14602 matches found
301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51 PoC POST...
Envira Gallery Lite < 1.8.3.3 - Authenticated Stored Cross-Site Scripting
The plugin does not properly sanitise the images metadata namely title before outputting them in the generated gallery. This allows privileged accounts such as editor+ to perform XSS attacks even without the unfilteredhtml capability against users visiting the gallery in the frontend. PoC As an...
Age Gate < 2.13.5 - Unauthenticated Open Redirect
The plugin takes the wphttpreferer parameter to redirect users after some actions as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue PoC...
Import and export users and customers < 1.16.3.6 - CSV Injection
The plugin did not validate or sanitise user data, such as first and last names from the profile, leading to a CSV injection when the data is exported by an administrator...
weForms < 1.6.4 - CSV Injection
The plugin allows CSV injection via a form's entry...
Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation
This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution RCE on a vulnerable site’s server. PoC The following will create hello.php in the...
Autoptimize < 2.7.8 - Race Condition leading to RCE
The plugin attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It ...
WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure
The plugin does not protect the courses which could be accessed by unauthenticated users using the REST API /wp-jon/ endpoints. This could result in attackers accessing paying content without authorisation...
Cookiebot < 3.6.1 - CSRF & XSS
Antony Garand of Sucuri discovered that multiple WordPress plugins were vulnerable to Cross-Site Scripting XSS within the admin panel, which could be exploited by using s Cross-Site Request Forgery CSRF attack...
The Official WordPress Facebook Chat Plugin < 1.6 - Authenticated Options Change to Chat Takeover
This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. PoC Obtain PageID from a test Facebook Page found under page - about - pageID. Use...
TC Custom JavaScript < 1.2.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
A stored Cross-Site Scripting XSS vulnerability in the TC Custom JavaScript plugin for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the browser of...
Login/Signup Popup < 1.5 - Authenticated Stored Cross-Site Scripting (XSS)
A lack of capability checks and security nonce allows any authenticated user to inject, via the AJAX API, JavaScript code into the plugin’s settings and to use it to target the administrator in the backend of WordPress. The vulnerability has been exploited for a couple of days...
Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload
According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog. Chloe Chamberland from Wordfence also confirmed the issue and added that "This vulnerability is being used in conjunction wi...
Media Library Assistant < 2.82 - Authenticated RCE
Remote Code Execution can occur via the taxquery, metaquery, and datequery parameter of the mlagallery shortcode...
WPJobBoard < 5.6.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
"An attacker can submit malicious javascript code persistent XSS on some fields of 'add job' form in frontend. Then, when an admin want to edit or delete this job in control page, the malicious payload will be executed." Edit WPScanTeam February 26th, 2020 - Vendor contacted via their page...
GDPR Cookie Consent < 1.8.3 - Improper Access Controls
Improper Access Controls issue in the clipolicygenerator AJAX call which could allow an authenticated user with low privileges such as a subscriber to: - Change the status of any post/page from published to draft, removing them from the frontend of the blog. - Put a payload in the content of one...
Registration Magic < 4.6.0.3 - Multiple Cross-Site Scripting (XSS)
The plugin is affected by an unauthenticated Stored XSS on the Contact Form which could allow attacks against administrators viewing the submissions. As well as multiple reflected XSS...
Chatbot with IBM Watson < 0.8.21 - DOM Cross-Site Scripting (XSS)
Note: The issue could be qualified of Self-XSS...
WP Database Reset < 3.15 - Unauthenticated Database Reset
This flaw "allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state." PoC URL/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code;=11111&db-reset-code-confirm;=11111 Where you can set db-reset-tables%5B%5D to any database table y...
InfiniteWP Client < 1.9.4.5 - Authentication Bypass
As per agreement between the researcher and developer, details will be released on January 14th. PoC It is possible to login as any administrator on the site due to logical mistakes in the code. The issue resides in the function iwpmmbsetrequest which is located in the init.php file. This checks ...
Anti-Spam by CleanTalk < 5.127.4 - Cross-Site Scripting Issue
The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin was affected by a Cross-Site Scripting Issue security vulnerability...
WooCommerce Product Feed for Google, Facebook, eBay and Many More < 3.1.15 - Authenticated Reflected XSS
The WooCommerce Product Feed for Google, Bing, eBay and Many More WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability...
HandL UTM Grabber < 2.6.5 - Authenticated Option Change via CSRF
The HandL UTM Grabber / Tracker WordPress plugin was affected by an Authenticated Option Change via CSRF security vulnerability...
Give <= 2.5.0 - SQL Injection
A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php or...
ND Booking < 2.5 - Unauthenticated Options Change
The Hotel Booking WordPress plugin was affected by an Unauthenticated Options Change security vulnerability...
Adaptive Images for WordPress <= 0.6.66 - Local File Inclusion & Deletion
The Adaptive Images for WordPress WordPress plugin was affected by a Local File Inclusion & Deletion security vulnerability...
