14602 matches found
WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS
The plugin, used by the WorkScout Theme did not sanitise the chat messages sent via the workscoutsendmessagechat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues PoC Payloads: " POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
Knight Lab Timeline < 3.7.0.0 - Outdated TimelineJS library could Lead to Stored XSS
The plugin used the TimelineJS library 3.7.0 which is affected by a stored Cross-Site Scripting issues if an attacker has write privileges on the source data used for the timeline which is stored on Google Sheets or in a JSON configuration file...
WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
Description Authenticated users with the capability to upload files could upload files with specially crafted names containing utf8 characters to execute JavaScript when later viewed...
Elementor Page Builder < 2.8.5 - Authenticated Reflected XSS
The Elementor Website Builder WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. PoC /wp-admin/admin.php?page=elementor-system-info%22%3e%3cscript%0csrc%3d//0x7f000001%3e%3c/script%3e=1...
Email Before Download < 4.0 - SQL Injection
Email Before Download https://wordpress.org/plugins/email-before-download/ before version 4.0 was vulnerable to several SQL injections. An SQL escaping function was used but the escaped value was not between quotes so the attack payload does not have to use quotes and thus no escaping is done...
WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Description Attacker may be able to set the 'From' email header in password reset emails. PoC curl -H "Host: www.evil.com" --data "userlogin=adminto=&wp-submit;=Get+New+Password" http://example.com/wp-login.php?action=lostpassword...
WordPress 4.5.3 - Authenticated Denial of Service (DoS)
...
WordPress 3.6 - 3.9.1 XXE in GetID3 Library
...
WordPress <= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass
...
Max Mega Menu < 3.3.1 - Missing Authorization
Description The Max Mega Menu plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sandbox function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger the...
Click to Chat – HoliThemes < 4.0 - Contributor+ LFI
Description The plugin is vulnerable to Local File Inclusion, allowing authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensiti...
Better Search Replace < 1.4.5 - Unauthenticated PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed...
WPS Hide Login < 1.9.12 - Hidden Login Page Location Disclosure
Description The plugin is vulnerable to login page disclosure in all versions up to, and including, 1.9.11. This makes it possible for unauthenticated attackers to bypass an intended security restriction designed to prevent brute force authentication attempts on multi-site installations...
WP User Frontend < 3.6.6 - Authenticated (Author+) Privilege Escalation
Description The WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.6.5. This is due to the plugin not providing...
AI Contact Us Form <= 1.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Media Library Assistant < 3.01 - Unauthenticated Error Log Access
The plugin does not have authorisation in place, which could allow unauthenticated attackers to access its error log if they can guess or brute force the filename...
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via AJAX actions available to unauthenticated users, leading to SQL Injections PoC order and columns parameters are affected curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Xorbin Analog Flash Clock 1.0 - Flash-based XSS
The Xorbin Analog Flash Clock WordPress plugin was affected by a Flash-based XSS security vulnerability...
Post Views Counter < 1.4.5 - Cross-Site Request Forgery via save_bulk_post_views()
Description The plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the savebulkpostviews function. This makes it possible for unauthenticated attackers to save bulk post views via a forged request...
LearnPress < 4.2.5.8 - Unauthenticated SQLi
Description The plugin does not properly sanitise and escape the orderby parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
WooCommerce Login Redirect <= 2.2.4 - Cross-Site Request Forgery
Description The WooCommerce Login Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.4. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this...
WP 6.4-6.4.1 - POP Chain
Description WP 6.4 introduced a PHP gadget chain. While the issue is not directly exploitable, it could be used along with a PHP unserialization for example in a plugin or theme installed on the blog to achieve RCE...
OoohBoi Steroids for Elementor < 2.1.5 - Subscriber+ Attachment Deletion
The plugin has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. PoC Exploit 1 attachment id delete: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', , body...
Multiple Page Generator Plugin - MPG < 3.3.10 - Multiple CSRF
The plugin does not have CSRF checks in some places for example when delving projects, toggling cache etc, which could allow attackers to make logged in admins perform unwanted actions via CSRF attacks...
Jeg Elementor Kit < 2.5.7 - Subscriber+ Authorization Bypass
The plugin does not properly authorize requests to various ajax actions, allowing authenticated users with roles as low as subscriber to create header templates and make additional changes to the site using an easily available nonce value...
Simple Banner < 2.12.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings proversionactivationcode settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
OAuth Single Sign On < 6.22.6 - Authentication Bypass
The plugin doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address. PoC POST / HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
2Way VideoCalls and Random Chat < 5.2.8 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the vwsnotice AJAX action found in the /inc/requirements.php file which allows attackers to inject arbitrary web scripts...
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
The plugin was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user including admin by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even ...
WordPress < 5.5.2 - Hardening Deserialization Requests
Description The release notes state: "Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests." This vulnerability affected the third-party "Requests for PHP" library used by WordPress...
WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
Description According to WordPress: "Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability."...
WordPress <= 4.4.2 - Reflected XSS in Network Settings
...
Salient Core < 2.0.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Description The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectaricon' shortcode 'iconlinea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include an...
Forminator < 1.29.3 - Admin+ SQL Injection
Description The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.29.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation...
PageLayer < 1.8.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Enter the following payload in...
Spiffy Calendar < 4.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Spiffy Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to 4.9.6 exclusive due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
MainWP < 4.4.3.4 - Authenticated (Administrator+) SQL Injection
Description The MainWP plugin for WordPress is vulnerable to SQL Injection via the 'tags' parameter in versions up to, and including, 4.4.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
User Registration < 3.0.2.1 - Subscriber+ Arbitrary File Upload Leading to RCE
The plugin does not validate the file types, and uses a hardcoded encryption key during the profile picture upload process. Authenticated users with minimal permissions, such as a subscriber, can thus upload arbitrary files, potentially leading to remote code execution...
Hummingbird < 3.4.2 - Unauthenticated Path Traversal
The plugin does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module. This allows an attacker to: - Enumerate file system directories where the user who starts the web server process has write access. -...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
The plugin does not limit what log files to display in it's settings pages, allowing an authorized user admin+ to view the contents of arbitrary files and list directories anywhere on the server to which the web server has access. The plugin only displays the last 50 lines of the file. PoC POST...
PB SEO Friendly Images <= 4.0.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
All in One SEO Pack < 4.3.0 - Admin+ Stored XSS
The plugin does not sanitise and escape multiple parameters, which could allow high privilege users such as admin to perform Stored XSS attacks even when unfilteredhtml is disallowed...
Gallery PhotoBlocks <= 1.2.6 - Authenticated Stored XSS
The plugin does not sanitise and escape some parameters, which could allow low privileged users to perform Stored Cross-Site Scripting attacks...
Directorist < 7.3.1 - Unauthenticated Email Address Disclosure
The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users PoC https://example.com/wp-admin/admin-ajax.php?action=directoristauthorpagination...
Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Catch Themes Demo Import < 1.8 - Admin+ Arbitrary File Upload
The plugin is vulnerable to arbitrary file uploads via the import functionality found in the /inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload maliciou...
DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download
The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the dzsapdownload action using directory traversal in the link parameter...
Easy WP SMTP < 1.4.3 - Debug Log Disclosure
The plugin has an optional debug log file generated with a random name, located in the plugin folder and which contains all email messages sent. However, this folder does not have any index page, allowing access to log file on servers with the directory listing enabled or misconfigured. This coul...
Dynamic Content for Elementor < 1.9.6 - Authenticated RCE
The PHP Raw Widget https://www.dynamic.ooo/widget/php-raw/ of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com...