0.6 - Blocks Enabling/Disabling via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the processbulkaction function. This makes it possible for unauthenticated attackers to enable or disable all blocks via a forged request granted they can trick a site administrator...
which template file < 5.1.0 - Reflected XSS
Description The plugin does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CF7 Google Sheets Connector < 5.0.6 - Unauthenticated Sensitive Information Exposure via Debug Log
Description The CF7 Google Sheets Connector plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.0.5 via the debug log functionality in google-sheet-connector.php. This makes it possible for unauthenticated attackers to extract sensitive dat...