14603 matches found
ActivityPub for WordPress < 1.0.1 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks PoC As a contributor, create or edit a post with the payload below while in code editor mode xyz The XSS will be triggered...
User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent
Description The plugin does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks. PoC 1 Make sure the plugin's Enable User Agent For Log setting is set at /wp-admin/admin.php?page=ualpsettings 2 If...
Bookly < 22.4 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC Go to Bookly Settings Logs Do a search and intercept the request The parameter columns%5B0%5D%5Bdata%5D wit...
WPSchoolPress < 2.2.5 - Teacher+ SQLi
Description The plugin uses the WordPress escsql function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers. PoC 1. Install the WPSchoolpress plugin and Import Demo Data. 2. Log in as a...
PowerPress Podcasting < 11.0.12 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin. PoC Add the following payload to the Media URL field:...
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure
Description The plugin does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post such as draft and private via an IDOR vector PoC Run the below command in the developer console ...
Simple Posts Ticker < 1.1.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Add a post with the...
ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS
Description The plugin does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks PoC As a contributor, put the following payload in a post the payload will have to be updated accordingly to watch th...
Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Register a student account and go to the...
WordPress File Upload < 4.23.3 - Author+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as authors to perform Stored Cross-Site Scripting attacks. PoC 1. Add the following shortcode to a post: wordpressfileupload redirect="true" redirectlink="javascript:alert1" 2...
Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin PoC...
WP Matterport Shortcode < 2.1.7 - Reflected XSS
Description The plugin does not escape the PHPSELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin PoC Make a logged in admin open...
PageLayer < 1.7.7 - Unauthenticated Stored XSS
Description The plugin doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts. PoC Unauthenticated attacker Proof of Concept 1 As a legitimate administrator, schedule a post to be published in a few minutes. 2 Close every window to that site to...
NextGEN Gallery < 3.39 - Admin+ Local File Inclusion
Description The plugin does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks PoC 1. Create a gallery and upload an image. 2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery...
PageLayer < 1.7.8 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code. PoC - As a user with Author+ capabilities, create a new post draft - Save it, then edit it using the PageLayer page builder - Navigate to...
WP Job Openings < 3.4.3 - Sensitive Data Exposure via Directory Listing
Description The plugin does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled. PoC...
Contact Form by FormGet <= 5.5.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Easy Registration Forms <= 2.1.1 - Subscriber+ Information Disclosure via Shortcode
Description The Easy Registration Forms for WordPress is vulnerable to Information Disclosure via the 'erformsusermeta' shortcode due to insufficient controls on the information retrievable via the shortcode...
WordPress Charts < 0.7.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Media Library Assistant < 3.11 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
DoLogin Security < 3.7.1 - Subscriber+ IP Address leak
Description The plugin does not restrict the access of a widget that shows the IPs of failed logins to low privileged users. PoC Just login to subscriber account and go to: http://localhost/wp-admin/index.phplog...
Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. PoC Using malicious SVG files: Go to a product page that features the file upload form, and paste the following in your...
EventON < 2.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a new events. 2. In the...
Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. PoC Upload an allowed WordPress extension such as JPG and inject it with a script such as: . To access...
Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC msalert...
Enable Media Replace < 4.1.3 - Author+ PHP Object Injection
Description The plugin unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog PoC Step 1: Add the following code to the end of the file located at...
WordPress File Sharing < 2.0.4 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks PoC 1. Create a contact form 2. Embed the contact form shortcode on a post or page. 3. As an Unauthitncated user, inject the inputs for a malicious...
User Submitted Posts < 20230901 - Contributor+ Stored XSS via Shortcode
Description The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's uspgallery shortcode in versions up to, and including, 20230811 due to insufficient input sanitization and output escaping on user supplied attributes like 'before'. This makes ...
Super Store Finder < 6.9.4 - Unauthenticated Email Creation/Sending
Description The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site's server, with arbitrary content...
WP User Control <= 1.5.3 - Unauthenticated password reset
Description The WP User Control plugin for WordPress is vulnerable to unauthorized password resets due to the plugin using native password reset functionality. It is worth mentioning that the new password is only sent to the affected user's email, not being leaked to the attacker...
Awesome Weather Widget for WordPress <= 3.0.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Allow PHP in Posts and Pages < 3.0.4 - Authenticated Remote Code Execution (RCE)
Description The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server...
Simple Download Counter < 1.6.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
JQuery Accordion Menu Widget for WordPress <= 3.1.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
intergeo-maps <= 2.3.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
WS Facebook Like Box Widget for WordPress <= 5.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
WooCommerce CVR Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) CVR Update
Description The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refreshordercvrdata AJAX action. This makes it possible for authenticated attackers with contributor-level access and above, to update C...
Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
Description The plugin does not prevent redirects to the login page via the authredirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled. PoC Example using GravityForms to redirect to the login...
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE PoC On a page where there is a form with a Signature field, run the following code in the web developer console while...
File Manager Pro < 1.8.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not adequately validate and escape some inputs, leading to XSS by high-privilege users. PoC As an admin, open the File Manager and run the following JS code: fetch"http://localhost:10008/wp-admin/admin-ajax.php", "headers": "content-type":...
File Manager Pro < 1.8.1 - Admin+ Remote Code Execution
Description The plugin allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. PoC As an admin, use the File Manager UI to upload a file...
Weaver Xtreme Theme Support < 6.3.1 - Admin+ PHP Object Injection
Description The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin: class Te...
WP Abstracts <= 2.6.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Reservation.Studio widget < 1.0.12 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Dropbox Folder Share <= 1.9.7 - Unauthenticated Server-Side Request Forgery via 'link'
Description The Dropbox Folder Share plugin plugin was affected by an Unauthenticated Server-Side Request Forgery SSRF security vulnerability...
Easy Admin Menu <= 1.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Livestream Notice < 1.3.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Fitness calculators <= 2.0.7 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Cookie Monster <= 1.51 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...