14602 matches found
WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
...
WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
Description A cross-site scripting XSS vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team...
Formidable Forms Pro <= 1.06.02 - ofc_upload_image.php Arbitrary File Upload
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress WordPress plugin was affected by an ofcuploadimage.php Arbitrary File Upload security vulnerability...
Forminator < 1.29.0 - Unauthenticated Arbitrary File Upload
Description The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.28.1. This makes it possible for unauthenticated attackers to upload arbitrary fil...
LayerSlider 7.9.11 - 7.10.0 - Unauthenticated SQL Injection
Description The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the lsgetpopupmarkup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
Matomo < 5.0.1 - Reflected Cross-Site Scripting via idsite
Description The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due to insufficient input sanitization and output escaping. This makes it possible for...
Happy Addons for Elementor < 3.10.2 - Missing Authorization via add_row_actions
Description The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the addrowactions function in versions up to, and including, 3.10.1. This makes it possible for authenticated attackers, with contributor-level access...
Disable User Login < 1.3.9 - User Login Toggle via CSRF
Description The plugin does not have CSRF check in its bulk action, which could allow attackers to make logged in admins enable and disable login for arbitrary users via a CSRF attack...
Very Simple Google Maps < 2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Very Simple Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vsgmap' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...
The Events Calendar < 6.2.8.1 - Unauthenticated Arbitrary Password Protected Post Read
Description The plugin discloses the content of password protected posts to unauthenticated users via a crafted request PoC Append "?view=single-event" to a password protected post, then view the source of the page and find the post content disclosed in...
ChatBot 4.8.6 - 4.9.6 - Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
Description The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to...
User Registration < 3.0.2.1 - Subscriber+ Arbitrary File Upload
The plugin uses a static encryption key and does not validate the file path when renaming profile pictures, which could allow any authenticated users, such as subscriber, to upload arbitrary files such as PHP on the server...
Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API
The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. PoC curl --json ' "media": "tmpname": "/WPCONTENTPATH/wp-config.php"...
Greenshift – animation and page builder blocks < 4.8.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Exploit shortcode: wpreusablerender id='2' ajax='true' height='100px;width:100px;background:red;"...
Simple Job Board < 2.10.0 - Resume Disclosure via Directory Listing
The plugin is susceptible to Directory Listing which allows the public listing of uploaded resumes in certain configurations. PoC curl https://example.com/wp-content/uploads/jobpost Search for this path / folder in search engines to find uploaded resumes...
Page Restriction WordPress < 1.2.7 - Admin+ Stored Cross-Site Scripting
The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users. PoC In Page/Post Access tab, Use XSS Payload as " in any of the pages available. XSS will be...
LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Proof of Concept PoC: ======================= 1. The store...
Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcopdupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection PoC curl 'http://example.com/wp-admin/admin-ajax.php' --data...
Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection PoC...
WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header
The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. PoC curl --referer "something" -sIXGET https://example.com/wp-admin/options.php HTTP/2 302 ... location:...
BuddyPress < 7.2.1 - REST API Privilege Escalation
The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API buddypress/v1/members/me endpoint...
Custom Banners < 3.3 - CSRF Nonce Bypass in saveCustomFields
The plugin did not properly check the CSRF nonce in the saveCustomFields method, which could allow attackers to make a logged in user with the editpost capability to save custom fields in a post. Numerous sanitisation fixes were also added to v3.3 PoC Send a request without the...
WP Amour < 1.5.7 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise and escape its setting fields, leading to Stored Cross-Site Scripting issues. Furthermore, the lack of CSRF checks could also allow attackers to trigger the XSS via CSRF attacks against a logged in administrator PoC...
Advanced Woo Search < 2.00 - SQL query leak in ajax search
Every ajax search returns the raw SQL query in the response...
Rank Math 0.9~1.0.42.1 - Missing Access Controls to Disable Competitor Plugins
Missing access controls on the GET requests to deactivate competitors' plugins. This could allow any authenticated users such as subscribers to deactivate the SEO and Sitemap plugins from competitors. The attack could also be performed via CSRF. PoC...
WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
Description This can lead to code execution if the wp-config.php file is deleted, forcing WordPress to start the installation process. Can be exploited by any user who is able to edit uploaded media...
WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
...
WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
...
WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
PoC The following payload placed in a page or post does not work in comments: TEST!!!caption width="1" caption='Click me'...
WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
PoC " onmouseover="alert'hello';"...
Contact Form 7 <= 3.5.2 - File Upload Remote Code Execution
The Contact Form 7 WordPress plugin was affected by a File Upload Remote Code Execution security vulnerability...
WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php
...
Elementor Website Builder Pro < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload
Description The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for...
File Manager Pro < 8.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
Description The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mkcheckfilemanagerphpsyntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the...
Flatsome < 3.17.6 - Unauthenticated PHP Object Injection
Description The Flatsome theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.17.5 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed o...
Multiple Plugins from Inisev - Subscriber+ Plugin Installation
Description Multiple plugins from the Inisev vendor are lacking authorisation in the handleinstallation function hooked to the inisevinstallation AJAX action, allowing any authenticated users, such as subscriber to install plugins from Inisev on the blog...
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) < 7.6.5 - Authentication Bypass
The improper credential validation on the plugin allows unauthenticated attackers to escalate privileges if administrator's emails is known...
Metform Elementor Contact Form Builder < 3.3.1 - Multiple Contributor+ Stored XSS via Shortcode
The plugin does not properly sanitize and escape user input when processed by many of its shortcodes, which could enable users with contributor privileges to conduct Stored Cross-Site Scripting attacks on the site. Affected shortcodes include mf, mffirstname, mflastname, and mfthankyou...
Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting. PoC Ensure WooCommerce is installed. Visit the following path, while logged in as an Admin: /wp-admin/admin.php?page=ppomid=5meta=edit&"=1...
YARPP - Yet Another Related Posts Plugin < 5.30.5 - Subscriber+ LFI
The plugin does not validate a parameter before using it in an include statement, allowing any authenticated users, such as subscriber to perform LFI attacks...
YellowPencil Visual CSS Style Editor < 7.5.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role of Admin to perform Cross-Site Scripting attacks...
TreePress – Easy Family Trees & Ancestor Profiles < 3.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with the Admin role to perform Cross-Site Scripting attacks...
Multiple e-plugins - Subscriber+ Privilege Escalation
The plugins, sold by the same developer e-plugins, do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function ivdirectoriesupdateprofilesetting uses updateusermeta with any data provided by the ajax call, which can be used to give the logged in...
Smart Slider 3 < 3.5.1.14 - Contributor+ Stored XSS
The plugin does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC smartslider3...
Beautiful Cookie Consent Banner < 2.10.2 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF check when updating its settings, and does not escape some of them when outputting them, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks. An initial fix was released in version 2.10.1, and completed in...
Transposh WordPress Translation <= 1.0.8 - Usernames Disclosure
The plugin does not have any authorisation in its tphistory AJAX action, allowing unauthenticated users to call it and retrieve a list of usernames which translated text...
Photo Gallery < 1.6.3 - Unauthenticated SQL Injection
The plugin does not properly escape the $POST'filtertag' parameter, which is appended to an SQL query, making SQL Injection attacks possible. PoC POST /wp-admin/admin-ajax.php?imageid=123 HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: zh,en;q=0.5 Accept-Encoding:...
WP Reset Pro < 5.99 - Database Reset via CSRF
The plugin does not have CSRF check when resetting the database, which could allow attacker to make logged in users reset it Note: This affect only the pro version of the plugin, however both the free and pro have the same slug...
Filebird 4.7.3 - Unauthenticated SQL Injection
The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the getcol function and it allows SQL injection. The Rest...
SP Project & Document Manager < 4.22 - Authenticated Shell Upload
The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for...