14602 matches found
WD Instagram Feed <= 1.3.0 - XSS
The 10Web Social Photo Feed WordPress plugin was affected by a XSS security vulnerability...
Relevanssi <= 4.0.4 - Cross-Site Scripting (XSS)
The Relevanssi – A Better Search WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Ultimate Member <= 2.0 - Multiple XSS
The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin was affected by a Multiple XSS security vulnerability...
Bookly #1 WordPress Booking Plugin (Lite) <= 13.2 – Unauthenticated Blind Stored XSS
An unauthenticated user can inject arbitrary persistent javascript code in the admin panel via Bookly plug-in...
Email Subscribers & Newsletters < 3.4.8 - Unauthenticated Subscriber Download
The Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress Plugin WordPress plugin was affected by an Unauthenticated Subscriber Download security vulnerability. PoC POST /?es=export ... option=viewallsubscribers...
Pinterest Feed <= 1.1.1 - Authenticated XSS & CSRF
The Weblizar Pin Feeds WordPress plugin was affected by an Authenticated XSS & CSRF security vulnerability...
Testimonial Slider <= 1.2.4 - Authenticated SQL Injection
During the security analysis, ThunderScan discovered SQL injection vulnerability in Testimonial Slider WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin...
Smart Marketing SMS and Newsletters Forms <= 1.1.1 - Unauthenticated Cross-Site Scripting (XSS)
The Smart Marketing SMS and Newsletters Forms WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. PoC POST /wordpress/wp-content/plugins/smart-marketing-for-wp/admin/partials/custom/egoi-for-wp-formegoi.php HTTP/1.1 Host: 127.0.0.1 Content-Type:...
Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)
Author: OmarK The vulnerability lies in the "accesstoken" parameter and can cause reflected XSS vulnerability. The issue is on the file ultimate-instagram-feed/admin/partials/uif-access-token-display.php line 19: the vulnerable code is the following: echo $GET'accesstoken'; There is an echo of th...
Qards - Stored Cross-Site Scripting (XSS)
Google Dork: inurl:"plugins/qards" Qards provides you easy option to drag and edit every part and element of your site in the front-end, you will never have to write any code to change the layout or to change any part of the site like the traditional WordPress way. PoC The vulnerable script...
Insert Pages < 3.2.4 - Directory Traversal
The Insert Pages WordPress plugin was affected by a Directory Traversal security vulnerability...
Content Audit <= 1.9.1 - Cross-Site Scripting (XSS) & CSRF
The Content Audit WordPress plugin was affected by a Cross-Site Scripting XSS & CSRF security vulnerability...
Smush Image Compression and Optimization <= 2.7.5 - File Transversal
The Smush – Lazy Load Images, Optimize & Compress Images WordPress plugin was affected by a File Transversal security vulnerability...
WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Description Due bad solution of the database abstraction library WordPress exposes itself towards SQL Injection and validation bypass. Beside WordPress itself this issue have huge impact towards complete WP ecosystem. Up to WordPress 4.8.1 is vulnerable, but this time attack is dependent from...
Participants Database <= 1.7.5.9 - Cross-Site Scripting
Cross site scripting XSS vulnerability in the Wordpress Participants Database plugin 1.7.59 allows attackers to inject arbitrary javascript via the Name parameter. PoC curl -k -F action=signup -F subsource=participants-database -F shortcodepage=/?pageid=1 -F thankspage=/?pageid=1 -F instanceindex...
WPJobBoard <= 4.5.1 - Multiple Cross-Site Scripting (XSS)
The wpjobboard WordPress plugin was affected by Multiple XSS issues...
Loginizer <= 1.3.5 - Cross-Site Request Forgery (CSRF)
Due to insufficient security checks an attacker can remove blacklisted and whitelisted IP:s from the plugin using CSRF...
Weblibrarian < 3.4.8.5 - XSS
The WebLibrarian WordPress plugin was affected by a XSS security vulnerability...
Spiffy Calendar <= 3.2.0 - Reflected Cross-Site Scripting (XSS)
The Spiffy Calendar WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
Surveys 1.01.8 - Authenticated SQL Injection
The surveys WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...
Easy WP Smtp < 1.2.5 - XSS
The Easy WP SMTP WordPress plugin was affected by a XSS security vulnerability...
Invite Anyone < 1.3.16 - Multiple Issues
The Invite Anyone WordPress plugin was affected by a Multiple Issues security vulnerability...
WP SlimStat <= 3.5.5 - Overview URI Stored XSS
The Slimstat Analytics WordPress plugin was affected by an Overview URI Stored XSS security vulnerability...
WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
...
Kama Click Counter < 3.5.0 - XSS
The Kama Click Counter WordPress plugin was affected by a XSS security vulnerability...
