14602 matches found
Post Grid < 2.1.8 - Reflected Cross-Site Scripting (XSS)
The slider import search feature and tab parameter of the plugin settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues PoC https://example.com/wp-admin/edit.php?posttype=postgrid=post-grid-settings="...
Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS)
The plugin does not sanitize the id parameter of its awesomeweatherrefresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting XSS Vulnerability. Note WPScanTeam: The issue was reported to the WP plugins team on May 4th, 2021, then June 7th, 2021 due to lack of update. PoC...
Any Hostname <= 1.0.6 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it PoC As admin, put the following payload in the "Allowed host" setting of the plugin /wp-admin/options-general.phpany-hostname...
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in Image Uploader Component
The cover photo and profile photo upload functionalities of the plugin were vulnerable to arbitrary file uploads due to the use of exifimagetype for filetype checking. PoC 'Hax0r2', 'regemail' = '[email protected]', 'regpassword' = 'password', 'regpasswordpresent' = 'true', 'regfirstname' =...
myStickymenu < 2.5.2 - Authenticated Stored XSS
The plugin does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog when the Welcome bar is active PoC...
Request a Quote < 2.3.4 - Authenticated Stored XSS
The plugin did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table. Note: By default, admins and editors are allowed to use JavaScript in posts and page, unless the...
WP Google Maps Pro < 8.1.12 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some of its fields, which could lead to Stored Cross-Site Scripting issues...
Vik Rent Car < 1.1.7 - CSRF to Stored XSS
In the plugin, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also ...
Woocommerce Stock Manager < 2.6.0 - CSRF to Arbitrary File Upload
The plugin is vulnerable to CSRF leading to Arbitrary File Upload due to missing nonce and file validation in the /admin/views/import-export.php file. PoC File will upload to: /wp-content/plugins/woocommerce-stock-manager/admin/views/upload/PoC.php...
Sendit WP Newsletter <= 2.5.1 - Authenticated (admin+) SQL Injection
The page lists-management feature of the plugin, available to Administrator users does not sanitise, validate or escape the idlista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection. PoC time curl -i -s -k -X $'POST' \ -H $'Upgrade-Insecure-Requests: 1' -H...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation
In the plugin, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activateplugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites. PoC $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever',...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import
The importdata function of the plugin had no capability or nonce checks making it possible for unauthenticated users to import a set of site redirects. PoC curl -i -s -k -X $'POST' \ -H $'Host: URLHERE' -H $'Content-Length: 379' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H...
Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
The plugin did not properly validate and sanitise its unsplashdownloadw and unsplashdownloadh parameter settings /wp-admin/upload.php?page=instant-images, only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. PoC -- Payloads: $ "...
LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile
The 'State' field of the Edit profile page of the plugin is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users such as students to elevate their privilege via an XSS attack when an admin...
Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS PoC https://example.com/giveaway/mygiveaways/?share=%3Cscript%3Ealertdocument.domain%3C/script%3E...
Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS vulnerability within the "Default Skin" field. PoC Step1: Install and activate the plugin. Step2: Go to the plugin setting. Step3: Enter the following payload in the field "Default Skin" xss"...
Goto < 2.1 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the formvalue JSON POST parameter in its tlfilter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate...
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
The wpdmadminuploadfile AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden. PoC As an author or any account with the uploadfiles capability, attach a .php4 file to a downlo...
Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection
The requestlistrequest AJAX call of the plugin, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the orderid POST parameter before using it in a SQL statement, leading to a SQL Injection issue. PoC curl 'https://example.com/wp-admin/admin-ajax.php' ...
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
In the plugin, any authenticated user, such as a subscriber, could use the importfromdebug AJAX action to inject PHP objects. PoC $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // OBJI $ch = curlinit; curlsetopt$ch, CURLOPTURL,...
Clever Addons for Elementor < 2.1.0 - Contributor+ Stored XSS
The “Clever Addons for Elementor” WordPress Plugin https://wordpress.org/plugins/cafe-lite/ before 2.1.0 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Banner” widget accepts a “titletag”...
DethemeKit For Elementor < 1.5.5.5 - Contributor+ Stored XSS
The “DeTheme Kit for Elementor” WordPress Plugin before 1.5.5.5 has a widget that is vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “De Page/Post Title” widget accepts an “htmltag” parameter. Although the element control...
WooLentor - WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS
The “WooLentor – WooCommerce Elementor Addons + Builder” WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Product Title” widget accepts a “producttitlehtmltag” parameter...
All-in-One Addons for Elementor - WidgetKit < 2.3.10 - Contributor+ Stored XSS
The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Content Carousel” widget accepts “customheadertag” and...
Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS)
The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, both via a similar method. The “Progress Bar” widget accepts a “progressbartitlehtmltag” parameter. Although...
