14602 matches found
Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR
The plugin suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own. PoC The following Python script automates the exploitation of this vulnerability. The script was tested on an installation of WordPress 6.1 with the vulnerable...
Transposh WordPress Translation <= 1.0.8 - Settings Update via Authorization Bypass
The plugin does not properly check for its "Who can translate" settings when the auto translate is enabled which is the default, which could allow unauthenticated attackers to update settings...
TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR
The plugin does not ensure that the wallet to lock/unlock belongs to the user making the request, allowing any authenticated users, such as subscriber to lock/unlock arbitrary wallets via an IDOR attack...
WP Affiliate Platform < 6.4.0 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
Broken Link Checker < 1.11.20 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Youtube API K...
WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Access
The plugin does properly check for the access token in its REST API endpoints, which could allow unauthenticated attackers to call them and download arbitrary files...
Booster for WooCommerce - Checkout Files Deletion via CSRF
The plugins do not have CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged in shop manager or admin delete them via a CSRF attack PoC Requirements: - Enable the "Checkout File Upload" module of the plugin...
Creative Mail < 1.6.0 - Settings Reset via CSRF
The plugin does not have CSRF check when resetting its settings, which could allow attackers to make logged in admins perform such action via a CSRF attack...
IP Blacklist Cloud Plugin <= 5.00 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
The plugin does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog PoC As a...
Page View Count < 2.5.6 - Settings Reset via CSRF
The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack...
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
The plugin does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin PoC When deleting a scan logs /edit-comments.php?page=ctcheckspamlogs, intercept the request and change the spamids parameter to...
AdminPad < 2.2 - Note Update via CSRF
The plugin does not have CSRF check when updating admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack PoC Notes are displayed in the Dashboard /wp-admin/index.php...
SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion
The plugin does not validate the swpengine parameter of the searchwplivesearch AJAX action, which could allow unauthenticated attackers to perform Local File Inclusion attack via a Path Traversal vector on web server running IIS...
Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...
Contact Form By Mega Forms < 1.2.5 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal
The plugin does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory PoC 1. Navigate to settings page /wp-admin/edit.php?posttype=wpdmpro=settings 2. In the “File Browser Root:” setting,...
Post SMTP < 2.1.7 - Admin+ Blind SSRF
The plugin does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example. PoC Navigate to https://example.com/wp-admin/admin.php?page=postman%2Fporttest Inside "Outgoing Mail Server...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Image URL
The plugin does not sanitise and escape the Image URL field of the Media block, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
Poll, Survey, Questionnaire and Voting system <= 1.7.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
59sec LITE <= 3.4.1 - Unauthenticated Settings Update
Description The plugin does not have any authorisation in place when updating its settings, allowing unauthenticated attackers to do so...
Classima < 2.1.11 - Reflected Cross-Site Scripting
The theme and some of its required plugins do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/all-ads/?q="+onmouseover%3Dalert%281%29+id%3Dx+tabindex%3D0+style%3Ddisplay%3Ablock The XSS will be triggered when the us...
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing
The plugin does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. PoC The function wantispampgetip is vulnerable to IP spoofing because of the general usage of $SERVER'HTTPXFORWARDEDFOR' curl -...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls
The plugin is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors reporter by the submitter or update arbitrary order status identified by WPScan when verifying the issue for example. Other...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthenticated LFI
The plugin does not validate and sanitise a parameter before using it to include a file via an AJAX action available to both unauthenticated and authenticated users, which could lead to Local File Inclusion PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Alpine PhotoTile for Pinterest <= 1.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
JoomSport < 5.2.6 - Admin+ SQLi
The plugin does not properly escape the orderby parameter before using it in multiple SQL statement, which could allow high privilege users to perform SQL injection...
MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF
The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example PoC As an admin:...
MaxButtons < 9.3 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Download Manager < 3.2.50 - Bypass IP Address Blocking Restriction
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based download blocking restrictions. PoC When downloading a file, add an X-Forwarded-For header that contains a random IP address to your request...
Stockists Manager for Woocommerce <= 1.0.2.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues...
GREYD.SUITE < 1.2.7 - Unauthenticated File Upload to RCE
The plugin does not properly validate uploaded custom font packages, and does not perform any authorization or csrf checks, allowing an unauthenticated attacker to upload arbitrary files including php source files, leading to possible remote code execution RCE. Version 1.2.5 added CSRF checks PoC...
Duplicate Page and Post Plugin < 2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Duplicate Post Suffix" or "Duplicate Link Text" settings: "...
Website File Changes Monitor < 1.8.3 - Admin+ SQLi
The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manageoptions capability by default admins, leading to an SQL injection PoC A user with manageoptions permission can exploit the vulnerability with the following request...
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any text field setting...
YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure
The plugin does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin PoC @author : 0xshdax Rafshanzani Suhada @usage : python3 script.py http://localhost import requests, sys, re, json Setup here url = sys.argv1 headers =...
Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues PoC All...
Header Footer Code Manager < 1.1.24 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=hfcm-list&'...
WP Meta SEO < 4.4.9 - Social Settings Update via CSRF
The plugin does not have CSRF check in place when updating its social settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Download Manager < 3.2.44 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/edit.php?posttype=wpdmpro=wpdm-stats=historyids=1&"...
Advanced Database Cleaner < 3.1.1 - Reflected Cross-Site Scripting
The plugin does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=advanceddbcleanertab=croncat=all&" Other pages are affected...
miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=mo2fatwofa"...
Pagebar < 2.70 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues PoC...
Gallery < 2.0.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue PoC...
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import
The plugin does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC - Make a test form and then export it to your system. - Edit the file and enter an XSS payload like "...
miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup PoC Enable 2FA + Website Security and...
WP Ultimate CSV Importer < 6.5.3 - Admin+ Blind SSRF
The plugin does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks PoC Put an internal/LAN URL such as below in the file upload by URL function https://127.0.0.1:8080...
Newsletter < 7.4.6 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitise the preheadertext setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed PoC Go to Newsletters of Newsletter at wordpress admin panel eg...
Google XML Sitemaps < 4.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Try ...
Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them PoC...