14602 matches found
WordPress Social Login <= 3.0.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its wordpresssocialloginmeta shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Multiple Themes - Reflected XSS
Description The themes suffer from the same issue about the search box reflecting the results causing XSS which allows an unauthenticated attacker to exploit against users if they click a malicious link. PoC https://example.com/?s=katana/asd/...
Store Locator WordPress < 1.4.13 - Reflected XSS
Description The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below...
WPBulky < 1.0.10 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not properly sanitize user input via its sanitize function, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WP Ultimate CSV Importer < 7.9.9 - Author+ RCE
Description The plugin does not validate imported files, which could allow authors and above roles who have been granted access to the plugin settings to perform RCE...
InstaWP Connect < 0.0.9.19 - Unauthenticated Data Modification
Description The plugin does not have authorisation check in its eventsreceiver function, allowing unauthenticated users to create/update/delete posts/taxonomy, install/activate/deactivate plugin, update the customizer settings as well as create/update/delete arbitrary users...
Ultimate Addons for Contact Form 7 < 3.1.29 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC 1. Ensure Contact Form 7 is installed, along with this plugin 2. Visit Contact...
Royal Elementor Addons < 1.3.71 - Unauthenticated API Key Disclosure
Description The plugin discloses the MailChimp API key in pages with the MailChimp block, allowing unauthenticated users to obtain such key...
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Description The plugin does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment PoC Login as a subscriber an open https://example.com/wp-admin/admin-post.php?action=multiparcelsdeleteshipping=1 to delete the shipment wit...
Advanced Flat rate shipping Woocommerce < 1.6.4.6 - Cross-Site Request Forgery
Cross-Site Request Forgery CSRF vulnerability in PI Websolution Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping plugin = 1.6.4.4 versions...
Shortcode IMDB <= 6.0.8 - Cross-Site Request Forgery
The plugin does not properly implement anti-CSRF mechanisms, making it vulnerable to potential CSRF attacks...
WP Mail Log < 1.1.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitize and escape email contents, leading to a potential Stored Cross-Site Scripting vulnerability. This issue allows for arbitrary web scripts to be injected into pages, which will execute when a user accesses an affected page...
Short URL < 1.6.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update
The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of H1 PoC Affected functions: createpaymentintentajax updatepaymentintentajax saveupeappearanceajax updateorderstatusajax updatefailedorderajax ...
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite < 1.0.0 - Subscriber+ Stored XSS
The plugin does not sanitize and escape reviews, which could allow users any authenticated users, such as Subscribers to perform Stored Cross-Site Scripting attacks...
WooCommerce Google Sheet Connector <= 1.3.5 - Access Code Update via CSRF
The plugin does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack PoC Make a logged in admin open https://example.com/wp-admin/admin.php?page=wc-gsheetconnector-config=attacker-code...
Membership Plugin - Restrict Content < 3.2.3 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged-in admin open a page containing the HTML code below...
Event Manager for WooCommerce < 3.9.6 - Editor+ Stored Cross-Site Scripting
The plugin does not correctly sanitize user inputs, leading to potential Stored Cross-Site Scripting XSS vulnerabilities...
Multiple Plugins - Cross-Site Scripting From Third-party Library
The plugins use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability. PoC WP-Optimize - Reflected Cross-Site Scripting 1. Go to the plugin settings and in the "Images" section check the box "Create WebP version of image". 2...
CF7 Google Sheets Connector (Free < 5.0.2, Pro < 2.3.7) - Reflected XSS
The plugins do not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below cf7-google-sheets-connector -...
Kanban Boards for WordPress < 2.5.21 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...
FormCraft Premium < 3.9.7 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC 1. View the plugin settings and intercept the request and add the payload sortOrder=ASC%2cselectfromselectsleep20a 2...
WP User Switch < 1.0.3 - Subscriber+ Authentication Bypass
The plugin does not properly verify the 'wpuswhoswitch' cookie value, which allows attackers with low-privilege accounts like Subscribers to bypass authentication and login as any other existing user. PoC Log-in as a subscriber onto the affected site. Run the following JS script in your browser's...
Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF)
The plugin does not protect the ajax actions azhaddpost, azhduplicatepost, azhupdatepost and azhremovepost against CSRF attacks, allowing an unauthenticated attacker to add, modify and delete posts by tricking a logged in user to submit a crafted request...
IP Metaboxes <= 2.1.1 - Unauthenticated Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Upload Resume <= 1.2.0 - Captcha Bypass
The plugin does not validate the captcha parameter when uploading a resume via the resumeuploadform shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site. PoC The PoC will be displayed once the issue has been remediated...
Booking Ultra Pro < 1.1.7 - Cross-Site Request Forgery
The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The original researcher didn't provide enough information on which actions could be performed...
WIP Custom Login < 1.3.0 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request...
10WebSocial < 1.2.9 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below The XSS will be triggered when pressing...
Slimstat Analytics < 5.0.5 - Admin+ SQLi
The plugin does not sanitise and escape the misclimitresults parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Ultimate Addons for Contact Form 7 < 3.1.24 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the id and formid parameters before using them in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
Shield Security < 17.0.18 - Subscriber+ Arbitrary Log Entry Creation
The plugin does not have authorisation in the theme-plugin-file AJAX action, allowing any authenticated users, such as subscriber to call it and add arbitrary audit log entries, which could also lead to Stored XSS due to the lack of escaping of some entry metadata...
WP-dTree <= 4.4.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Easy Ad Manager <= 1.0.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Original Media Path < 2.4.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
UserPlus <= 2.0 - Stored XSS via CSRF
The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. PoC Open the .html file where the admin user is logged in - Go to...
hiWeb Migration Simple <= 2.0.0.1 Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. The hiweb-migration-simple plugin is vulnerable to POST based XSS on endpoint...
ChatBot < 4.4.9 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard PoC curl -X POST --data 'qcbotstrweight=" style=animation-name:rotati...
PowerPress < 10.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape user-supplied attributes in its shortcodes, leading to a Stored Cross-Site Scripting vulnerability...
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Comments Ratings < 1.1.7 - Cross-Site Request Forgery
The plugin does not properly validate requests use nonces, leading to a potential Cross-Site Request Forgery vulnerability...
IMPress Listings <= 2.6.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
Site Reviews < 6.7.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Login as Admin. 2. Go to...
WCFM Membership < 2.10.1 - Unauthenticated AJAX Calls
The plugin does not have authorisation in various AJAX actions, allowing unauthenticated attackers to call them and modify membership details/renewal information etc...
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated Stored XSS
The plugin does not sanitise and escape a parameter before outputting it back in the Shoutbox, leading to Stored Cross-Site Scripting which could be used against high privilege users such as admins. PoC On a clean Wordpress on localhost: 1. Modify the Shoutboxalias cookie with a value such as 2...
Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly escape the profile display name, leading to stored Cross-Site Scripting vulnerabilities...
Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal
- The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector. - Path Traversal Vulnerabillity also allows listing the entire folder & image file in the system. PoC - The...
Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks PoC Run the below command in the developer console of the web browser while being on the blog as a...
Events Made Easy <= 2.3.14 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the searchname parameter before using it in a SQL statement via the emerecurrenceslist AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Open the URL below while being on the blog as subscriber...
MDTF < 1.3.1 - Reflected XSS
The plugin does not sanitise and escape the taxname parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...