OneSignal Web Push Notifications - Stored XSS
The OneSignal – Web Push Notifications WordPress plugin was affected by a Stored XSS security vulnerability...
Ad Inserter <= 2.4.19 - Authenticated Path Traversal
Edit WPScanTeam: Even though the original advisory mentions that it only affect accounts with the administrator privilege, subscriber accounts and above can exploit the issue, as the nonce can be retrieved when submitting a request with a specific cookie, as described at...
Appointment Booking Calendar < 1.3.19 - Unauthenticated Stored XSS
Lack of authorisation check in the cpabcappointmentssaveedition function can lead to stored XSS via the editionarea parameter when cfwppedit is set to 'js' or 'css' PoC The payload will be triggered in all pages with a booking form...
Easy Forms for Mailchimp < 6.5.3 - Code Injection
The Easy Forms for Mailchimp WordPress plugin was affected by a Code Injection security vulnerability...
Admin Renamer Extender <= 3.2.1 - CSRF
CSRF leading to arbitrary username change...
Insert or Embed Articulate Content into WordPress <= 4.2998 - Authenticated RCE
Original issue fixed in 4.2998. However, it was also be possible to upload via articulateuploadajaxfile AJAX method which was lacking authorisation checks and has been fixed in 4.2999...
WP Booking System <= 1.5.1.1 - CSRF to Authenticated SQL Injection
According to the original researcher, no CSRF nonces were present and therefore could be exploited by chaining with the CSRF issue...
WP Live Chat Support Pro - File Upload Bypass
Note: The free and pro version have been merged in WP Live Chat Support 8.0.27...
Carts Guru <= 1.4.4 - Unauthenticated Object Injection
The Carts Guru WordPress plugin was affected by an Unauthenticated Object Injection security vulnerability...
WooCommerce Checkout Manager <= 4.2.6 - Arbitrary File Upload
The Checkout Manager for WooCommerce WordPress plugin was affected by an Arbitrary File Upload security vulnerability...
JobCareer < 2.5.1 - Authenticated Stored Cross-Site Scripting
Bad input fields data filtering has been discovered in the 'JobCareer | Job Board Responsive WordPress Theme'. PoC http://jobcareer.chimpgroup.com/candidate/asdasdasdasdasd/ Register a new account on the demo website: http://jobcareer.chimpgroup.com/ , then go to the «Resume» profile tab:...
CarSpot Theme <= 2.1.6 - Authenticated Stored XSS
Bad input field data filtering has been discovered in the 'CarSpot – Automotive Car Dealer Wordpress Classified Theme'. Current version of this Premium Theme is 2.1.5. PoC Authorize on the demo website for tests: https://carspot.scriptsbundle.com/, login is [email protected] and passow...
Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)
In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch can use to sort categories with order by a function which will be used as ?orderby=title,publishdate . By adding parameter " and add any XSS payload , the xss payload will execute. To...
WooCommerce <= 3.5.4 - Stored Cross-Site Scripting (XSS)
Security - Improved escaping for Photoswipe captions. Security - Improved escaping for JSON attributes and structured data...
NextScripts: Social Networks Auto-Poster < 4.2.8 - Authenticated Reflected Cross-Site Scripting (XSS)
The NextScripts: Social Networks Auto-Poster WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS security vulnerability...
MapSVG Lite <= 3.2.3 - Cross-Site Request Forgery (CSRF)
CSRF in the mapsvgsave AJAX method PoC...
WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
Description According to WordPress: "Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability."...
JobCareer < 2.4.1 - User enumeration & Reset password
The theme used a vulnerable version of the WP-jobhunt plugin affected by the issues below: CVE-2018-19487: The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the csemployerajaxprofile function through the admin-ajax.php file, which allows remote...
Master Slider <= 3.7.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise the slider name when creating or editing a slider, leading to an Authenticated editor+ Stored Cross-Site Scripting issue which will be triggered in the Slider table /wp-admin/admin.php?page=master-slider. Edit WPScanTeam: - The original report was from 2018,...
Multi Step Form <= 1.2.5 - Cross-Site Scripting (XSS)
The Multi Step Form WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Support Board - Chat And Help Desk | Support & Chat <= 1.2.3 - XSS
The supportboard WordPress plugin was affected by a Chat And Help Desk | Support & Chat = 1.2.3 - XSS security vulnerability...
Localize My Post 1.0 - Unauthenticated Local File Inclusion (LFI)
The localize-my-post WordPress plugin was affected by an Unauthenticated Local File Inclusion LFI security vulnerability. PoC http://www.example.com/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd...
JS Support Ticket < 2.0.6 - CSRF
The JS Help Desk – Best Help Desk & Support Plugin WordPress plugin was affected by a CSRF security vulnerability...
CF7 Invisible reCaptcha <= 1.3.1 - XSS
The CF7 Invisible reCAPTCHA WordPress plugin was affected by a XSS security vulnerability...