14602 matches found
MainWP Child < 4.1.8 - Admin+ SQL Injection
The plugin does not validate the orderby and order parameter before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed PoC POST / HTTP/1.1 Accept:...
Core Tweaks WP Setup <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via CSRF
The plugin allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks Po...
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV. PoC Go to Plugin's Settings page, in "Tool" tab, import a CSV file with Betterlinks option. Put a simple XSS payload into "linktitle"...
Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any of the plugin's settings with a text input: - v - v "Redirected to...
Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status ie private, using a shortcode. Password protected posts/pages are not affected by such issue. PoC insert page='pageslug' display='all' Where...
Insert Pages < 3.7.0 - Contributor+ Stored Cross-Site Scripting
The plugin adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. PoC - Create a page A - Add a custom field containing JS...
WpGenius Job Listing <= 1.0.2 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts...
Colorful Categories < 2.0.15 - Arbitrary Colors Update via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack PoC...
Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
The plugin does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. PoC POST /wp-json/pie/v1/login HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding...
Affiliate Manager < 2.8.7 - Admin+ SQL injection
The plugin does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue PoC POST /wp-admin/admin.php?page=wpam-affiliates=exportdata=if=0,1,SLEEP10 HTTP/1.1 Accept:...
Schreikasten <= 0.14.18 - Author+ SQL Injections
The plugin does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author PoC...
Perfect Survey < 1.5.2 - Unauthorised AJAX Call to Stored XSS / Survey Settings Update
The plugin does not have proper authorisation nor CSRF checks in the saveglobalsetting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which wi...
Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts
The plugin defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user including simple subscribers can add/set/delete arbitrary categories to posts. PoC Set the category 107 to the post 1537: POST /wp-admin/admin-ajax.php...
AutomatorWP < 1.7.6 - Missing Authorization and Privilege Escalation
The plugin does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. PoC Attack Procedures 1 Run this in Dashboard while logged in as...
MainWP Child Reports < 2.0.8 - Admin+ SQL Injection
The plugin does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue PoC https://example.com/wp-admin/options-general.php?page=mainwp-reports-page=+AND+SELECT+7332 FROM+SELECTSLEEP5qiXg - the web page freezes for...
GamePress <= 1.1.0 - Reflected Cross-Site Scripting
The plugin does not escape the opedit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues PoC Affected pages: op=engines, op=perspectives, op=modes, op=genres, op=themes, op=platforms...
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. PoC Put the following payload in the "Folder for new files" and "Maximum size of uploaded file" settings of the plugin: "...
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. Timeline July 12th, 2021 - Vendor...
Download from files <= 1.48 - Unauthenticated Arbitrary File Upload
The downloadfromfiles617fileupload AJAX action f the plugin, available to both unauthenticated and authenticated users does not properly restrict the files to be uploaded, which could allow unauthenticated users to upload PHP4 files for example PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
wp-publications - Local File Inclusion
The plugin is vulnerable to restrictive local file inclusion via the QFILE parameter found in the /bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution...
Bug Library < 2.0.4 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the via the successimportcount parameter found in the /bug-library.php file which allows attackers to inject arbitrary web scripts...
Advance Search < 1.1.3 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the wpasid parameter found in the /inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts...
User Activation Email <= 1.3.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the uae-key parameter found in the /user-activation-email.php file which allows attackers to inject arbitrary web scripts...
simpleSAMLphp Authentication <= 0.7.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $SERVER"PHPSELF" value in the /simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts...
More From Google <= 0.0.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $SERVER"PHPSELF" value in the /morefromgoogle.php file which allows attackers to inject arbitrary web scripts...
Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update
The plugin was vulnerable to Unauthenticated Arbitrary Options Update...
Appointment Hour Booking < 1.3.16 - Authenticated Stored Cross-Site Scripting
The plugin does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create a new Calendar Appointment Hour Booking Add new Put the following payload in the Form...
XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting
The plugin does not escape the selected-name parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/edit.php?posttype=xoevent=xo-event-holiday-settings&selected-name;="...
CoolClock < 4.3.5 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks PoC As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS which is specific...
Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection
The plugin contains a 'Social & Donations' module not activated by default, which adds the rest route '/services/contributor/?P\d+, takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi. PoC With the 'Social & Donations' module of the plugin activated...
Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape some of the properties of the Recipe Card Block such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. PoC As a...
Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design like subutton's onclick attribute. Po...
Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting
The plugin does not escape the IP addresses which can be controlled by attacker via headers such as X-Forwarded-For of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue. PoC POST /wp-login.php HTTP/1.1 Accept:...
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
The plugin does not enforce path validation, authorisation and CSRF checks in the omgfajaxemptydir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. PoC As an authenticated user, with a role as low as subscriber, viewing the admin the dashboard...
WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection
The options.php file of the plugin accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it take...
Gutenslider < 5.2.0 - Contributor+ Stored XSS
The plugin does not escape the minWidth attribute of a Gutenburg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks PoC As a contributor or above, create/edit a post, put the below code while in Code Editor mode, and view/preview the post The...
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
The plugin does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user such as subscriber to call them and 1 Get and search through title and content of Draft post, 2 Get title of a password-protected post as...
WPFront Notification Bar < 2.1.0.08087 - Authenticated Stored XSS
The plugin does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC To execute the XSS on all frontend pages and plugin's setting page, add the following payload in...
Stop Spammers Security < 2021.18 - Authenticated Stored XSS
The plugin does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfilteredhtml capability is disallowed PoC Put the following payload in any of the API field of the Web Services settings: " autofocus...
Block and Stop Bad Bots < 6.60 - Authenticated SQL Injections
The plugin did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections PoC https://example.com/wp-admin/admin.php?page=sbbmy-custom-submenu-page=1+AND+%28SELECT+4242+FROM+%28SELECT%28SLEEP%285%29%29%29aaa%29=asc...
Availability Calendar < 1.2.1 - Authenticated SQL Injection
The plugin does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+ PoC With an account role as low as contributor, put the followin...
Sitewide Notice WP < 2.3 - Authenticated Stored XSS
The plugin does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the Message setting of the plugin: The XSS will ...
Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting XSS which is executed in the context of a logged administrator. Timeline WPScanTeam: June 28th, 2021 - Details sent to vendor July 9th, 2021 - Escalat...
uListing < 2.0.6 - Authenticated IDOR
An Authenticated User IDOR vulnerability was discovered in the plugin. PoC Important: userid and listingid values are dependent on each other, that is, if the author ID == 4, the data can only be modified for those ADs and pages that relate to this particular ID. You can find out the author of...
uListing < 2.0.4 - Unauthenticated SQL Injection
An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameters: custom. SQL Injection types: Error-based, Boolean-based Blind, Time-based Blind. PoC PoC 1 | Unauthenticated SQL Injection | Tables: sqlmap...
Email Subscriber <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The kentoemailsubscriberajax AJAX action of the plugin, does not properly sanitise, validate and escape the submitted subscribeemail and subscribename POST parameters, inserting them in the DB and then outputting them back in the Subscriber list...
WordPress Membership SwiftCloud.io <= 1.0 - Authenticated SQL Injection
An id GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. PoC GET /wp-admin/admin.php?page=swiftbookaddemailtemplate=0%20UNION%20ALL%20SELECT%20NULL,NULL,user,NULL,NULL-- HTTP/1.1 Cache-Control: max-age=0...
HM Multiple Roles < 1.3 - Arbitrary Role Change
The plugin does not have any access control to prevent low privilege users to set themselves as admin via their profile page PoC As any authenticated user, go to your Profile page and Tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by...
Wonder PDF Embed < 1.7 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginpdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. PoC wonderpluginpdf src="a" onload="alert1"...
Popular Brand SVG Icons - Simple Icons < 2.7.8 - Contributor+ Stored XSS
The plugin does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in...