14602 matches found
News & Blog Designer Pack < 3.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Exploit shortcode: bdpmasonry grid='1" onmouseover="alert1" style="background:red;"'...
JetWidgets for Elementor < 1.0.13 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
CPT Bootstrap Carousel <= 1.12 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Note: Fir...
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in the plugin: class Evil public function wakeup : void...
Tickera < 3.5.1.0- Plugin Data Deletion via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. PoC 1. Navigate to Tickera Settings » Delete info 2. Delete info request intercept like that POST...
Real Testimonials < 2.6.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
Page Scroll To ID < 1.7.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Put the...
Ibtana – WordPress Website Builder < 1.1.8.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack PoC Exploit shortcode: ive t='2100-01-01' id='" onmouseover="alert1" style="background:red;"'...
Slimstat Analytics < 4.9.3 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs PoC As an unauthenticated user, open the following URL https://example.com/?s=" The XSS will b...
WP Table Reloaded <= 1.9.4 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. PoC Explo...
WPQA < 5.9.3 - Missing validation lead to functionality abuse
The plugin which is a companion plugin used with Discy and Himer themes incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them. PoC...
LetsRecover < 1.2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC GET /checkout/order-received/30/?key=wcorderKwss5kjkrhgKG HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11;...
WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection PoC Extract the nonce from the index page search for "wpautosearchconfig", look for the "nonce" field Invoke the...
Superio - Job Board < 1.2.33 - Subscriber+ Stored Cross-Site Scripting
The theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Stored Cross-Site Scripting attacks. PoC As a candidate, add the following payload on the Social Network option: javascript:alert1 As a recruiter, access the candidate pag...
Panda Pods Repeater Field < 1.5.4 - Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission. PoC 1. Install Pods plugin dependency - https://wordpress.org/plugins/pods 2. Install...
Contest Gallery < 19.1.5.1 - Author+ SQL Injection
The plugins do not escape the upload POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection
The plugins do not escape the userid POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Paytium < 4.3.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Playtium » Settings and in the 'Test...
Custom Product Tabs for WooCommerce < 1.8.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Simple:Press < 6.8.1 - Subscriber+ Stored XSS via Profile Signatures
The plugin does not sanitise and escape the postitem parameter when modifying profile signatures, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks...
Manage Notification E-mails < 1.8.3 - Settings Reset via CSRF
The plugin does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack...
JobBoardWP < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP. PoC Setup: 1. Install the vulnerable plugin jobboardwp version 1.2.1 2. In the toast message that appears on the plugin's...
Popup Manager <= 1.6.6 - Unauthenticated Arbitrary Popup Deletion
The plugin does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them PoC As an unauthenticated users, or via CSRF: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
All-In-One Security < 5.1.1 - Bulk Actions via CSRF
The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as delete arbitrary blocked IPs via CSRF attacks...
Easy Video Player < 1.2.2.3 - Contributor+ Stored XSS
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. PoC 1. Add a new post and add the payload there: evpembedvideo url='" onerror=alert/XSS/ "' 2. Preview the post, and the XSS will trigger...
Betheme < 26.6 - Contributor+ PHP Object Injection
The plugin unserializes user input provided via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfnbuilderimport, mfnbuilderimportpage, importdata, importsinglepage, and importfromclipboard functions. This could allow users with a role as low as contributor t...
Booster for WooCommerce - Custom Role Creation/Deletion via CSRF
The plugins does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks PoC To delete the custom role dj it's possible to delete roles created by other plugins, make a logged in admi...
Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks PoC add new payment method with XSS exploit: fetch'http://localhost/tester-wp/wp-admin/admin-ajax.php', method: 'POST', headers: ne...
WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable. PoC Run the below command in the developer console of the web browser while being on t...
Betheme < 26.6 - Subscriber+ PHP Object Injection
The plugin unserialize user input, which could allow low privilege users such as subscriber to perform PHP Object Injection when a suitable gadget is present...
Advanced WP Columns <= 2.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Put the following payload in the plugin setti...
REST API Authentication < 2.4.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WPSmartContracts < 1.3.12 - Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author PoC Logon as an author and open the following URL, which will result in a delayed response...
Analytics for WP <= 1.5.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the Settings page of this plugin, in th...
reCAPTCHA <= 1.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. On the setting page of this plugin, enter...
4ECPS Web Forms <= 0.2.17 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP-Polls < 2.76.0 - IP Validation Bypass
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based limitations to vote in certain situations...
Restaurant Menu < 2.3.1 - Unauthorised AJAX Calls
The plugin does not have authorisation and CSRF checks in some AJAX actions, allowing any authenticated users, such as subscriber to call them and perform unauthorised actions such as update the plugin's settings...
Ultimate Member < 2.5.1 - Admin+ LFI via Traversal
The plugin does not validate and sanitize the pack parameter before using it in an include statement, which could allow high privilege users to perform local file inclusion attacks via a Traversal vector...
Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal
The plugin does not validate and sanitize the template attribute of its shortcode before using it in an include statement, which could allow users with a role as low as contributor to perform local file inclusion attacks via a Traversal vector...
All in One SEO Pro < 4.2.6 - Admin+ SSRF
The plugin does not validate a parameter before making a request to it, which could allow users with a role as low as Admin to perform SSRF attack...
Quiz And Survey Master < 7.3.5 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
WP Page Builder < 1.2.7 - Author+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks...
OAuth Client by DigitialPixies <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Put the following payload in any of the...
WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection PoC curl -isk -X 'POST' -H "Content-Type: application/json" --data '"sku":"a" AND SELECT 42 FROM SELECTSLEEP5wlHd--...
AB Press Optimizer <= 1.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
AWP Classifieds Plugin < 4.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection PoC To read the userlogin and userpass columns from the wpusers tabl...
Retain Live Chat <= 0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Rtain App ID...
Booking Ultra Pro <= 1.1.4 - Multiple CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
FavIcon Switcher <= 1.2.11 - Arbitrary Settings Change via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...