14602 matches found
Newsletter < 7.4.5 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the $SERVER'REQUESTURI' before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below. PoC...
KiviCare < 2.3.9 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajaxpost AJAX action with the getdoctordetails route, leading to SQL Injections exploitable by unauthenticated users PoC With at least one doctor created via the plugin: v 2.3.4 curl...
Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users PoC...
Code Snippets Extended <= 1.4.7 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF in place when creating/editing snippets, as well as is lacking sanitisation and escaping in some fields, which could allow attackers to make a logged in admin create/edit arbitrary snippets and place XSS payloads in them...
Herd Effects < 5.2.1 - Admin+ LFI
The plugin does not properly validate the current tab used before generating a path and using it in an include statement, which could lead to LFI...
FiboSearch < 1.18.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Put the following payload in the Woocommerce FiboSearch Autocomplete Products - "N...
Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF
The plugin does not have CSRF checks in place when deleting comments either all, spam, or pending, allowing attackers to make a logged in admin delete comments via a CSRF attack PoC To delete all comments...
WordPress Forms by Pie Forms < 1.4.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Create/edit a form, go to the Form Settings - General Settings and put the following payload in the...
Quotes llama < 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. The attack could also be performed by tricking an admin to import a malicious CSV file PoC Create/edit a quote and p...
amtyThumb <= 4.2.0 - Subscriber+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user and not just Author+ like the original advisory mention due to the fact that they can execute shortcodes via an AJAX...
Disable Right Click For WP <= 1.1.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Nirweb support < 2.8.2 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an SQL injection PoC curl https://example.com/wp-admin/admin-ajax.php --data 'action=answerdticketform=1 UNION ALL SELECT NULL,NULL,SELECT...
Psychological tests & quizzes <= 0.21.19 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings available to users with a role as low as contributor, allowing them to perform Cross-Site Scripting attacks...
WP-Invoice <= 4.3.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them PoC...
WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting
The plugin adds a subtitle field and provides a shortcode to display it via wpsubtitle. The subtitle is stored as a custom post meta with the key: "wpssubtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button via AJAX ...
VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ PHP File Upload
The plugin does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code PoC Edit/add a Characteristics /wp-admin/admin.php?option=comvikbooking=carat and upload a fake GIF with PHP code in it as a...
Advanced Contact form 7 DB <= 1.8.7 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape a parameter from its form, which could lead to an unauthenticated Stored Cross-Site Scripting issue...
BMI BMR Calculator <= 1.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting PoC...
VikBooking Hotel Booking Engine & PMS < 1.5.4 - Booking Data Disclosure
The plugin has guessable booking IDs, which could allow attackers to retrieve booking data via an IDOR in the search request...
VikBooking Hotel Booking Engine & PMS < 1.5.4 - Unauthenticated Arbitrary File Upload
The plugin does not properly validate the signature file uploaded via its booking form, which could allow unauthenticated attacker to upload arbitrary files...
KB Support <= 1.5.5 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape multiple parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
WP Social Buttons <= 2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Delay Time General Settings or Top Margin Advanced Settings of the...
All In One WP Security < 4.4.11 - Authenticated Arbitrary Redirect / Reflected XSS
The plugin does not validate, sanitise and escape the redirectto parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of...
Import WP < 2.4.6 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files such as PHP, leading to RCE PoC Import a PHP file via an URL Tools Import WP Add Importer put any name, and post template Create Importer Remote File select any file...
Cab fare calculator < 1.0.4 - Unauthenticated LFI
The plugin does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues. Despite what the original advisory claims, the issue is not exploitable by accessing the file directly as a fatal error is triggered before the vulnerable...
Use Any Font < 6.2.1 - API Key Deactivation via CSRF
The plugin does not have CSRF check in place when deactivating its API key, which could allow attackers to make a logged in admin perform such action via a CSRF attack...
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover
The plugin injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flocustomtableprefix cookie to an arbitrary value. PoC On any website where flo-launch is active create cookie "flocustomtableprefix" with any string value t...
5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi
Description The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using...
