14602 matches found
Gallery Blocks with Lightbox < 2.2.1- Authenticated Stored Cross-Site Scripting
A stored cross-site scripting vulnerability has been discovered in : Simply Gallery Blocks with Lightbox Version – 2.2.0 & below . The vulnerability exists in the Lightbox functionality where a user with low privileges is allowed to execute arbitrary script code within the context of the...
Post Views Counter < 1.3.5 - Authenticated Stored XSS
The plugin does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfilteredhtml capability is disallowed PoC Put the following payload in the Post Views Label settings of the plugin...
The Sorter <= 1.0 - Authenticated SQL Injection
The checkorder function of the plugin uses an areaid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. PoC GET /wp-admin/admin.php?page=thesorterareasid=1%20AND%20SELECT%207667%20FROM%20SELECTSLEEP5DWBj HTTP/1.1 Cache-Control:...
Email Artillery <= 4.1 - Arbitrary File Upload
The plugin does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denyin...
Language Bar Flags <= 1.0.8 - CSRF to Stored XSS
The plugin does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in t...
Multiplayer Games <= 3.7 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /multiplayergames.php file which allows attackers to inject arbitrary web scripts...
Plugmatter Pricing Table Lite <= 1.0.32 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the email parameter in the /license.php file which allows attackers to inject arbitrary web scripts...
Securimage-WP-Fixed <= 3.5.4 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting issue due to the use of $SERVER'PHPSELF' in the /securimage-wp.php file which allows attackers to inject arbitrary web scripts PoC https://example.com/wp-admin/options-general.php/"/script%3E?page=securimage-wp-options%2F...
Per Page Add to Head < 1.4.4 - CSRF to Stored XSS
The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting feature mentioned by the plugin, this could lead to Stored XSS issue which will b...
Book appointment Online < 1.39 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC In the admin dashboard navigate to Services Add service and put the...
AddToAny < 1.7.46 - Authenticated Stored XSS
The plugin does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the Sharing Header setting of th...
WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Authenticated Directory Traversal in WordPress Download Manager Add New. Name the post, and intercept the request when you Submit for Review no file needs to be uploaded. In the filepagetemplate parameter, swap out page-template-1col-flat.php for “\\../../../../../wp-config.php” Then preview the...
uListing < 2.0.6 - Unauthenticated Privilege Escalation
An Unauthenticated Privilege Escalation vulnerability was discovered in the uListing plugin through v2.0.5 for WordPress. User registration must be allowed on the target website. PoC PoC | Unauthenticated Privilege Escalation | Request: POST /wp-admin/admin-ajax.php?action=stmlistingregister HTTP...
GiveWP < 2.12.0 - Authenticated Stored XSS
The plugin did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. PoC Put the following payload in any Donation Level Text field of a Donation Form ie...
GTranslate < 2.8.65 - Reflected Cross-Site Scripting (XSS)
In the Pro and Enterprise versions of GTranslate 2.8.65, the gtranslaterequesturivar function runs at the top of all pages and echoes out the contents of $SERVER'REQUESTURI'. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable ...
Vik Rent Car < 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue PoC Add or Edit a Characteristic...
Workreap < 2.2.2 - Missing Authorization Checks in Ajax Actions
The theme had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site. PoC log in as arbitrary...
Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection
The hndtstactioninstancecallback AJAX call of the plugin, available to any authenticated users, does not sanitise, validate or escape the hndtstpreviewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. PoC curl -i -s -k -X $'POST' \ -H...
Poll Maker < 3.2.1 - Authenticated Blind SQL Injections
The getpollcategories, getpolls and getreports functions in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard PoC SQLMAP: python sqlmap.py -r r.txt -p order...
Photo Gallery by Ays - Responsive Image Gallery < 4.4.4 - Authenticated Blind SQL Injections
The getgallerycategories and getgalleries functions in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard PoC SQLMAP: python sqlmap.py -r r.txt -p orderby...
RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
The Import feature of the plugin /wp-admin/tools.php?page=rsvpmakerexportscreen takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack. PoC Go to the...
Event Geek <= 2.5.2 - Stored Cross-site Scripting (XSS)
The plugin does not sanitise or escape its "Use your own theme" setting before outputting it in the page, leading to an authenticated admin+ stored Cross-Site Scripting issue PoC As admin, put the following payload in the "Use your own theme enter URL:" option...
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
The plugin was affected by an IDOR issue, allowing users with the uploadimage capability by default author and above to change and delete the profile pictures of other users including those with higher roles. PoC Use a proxy such as Burp Suite to capture the request made when change your own...
WP Image Zoom < 1.47 - Local File Inclusion
The plugin did not validate its tab parameter before using it in the includeonce function, leading to a local file inclusion issue in the admin dashboard PoC PoC: https://example.com/wp-admin/admin.php?page=zoooomsettings=whatever This URL shows includeonce error, which indicates that the paramet...
Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting
The plugin is lacking any capability and CSRF check when saving it's settings, allowing any authenticated users such as subscriber to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in al...
WP Config File Editor <= 1.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
The WP Config File Editor WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS vulnerability. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesse...
