14602 matches found
Guest Author < 2.4 - Authenticated (Author+) Stored Cross-Site Scripting
Description The Guest Author plugin for WordPress is vulnerable to Stored Cross-Site Scripting via author name in versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, ...
Structured Content < 1.6 - Contributor+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input. This makes it possible for attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an...
AppMySite < 3.11.1 - Unauthenticated Information Disclsoure
Description The plugin is vulnerable to Sensitive Information Exposure, allowing unauthenticated attackers to extract sensitive user or configuration data...
Symbiostock Lite <= 6.0.0 - Authenticated (Shop Manager+) Arbitrary File Upload
Description The Symbiostock – Sell Photos Online For Free! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with shop manager-level access and above, to...
WPsoonOnlinePage <= 1.9 - Cross-Site Request Forgery
Description The WPsoonOnlinePage plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorized...
WP Pocket URLs <= 1.0.2 - Reflected Cross-Site Scripting
Description The WP Pocket URLs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...
Crypto Converter Widget < 1.8.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Doofinder for WooCommerce < 2.1.8 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
teachPress < 9.0.6 - Cross-Site Request Forgery via delete_database()
Description The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.5. This is due to missing or incorrect nonce validation on the deletedatabase function. This makes it possible for unauthenticated attackers to clear the database...
Formzu WP < 1.6.7 - Contributor+ Stored XSS via id
Description The plugin does not validate and escape the ‘id’ parameter, allowing users with the contributor role and above perform Stored XSS attacks...
BP Better Messages < 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output...
ArtPlacer Widget < 2.20.7 - Editor+ SQLi
Description The plugin does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor or above PoC As an editor, open...
Molongui < 4.6.20 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.6.19 due to insufficient input sanitization and output escaping. This makes it possible fo...
Salon booking system < 8.7 - Authenticated (Editor+) Privilege Escalation
Description The Salon booking system plugin for WordPress is vulnerable to privilege escalation in all versions up to, but excluding, 8.7. This makes it possible for authenticated attackers, with editor-level access and above, to escalate their privileges to that of an administrator...
Easy Social Icons < 3.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The Easy Social Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. PoC Run the following within any page on the site. Notice that the request is delayed by the SLEEP call i...
BookingPress < 1.0.77 - Authenticated (Administrator+) Arbitrary File Upload
Description The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpressprocessupload' function in versions up to, and including, 1.0.76. This makes it possible for authenticated attackers with administrator-level...
MyBookTable Bookstore < 3.3.5 - API Key Update via CSRF
Description The plugin does not have CSRF check when updating its API key via the mbtapikeyrefreshajax function, which could allow attackers to make logged in admins update it via a CSRF attack...
GiveWP < 2.33.4 - Cross-Site Request Forgery to plugin deactivation
Description The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the givesendwpdisconnect function. This makes it possible for unauthenticated attackers to deactivate the SendW...
GiveWP < 2.33.4 - Cross-Site Request Forgery to Stripe Integration Deletion
Description The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the givestripedisconnectconnectstripeaccount function. This makes it possible for unauthenticated attackers to...
Folders < 2.9.3 - Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload
Description The Folders plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handlefoldersfileupload function in versions up to, and including, 2.9.2. This makes it possible for authenticated attackers, with author-level permissions or above, to...
miniorange otp verification < 4.2.2 - Missing Authorization via dismiss_notice
Description The miniorange otp verification plugin for WordPress is vulnerable to unauthorized admin notice dismissal due to a missing capability check on the dismissnotice function in versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with subscriber-level...
Parcel Pro < 1.6.12 - Open Redirect
Description The plugin does not validate the redirect parameter before redirecting the user to its value, leading to an Open Redirect issue...
Thrive Theme Builder < 3.24.2 - Cross-Site Request Forgery
Description The theme does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
ANAC XML Bandi di Gara <= 7.5 - Authenticated (Editor+) Stored Cross-Site Scripting
Description The ANAC XML Bandi di Gara plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...
News & Blog Designer Pack – WordPress Blog Plugin < 3.4.2 - Unauthenticated Remote Code Execution via Local File Inclusion
Description The News & Blog Designer Pack – WordPress Blog Plugin — Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the...
PHP to Page <= 0.3 - Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode
Description The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and potentially...
Post Sliders & Post Grids <= 1.0.20 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Post Sliders & Post Grids plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
E2Pdf < 1.20.19 - Authenticated (Administrator+) PHP Object Injection
Description The E2Pdf plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.20.18 via deserialization of untrusted input within the importaction and ajaxupload functions. This makes it possible for authenticated attackers, with administrative-level...
Admin Bar & Dashboard Control < 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Admin Bar & Dashboard Access Control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 1.2.9 exclusive due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Delete Duplicate Posts < 4.9 - Missing Authorization via AJAX Actions
Description The Delete Duplicate Posts plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on some of its AJAX actions in all versions up to 4.9 exclusive. This makes it possible for authenticated attackers, with subscriber access or higher, to...
Tab Ultimate < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Tab Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Integration for Contact Form 7 and Constant Contact < 1.1.5 - Open Redirect
Description The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.1.4. This is due to insufficient validation a redirect url. This makes it possible for unauthenticated...
ImageMapper <= 1.2.6 - Subscriber+ Arbitrary Post Deletion
Description The plugin does not authoring in its imgmapdeleteareaajax AJAX action, allowing any authenticated users, such as subscriber to delete arbitrary posts and pages...
Forminator < 1.28.0 - Admin+ Arbitrary File Upload
Description The plugin does not properly blacklist files via the forminatorallowedmimetypes function, which could allow administrator to upload arbitrary file. However, RCE can not be achieved due to htaccess configuration...
PowerPress Podcasting < 11.0.7 - Contributor+ SSRF
Description The plugin does not validate a parameter before making a request to it via the powerpressmediainfo AJAX action, which could allow Contributor and above role to perform SSRF attacks...
Simple Giveaways < 2.46.1 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Basic Interactive World Map < 2.7 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions
Description The plugin is vulnerable to unauthorized use of functionality due to a missing capability check on functions corresponding to AJAX actions in versions up to, and including, 7.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to view user...
kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition
Description The plugin does not implement atomic operations, allowing one user vote multiple times on a poll due to a Race Condition. PoC 1- Install and activate kk Star Ratings. 2- Go to the page that displays the star rating. 3- Using Burp and the Turbo Intruder extension, intercept the rating...
Groundhogg < 2.7.11.11 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
User Feedback < 1.0.10 - Unauthenticated Stored XSS
Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
Article Analytics <= 1.0 - Unauthenticated SQL injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability. PoC On a Wordpress blog using MySQL the following PoC allows to extract the hash of the...
WP Post Popup <= 3.7.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Enter the following payload in the...
Conversios.io < 6.5.4 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion
Description The plugin does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them PoC Run the below command in the developer console of the web browser while being on the blog as a Contributor user. This will put the...
Internal Link Building <= 1.2.3 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Google Calendar Events < 3.2.6 - Cross-Site Request Forgery (CSRF)
Description The Plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
AI ChatBot < 4.9.1 - Missing authorization in AJAX calls
Description The plugin does not check capabilities when processing AJAX actions, allowing unauthenticated attackers to perform actions intended for higher privileged users...
WP ULike < 4.6.9 - Contributor+ Stored Cross Site Scripting via Shortcode
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...