Raygun4WP <= 1.8.0 - Unauthenticated Reflected XSS
The Raygun4WP WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/raygun4wp/sendtesterror.php?backurl="...
FormBuilder <= 1.0.7 - Cross-Site Request Forgery (CSRF)
The FormBuilder WordPress plugin was affected by a Cross-Site Request Forgery CSRF security vulnerability...
WooCommerce <= 2.6.8 - Authenticated Tax-Rate CSV XSS
The WooCommerce WordPress plugin was affected by an Authenticated Tax-Rate CSV XSS security vulnerability...
Vospari Forms <= 1.3 - Cross-Site Scripting (XSS)
The Vospari Forms WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
CampTix Event Ticketing <= 1.4.2 - CSV Injection and XSS
The CampTix Event Ticketing WordPress plugin was affected by a CSV Injection and XSS security vulnerability...
WP Database Backup < 4.3.1 - CSRF & XSS
The WP Database Backup WordPress plugin was affected by a CSRF & XSS security vulnerability...
Sermon Browser < 0.45.16 - Multiple XSS
The Sermon Browser WordPress plugin was affected by a Multiple XSS security vulnerability...
New Year Firework <= 1.1.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The new-year-firework WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/new-year-firework/firework/index.php?text=""...
Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The tidio-gallery WordPress plugin was affected by a Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=""...
WP Customer Reviews < 3.0.9 - CSRF & XSS
The WP Customer Reviews WordPress plugin was affected by a CSRF & XSS security vulnerability...
Anti-Malware Security & Brute-Force Firewall <= 4.15.42 - XSS & CSRF
The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by a XSS & CSRF security vulnerability. PoC XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified. While I scan a site with that plugin , i had a file '".png and it was skippped , but result...
Ocim MP3 Plugin - Unauthenticated Reflected Cross-Site Scripting (XSS)
Credits to : Soufiane Boussali PoC http://www.example.com/wp-content/plugins/ocim-mp3/source/pages.php?id=XSSPayload...
OptionTree <= 2.5.5 - Authenticated Cross-Site Scripting (XSS)
The OptionTree WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
Users Ultra Membership Plugin <= 1.5.62 - Authenticated Stored Cross-Site Scripting (XSS) & CSRF
Both pname and pdesc are vulnerable. No nonce on form so also vulnerable to CSRF. Original researcher's PoC does not work as all parameters are needed to be submitted not just the pname parameter...
Websimon Tables <= 1.3.4 - Authenticated Reflected Cross-Site Scripting (XSS)
The websimon-tables WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS security vulnerability...
WordPress File Upload <= 3.4.0 - Unauthenticated Malicious File Upload
The WordPress plugin wp-file-upload does not adequately check the filetype before allowing it to be uploaded. It also uploaded files with execute permissions, allowing malicious payloads to be uploaded. PoC 1. Install wp-file-upload on a WordPress site and activate it. 2. Create an upload form on...
wp-championship <= 5.8 - Authenticated Blind SQL Injection
The wp-championship WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability. PoC $ sqlmap -u 'http://www.example.com/wp-admin/wp-championship/csadminusers.php=' --data="isadmin=1" --cookie=AUTHCOOKIEHERE --level=5 --risk=3...
Support Ticket System <= 1.2 - Unauthenticated SQL Injection
The Support Ticket System WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability...
Easy2Map <= 1.2.9 - Local File Inclusion
The Easy2Map WordPress plugin was affected by a Local File Inclusion security vulnerability...
mTheme Unus < 2.3 - Directory Traversal
The mTheme-Unus WordPress theme was affected by a Directory Traversal security vulnerability...
xPinner Lite <= 2.2 - Cross-Site Scripting (XSS) & CSRF
The xpinner-lite WordPress plugin was affected by a Cross-Site Scripting XSS & CSRF security vulnerability...
MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI)
Plugin is still affected and has been closed. Typical local file inclusion vulnerability: from downloadpage.php: I've tried to get RCE but didn't have success reading from /proc/self/environ or /var/log/apache2/access.log include: Failed opening '/proc/self/environ' for inclusion...
Manual Image Crop <= 1.10 - Authenticated Reflected Cross-Site Scripting (XSS)
The Manual Image Crop WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS security vulnerability...
Dynamic Widgets <= 1.5.10 - Authenticated Cross-Site Scripting (XSS) & CSRF
The Dynamic Widgets WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS & CSRF security vulnerability...
Monetize <= 1.03 - Cross-Site Scripting (XSS) & CSRF
The monetize WordPress plugin was affected by a Cross-Site Scripting XSS & CSRF security vulnerability...