14602 matches found
Simple Ajax Chat < 20220216 - Sensitive Information Disclosure
The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it...
Fancy Product Designer < 4.7.6 - Arbitrary File Upload via CSRF
The plugin is vulnerable to Cross-Site Request Forgery via the FPDAdminImport class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server via a CSRF attack...
Responsive Tabs < 4.0.6 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks PoC As author or above, create/edit a new Tab and put the following payload as its content:...
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit a form and put the following payload in the 'E-mail To' field: " The XSS will ...
Amr Users < 4.59.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the "Name of list" field in the User Lists...
ThirstyAffiliates Affiliate Link Manager < 3.10.5 - Subscriber+ Arbitrary Affiliate Links Creation
The plugin does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website PoC fetch"/wp-admin/admin-ajax.php", "headers"...
SearchIQ < 3.9 - Unauthenticated Stored XSS
The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siqajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter PoC Once the plugin is...
Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Go to Hummingbird's Settings Configs edit the "Name and Description" and put the followi...
Ninja Forms < 3.6.8 - Unauthenticated Email Address Disclosure
The plugin does not delete the temporary files created when exporting submissions, which could allow unauthenticated attackers to download them and get sensitive information such as the email address of users who submitted a form given that the file is publicly accessible, and with a guessable na...
Responsive Menu < 4.1.8 - Subscriber+ Arbitrary File Upload / Theme Deletion / Plugin Settings Update
The plugin is missing authorisation on multiple of its AJAX actions such as savemenuglobalsettings, and relying on CSRF nonces which are disclosed to any authenticated users. As a result, it could allow them to call the affected actions and lead to arbitrary file upload, theme deletion as well as...
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
The plugin allows SVG files to be uploaded by default via the dndcodedropzupload AJAX action, which could lead to Stored Cross-Site Scripting issue PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip...
Amelia < 1.0.46 - Manager+ RCE
The plugin stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role. PoC import requests import base64 BASEURL =...
Simple Theme Options < 1.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any of textarea field settings of the plugin such as 'Google Analytics':...
Petfinder Listings < 1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any of the text field settings of the plugin such as 'Your Petfinder API Key v1.0': "...
Event Manager for WooCommerce < 3.5.8 - Contributor+ SQL Injection
The plugin does not validate and escape the postauthorgutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks PoC Create or edit an event as a contributor, intercept the request...
Flexi - Guest Submit < 4.20 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting PoC Open the following URL when authenticated as any user: https://example.com/user-dashboard/?search=keyword:...
LoginPress < 1.5.12 - Reflected Cross-Site Scripting
The plugin does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting PoC...
UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override
The plugin is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar. PoC - Right click the thumbnail of another user and copy the image URL. It will be something like:...
Catch Themes Demo Import < 2.1.1 - Admin+ Remote Code Execution
The plugin does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog ie DISALLOWUNFILTEREDHTML, DISALLOWFILEEDIT and DISALLOWFILEMODS constants set to true PoC Author : qerogram impo...
Price Table <= 0.2.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Store Cross-Site Scripting attacks...
Access Demo Importer < 1.0.8 - Data Reset via CSRF
The plugin does not have CSRF check in place which could allow an attacker to make a logged in admin reset the data of post/page/media...
Access Demo Importer < 1.0.8 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check in place when activating installed plugins, which could allow an attacker to make a logged in admin perform such action via a CSRF attack...
Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS
The plugin does not have any authorisation and has a flawed CSRF check in the wpdevartduplicatepostparametrssaveindb AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of...
Image Photo Gallery Final Tiles Grid < 3.5.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks against other users having access to the gallery dashboard PoC As a contributor, create/edit a gallery and add the followi...
Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS
The plugin does not have any authorisation and CSRF in its bpfwpwelcomeaddcontactpage and bpfwpwelcomesetcontactinformation AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting...
SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. Note: Vendor decided to close the plugin and it won't be...
PHP Everywhere < 2.0.3 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Ultimate Reviews < 3.0.16 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters available to high privilege users such as admin which could allow them to perform Cross-Site Scripting attacks woven when the unfilteredhtml capability is disallowed...
Learning Courses < 5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Visit to Paypal Setting Under Learning Plugin Enter the XSS payload " in Email PD...
WP Cookie User Info < 1.0.9 - Admin+ SQL Injection
The plugin does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection PoC...
Event Calendar < 1.1.51 - Subscriber+ Event Creation
The plugin does not have proper authorisation and CSRF checks in the addcalendarevent AJAX actions, allowing users with a role as low as subscriber to create events PoC Adding calendar events: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in one of the plugin's settings: " Affected files:...
Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected XSS in page-builder-add on the ulpbpost admin page. PoC http://127.0.0.1:8001/wp-admin/edit.php?posttype=ulpbpost=page-builder-new-landing-page="+style=animation-name:rotation+onanimationstart=alert1+x=...
WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update
The plugin does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings. v1.8.1 added authorisation checks, however CSRF was still missing and a separate advisory h...
Chaty Free < 2.8.3 & Pro < 2.8.2 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting PoC http://example.com/wp-admin/admin.php?page=chaty-contact-form-feed=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin PoC As admin, put the following payload in the "Fonts Cache Directory" setting of the plugin: ../wp-includes, tick the...
Typebot < 1.4.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the 'Publish ID or Full URL" setting and save: "...
Gwolle Guestbook < 4.2.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the gwollegbuseremail parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in an admin page PoC...
Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Put the following payload in the Google Product Category setting of the plugin at wp-admin/admin.php?page=fcapcsettingspag...
Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The plugin does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The deletecf7data would lead to arbitrary metadata deletion, as well ...
Bookly < 20.3.1 - Staff Member Stored Cross-Site Scripting
The plugin does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue PoC As a Staff Member, put the following payload in your Full Name Booklyn -- Profile -- Edit -- Full Name: The XSS will be triggered when an admin ope...
WooCommerce Currency Switcher < 1.3.7.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the key parameter of the woocsupdateprofilesdata AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected cross-Site Scripting issue PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. PoC Add the following code in a post/page while in code editor mode with an Contributor account: Then view/previe...
Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting PoC With the "Enable Logs" setting activated: https://example.com/wp-admin/admin.php?page=check-email-logs="+style=animation-name:rotation+onanimationstart=alert/XSS//...
Floating Social Media Icon <= 4.3.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some parameter in the Social media Configuration form, which could allow high privilege users to perform Cross-Site Scripting...
Mang Board WP < 1.6.9 - SQL Injection
The plugin does not validate and sanitise the ordertype parameter before using it in a SQL statement, leading to a SQL injection issue...
Ninja Tables < 4.1.8 - Admin+ Stored Cross-Site Cross-Site Scripting
The plugin does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create a table, add a column with the following payload " as Name, then add data with the...
MainWP Child < 4.1.8 - Admin+ SQL Injection
The plugin does not validate the orderby and order parameter before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed PoC POST / HTTP/1.1 Accept:...
Core Tweaks WP Setup <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via CSRF
The plugin allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks Po...
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV. PoC Go to Plugin's Settings page, in "Tool" tab, import a CSV file with Betterlinks option. Put a simple XSS payload into "linktitle"...