14602 matches found
Booster for WooCommerce - Subscriber+ Order Status Update
The plugins allow users to update their own order status via a settings defined by admins when the My Account module is enabled, however does not ensure that the status set is allowed. As a result, users could set arbitrary status to their own orders, making them paid without actually paying for...
Advanced Comment Form < 1.2.1 - Admin+ Authenticated Stored XSS
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC In the settings of the plugin, add the following payload to the text before the form:...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made PoC As unauthenticated, make a reservation ie on a page where the reservationform is embed...
Ldap WP Login / Active Directory Integration < 3.0.2 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputing them in attrubutes, leading to Reflected Cross-Site Scripting PoC Make a logged in admin open https://example.com/wp-admin/admin.php?page=LDAP+authentication+intergrating+with+AD"...
NinjaForms < 3.6.13 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil...
add2fav <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Notification Bar for WordPress <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks...
BadgeOS < 3.7.1.3 - Subscriber+ SQLi
The plugin does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections PoC Open the following URL as any authenticated user such as subscriber:...
Ajax Load More < 5.5.4 - Admin+ Arbitrary File Read
The plugin does not validate a path which could allow high privilege users such as admin to read arbitrary files from the server...
Broken Link Checker < 1.11.17 - Admin+ PHAR Deserialization
The plugin does not validate a parameter, which could allow high privilege users such as admin to perform PHAR deserialisation when a suitable gadget chain is also present...
WP Database Backup < 5.9 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the Destination FTP Settings...
Anti-Malware Security and Brute-Force Firewall < 4.21.83 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=GOTMLS-settingsdebug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E Also possible with the...
Download Manager < 3.2.49 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters which could allow users with a role as low as contruibutor to perform Stored Cross-Site Scripting attacks...
Button Plugin MaxButtons < 9.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Edit Menu <= 1.5.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack PoC...
WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion
The plugin contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user PoC...
Simple Banner < 2.12.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payloads in the "Simple Banner Text" settings of the plugin: Firefox...
WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion
The plugin does not have proper authorisation in some of its REST endpoints, which could allow unauthenticated attackers to list and delete arbitrary submissions...
Elementor Contact Form DB < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC When there is at least one submission: https://example.com/wp-admin/edit.php?posttype=elementorcfdb=sbelemcfdid="...
WP Comments Fields < 4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a Comment Fields Comments Comment Fields and put the following payload in the Error Message setting: "autofocus...
CAPTCHA 4WP < 7.1.0 - Local File Inclusion via CSRF
The plugin lets user input reach a sensitive requireonce call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server. PoC 1 Create a malicious PHP script $ echo ' shell.php 2 Add it to a fake .doc file, who...
Flexi Quote Rotator <= 0.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Add the following payload to a new quote:...
Accordions < 2.0.3 - Unauthenticated Arbitrary Options Update
The plugin does not have any authorisation in a REST endpoint, which could allow unauthenticated users to update arbitrary WordPress options...
Request a Quote <= 2.3.7 - CSV Injection
The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it PoC On a page with a Quote Request form, upload the following CSV as an attachment: "First Name","Last...
Woo Discount Rules < 2.4.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=woodiscountrules="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like defaultrole, userscanregister via a CSRF attack PoC...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL
The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the...
OAuth 2.0 client for SSO < 1.11.4 - Authenticated Bypass
The plugin allows attackers to login as any user by just knowing their email address PoC POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded [email protected]...
WooCommerce - Product Importer <= 1.5.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC POST /wp-admin/admin.php?page=woopi=import HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Nested Pages < 3.1.21 - Admin+ Stored Cross Site Scripting
The plugin does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed PoC Put the following payload on the "Menu Name" settings of the plugin: "onmouseover=alert"XSS"//...
Image Gallery - Grid Gallery < 1.1.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create a gallery with the "Gallery Theme" set to "Gallery Image 2", add an image and put the...
New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF
The plugin does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes for bypassing the provided restrictions and to change plugin settings by tricking admin users into visiting specially crafted websites. PoC Add...
Modern Events Calendar Lite < 6.3.0 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow low privilege users to perform Stored Cross-Site Scripting attacks...
Social Share Buttons by Supsystic < 2.2.4 - Multiple CSRF
The plugin does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks. PoC...
Cimy Header Image Rotator <= 6.1.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Plausible Analytics < 1.2.4 - Subscriber+ Arbitrary Settings Update
The plugin has a flawed logic when checking for authorisation and CSRF before updating its settings, allowing any authenticated users, such as subscriber, to update the plugin's settings. The attack is also possible via CSRF against any authenticated user. PoC POST /wp-admin/admin-ajax.php HTTP/1...
Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS
Due to missing checks the plugin is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings PoC...
Keep Backup Daily < 2.0.3 - Reflected Cross-Site Scripting
The plugin does not escape and sanitise the t parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting...
WP-chgFontSize <= 1.8 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping PoC...
Zephyr Project Manager < 3.2.41 - Reflected Cross-Site Scripting
The plugin does not escape and sanitise the project parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via orderby
The plugin does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection PoC https://example.com/wp-admin/admin.php?page=fmwesproducts=id+AND+SELECT+7394+FROM+SELECTSLEEP5UrUZ...
Note Press <= 0.1.10 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections PoC https://example.com/wp-admin/admin.php?page=NotePress-Main-Menu=view=17+AND+SELECT+3630+FROM+SELECTSLEEP5KdTt...
Slideshow <= 2.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC As admin, put the following payload in the "Number of seconds the...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection PoC https://example/wp-admin/admin.php?page=fmweseditproduct=1+AND+SELECT+6037+FROM+SELECTSLEEP5Uiuu...
JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF
The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. PoC XSS will be triggered...
Andrea Pernici News Sitemap for Google <= 1.0.16 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
WP Slider <= 1.4.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed...
Check & Log email < 1.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=check-email-settings="...
WPC Smart Wishlist for WooCommerce < 2.9.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. PoC Against any authenticated user:...
Call Now Button < 1.1.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled PoC With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button=xxxxx" accesskey=X onclick=alert/XSS/...