Favicon by RealFaviconGenerator < 1.3.23 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the jsonresulturl parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue PoC...
Sassy Social Share < 3.3.40 - Reflected Cross-Site Scripting
The plugin does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled which is the default setting, leading to a Reflected Cross-Site Scripting issue. Note: Vendor was notified on September 14th, 2021. PoC...
Plezi < 1.0.3 - Unauthenticated Stored XSS
The plugin has a REST endpoint allowing unauthenticated users to update the plzconfigurationtrackerenable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue PoC curl -X POST...
Photoswipe Masonry Gallery < 1.2.15 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF when updating its gallery settings via the update function hooked to adminmenu, allowing any authenticated users, such as subscriber to update them and set Cross-Site Scripting payloads in them due to the lack of sanitisation and escaping...
GD Mylist <= 1.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any of the text field settings of the plugin such as Add to Myli...
Profile Builder < 3.6.2 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the siteurl parameter before outputting it back in an href attribute, leading to a Reflected Cross-Site Scripting issue PoC...
Spiffy Calendar < 4.9.1 - Arbitrary Event Deletion via CSRF
The plugin does not have CSRF check in place when deleting events, allowing attacker to make a logged in admin delete arbitrary events via a CSRF attack...
Ditty (formerly Ditty News Ticker) < 3.0.15 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting XSS vulnerability. PoC http://127.0.0.1:8001/wp-admin/edit.php?posttype=ditty=dittysettings=%22%3E%3Cimg+src+onerror%3Dalert%281%29%3E...
AdRotate < 5.8.22 - Admin+ SQL Injection
The plugin does not sanitise and escape the adrotateaction before using it in a SQL statement via the adrotaterequestaction function available to admins, leading to a SQL injection PoC Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for...
Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI
The plugin does not validate the data passed to its load shortcode, which could allow Contributor+ v 4.0.1 or Admin+ v 4.0.2 users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion attacks as PHP files will be executed. Please note...
Cost Calculator <= 1.8 - Authenticated Local File Inclusion
The plugin allows authenticated users Contributor+ in versions 1.5, and Admin+ in versions = 1.8 to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout PoC As a contributor, create a Cost Calculator post, set the Layout to...
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues PoC The XSS will be triggered anywhere in the backe...
Crazy Bone <= 0.6.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the username submitted via the login from when displaying them back in the log dashboard, leading to an unauthenticated Stored Cross-Site scripting PoC curl 'https://example.com/wp-login.php' --data-raw 'log=a=x&wp-submit;=Log+In' The XSS will be trigged in...
WP Google Map < 1.8.4 - Arbitrary Post Deletion and Plugin's Settings Update via CSRF
The plugin does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack PoC Removing post: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
WooCommerce – Store Exporter < 2.7.1 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a Reflected Cross-Site Scripting XSS vulnerability in the wooce admin page. PoC http://127.0.0.1:8001/wp-admin/admin.php?page=wooce=1=%3Cscript%3Ealert1;%3C/script%3E...
IP2Location Country Blocker < 2.26.5 - Ban Bypass
The plugin bans can be bypassed by using a specific parameter in the URL PoC https://example.com/?admin-ajax=hehe...
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue PoC Note: the ticket-creation page is the one with the wpsccreateticket shortcode embed...
Document Embedder < 1.7.5 - Unauthenticated Arbitrary Private/Draft Post Title Disclosure
The plugin contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. PoC https://example.com/wp-json/doc/v1/single/509 509 being the ID of a private/draft Post...
SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC With the Advanced Mode enabled, put the following payload in...
Spreadsheet Integration < 3.6.0 - CSRF Bypass
The plugin does not properly check for CSRF in its wpgsiWorksheetColumnsTitle function, by making a request without the nonce parameter. This could allow attacker to make logged in admins call it...
Product Feed PRO for WooCommerce < 11.0.7 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue which will be triggered in the admin dashboard due to the lack of escaping. v10.9.1 added a CSRF check, however...
Five Star Restaurant Reservations < 2.4.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have capability and CSRF checks in the rtbwelcomesetschedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins PoC A...