Xllentech English Islamic Calendar < 2.6.8 - Authenticated SQL Injection
When deleting a date in the plugin, the yearnumber and monthnumber POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection. PoC POST /wp-admin/options-general.php?page=xllentechoptionstab4 HTTP/1.1 Content-Length: 220 Cache-Control:...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export
The exportdata function of the plugin had no capability or nonce checks making it possible for unauthenticated users to export a site's redirects. PoC curl -X POST --url "URL/wp-admin/admin-post.php?page=301options=true"...
FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection
The plugin does not sanitise, validate or escape various POST parameters before using them a SQL statement, leading to SQL injections exploitable by editor and administrator users PoC 1. to and from parameters Editor Level Tools - Flightlog - add a record POST...
LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR
The plugin was affected by an IDOR issue, allowing students to see other student answers and grades PoC - Add 2 users with Student role for the scenario . - Create A course With a quiz I picked True or Flase question for my quiz - Set Enrol on Free for the ease of scenario - Enrol into the...
Bello < 1.6.0 - Unauthenticated Blind SQL Injection
The theme did not sanitise the btbblistingfieldpricerangeto, btbblistingfieldnowopen, btbblistingfieldmylng, listinglistview and btbblistingfieldmylat parameters before using them in a SQL statement, leading to SQL Injection issues PoC -- Payload: $ -4034 OR 4877=4877 AND 2369=2369 -- PoC 1 |...
Bello < 1.6.0 - Unauthenticated Reflected XSS & XFS
The theme did not properly sanitise and escape its listinglistview, btbblistingfieldmylat, btbblistingfieldmylng, btbblistingfielddistancevalue, btbblistingfieldmylatdefault, btbblistingfieldkeyword, btbblistingfieldlocationautocomplete, btbblistingfieldpricerangefrom and...
ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to ma...
Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue PoC /wp-admin/admin.php?page=ultimate-maps-supsystic="onmouseover=alert1//...
Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue PoC /wp-admin/admin.php?page=contact-form-supsystic="onmouseover=alert1//...
Video Downloader for TikTok < 1.4 - Server Side Request Forgery (SSRF) & Local File Inclusion (LFI)
The plugin is vulnerable to SSRF or LFI attacks via the njt-tk-download-video parameter sent by the user not being properly sanitized before used in code...
Image Hover Effects - Elementor Addon < 1.3.4 - Contributor+ Stored XSS
The “Image Hover Effects – Elementor Addon” WordPress Plugin before 1.3.4 has a widget that is vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Image Hover Effects” widget accepts a "eihetag" parameter. Although the eleme...
JetWidgets For Elementor < 1.0.9 - Contributor+ Stored XSS
The “JetWidgets For Elementor” WordPress Plugin before 1.0.9 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Animated Box” widget accepts "titlehtmltag" and "subtitlehtmltag" parameters...
The Plus Addons for Elementor Page Builder Lite < 2.0.6 - Contributor+ Stored XSS
The “The Plus Addons for Elementor Page Builder Lite” WordPress Plugin before 2.0.6 has four widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Accordion” widget accepts a “titlehtmltag” parameter. Although...
Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS
The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Page Title” widget accepts a “headingtag” parameter. Although the...
Virtual Robots.txt < 1.10 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the content of the robots.txt, allowing high privilege users admin+ to use XSS payloads, which will be output back in the settings page of the plugin. PoC Put the following directive in the plugin settings "User Agents and Directives for this site" Disallow:...
Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
The EFBPverifyuploadfile AJAX action of the plugin, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE. PoC The PoC will be displayed once the issue has been remediated...
WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE
We noticed 0-day in the plugin https://woocommerce.com/products/woocommerce-help-scout/ being actively exploited. This vulnerability affects at least versions 2.6-2.8 current latest published version and allows unauthenticated users to upload any files to the site which by default will end up in...
Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct
The tutormarkanswerascorrect AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. PoC python3 sqlmap.py -r /tutortime.txt --dbms=mysql --technique=T -p answerid --dump Where tutortime.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...
Related Posts for WordPress < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)
Unvalidated input and lack of output encoding within the plugin lead to a Reflected Cross-Site Scripting XSS vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL. PoC /wp-admin/post.php?post=1=edit〈='...
User Profile Picture < 2.5.0 - Sensitive Information Disclosure
The REST API endpoint getusers in the plugin returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. PoC Usage: php poc.php auth...
Advanced Order Export For WooCommerce < 3.1.8 - Reflected Cross-Site Scripting (XSS)
This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. PoC wp-admin/admin.php?page=wc-order-export=alert/XSS/...
All In One WP Security & Firewall < 4.4.6 - Authenticated Cross-Site Scripting (XSS)
The plugin did not escape the banned user agents in its settings before output, which may allow administrators to enter malicious UA with XSS payloads under certain conditions. Note: We were not able to reproduce the issue...
Ultimate Maps by Supsystic < 1.1.17 - Authenticated SQL Injections
The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for maps in the dashboard, leading to an authenticated SQL Injection issues. PoC...
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request coul...