Podcast Importer SecondLine < 1.1.5 - Server-Side Request Forgery (SSRF)
The plugin was vulnerable to Server-side request forgery SSRF...
Business Directory Plugin < 5.11.2 - Arbitrary Listing Export
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc PoC The state is base64 encoded and will need to be adapted to t...
Business Directory Plugin < 5.11.2 - Authenticated Stored Cross-Site Scripting
The plugin suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin. PoC Log on as an admin, create or edit a Form Field wp-admin/admin.php?page=wpbdpadminformfields and set the Field Label...
Business Directory Plugin < 5.11 - Arbitrary File Upload to RCE
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. Note WPScanTeam: CSRF check and some file validation were added in v5.11, however a blacklist...
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
The plugin settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege...
Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise the invitaioncode GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue. PoC https://example.com/wp-admin/admin.php?page=prnewregistrationformdashwidget=1code=PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=...
Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE
The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability. Note WPScanTeam: - The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the...
Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR
The plugin, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter. PoC GET...
Advanced Booking Calendar < 1.6.8 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue PoC https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.phpL550...
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts
By default, the plugin allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages. A subscriber, upon registering an account with a site with the WP Pagebuilder plugin, could immediately modify or delete...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget
In the plugin, the accordion widget includes/widgets/accordion.php accepts a ‘titlehtmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScri...
Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question
The tutorquizbuildergetanswersbyquestion AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. PoC python3 sqlmap.py -r /tutorunion.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion.txt is POST /wp-admin/admin-ajax.php...
Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id
The tutoransweringquizquestion/getanswerbyid function pair from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. PoC POST /courses/first-class/tutorquiz/test/ HTTP/1.1 Host: URL Content-Length: 413 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1...
JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. PoC curl 'https://example.com/non-existing-page"' -e '"'...
Five Star Restaurant Menu < 2.2.1 - Unauthenticated PHP Object Injection
The plugin unserialised the fdmcart cookie value without any sanitisation or validation first, when the Ordering setting of the plugin was enabled, leading to a PHP object injection which could lead to RCE...
eCommerce Product Catalog < 3.0.18 - CSRF Nonce Bypass
The plugin did not properly check the CSRF nonce in the icorders.save function, which could allow attackers to make a logged in user with the editdigitalorder capability save arbitrary digital orders...
NextGen Gallery < 3.5.0 - CSRF allows File Upload
It was possible to bypass the "validateajaxrequest" function used to control access to ajax functions by sending a request without a nonce parameter. This could be used to upload arbitrary code to an image file. Although the uploaded file must be a valid image, it is possible to include PHP code ...
Membership by Supsystic <= 1.5.0 - Authenticated SQL Injection
The GET parameter "sidx" and "search are used in a SQL statement without being sanitised when searching for badges in the dashboard, leading to authenticated SQL Injection issues. v1.4.8 attempted a fix, which was found to not be sufficient PoC The PoC will be displayed once the issue has been...
Advanced Custom Field Pro < 5.9.1 - Reflected Cross-Site Scripting (XSS)
The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. PoC The PoC will be displayed on April 16, 2021, to give users the time to update...
Site Offline < 1.4.4 - Multiple Cross-Site Request Forgery
The lack of CSRF checks could allow attackers to make a logged administrator change some of the plugin's settings...
Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting
The plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection. PoC Iimport a CSV file containing the following in the header: 'term" autofocus onfocus=alert'Complex\u0020XSS';alertdocument.cookie;//'"...
DiveBook <= 1.1.4 - Unauthenticated Reflected XSS
:A reflected Cross-Site Scripting vulnerability exists within the DiveBook log's filter functionality. Arbitrary URL parameters are reflected into the application's response, rendered by the browser as HTML or JavaScript. An attacker may abuse this functionality by sending a victim a crafted link...
Greenmart < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The greenmartautocompletesearch AJAX action, available to both authenticated and unauthenticated users does not properly sanitise the callback parameter passed to it, resulting in a reflected Cross-Site Scripting issue. Edit WPScanTeam: The vendor 'fixed' the issue for authenticated users by addi...
WP Smart CRM & Invoices FREE <= 1.8.7 - Authenticated Stored Cross-Site Scripting
Multiple fields from the customer model, such as The Business Name and Tax Code, are affected by stored cross-site scripting issues...
RSS Feed Widget < 2.8.1 - Authenticated Cross-Site Scripting (XSS)
The RSS Feed Widget WordPress plugin version 2.8.0 and below was vulnerable to Authenticated Cross-Site Scripting XSS within the "t" GET parameter. PoC http://www.example.com/wp-admin/admin.php?page=rfwoptions=1"...