14603 matches found
ImageRecycle pdf & image compression < 3.1.12 - Reflected XSS
Description The plugin does not sanitise and escape the page and s parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WooCommerce PDF Invoice Builder < 1.2.91 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Font Awesome 4 Menus <= 4.7.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its fa and fa-stack shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Duplicate Post Page Menu & Custom Post Type < 2.4.0 - Subscriber+ Post Duplication
Description The plugin is vulnerable to unauthorized page and post duplication due to a missing capability check on the duplicateppmcpostasdraft function in versions up to, and including, 2.3.1. This makes it possible for authenticated attackers with subscriber access or higher to duplicate posts...
WordPress Social Login <= 3.0.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its wordpresssocialloginmeta shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Description The plugin is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mlastreamfile' parameter from the /includes/mla-stream-image.php file, where images are processe...
WooCommerce PDF Invoice Builder < 1.2.90 - Subscriber+ SQLi
Description The plugin does not properly sanitise and escape the pageId parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers...
WooCommerce PDF Invoice Builder < 1.2.91 - Invoice Update via CSRF
Description The plugin does not have CSRF check when updating invoices, which could allow attackers to make logged in admin perform such action via a CSRF attack...
User Email Verification for WooCommerce <= 3.5.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
ImageRecycle pdf & image compression < 3.1.11 - Reflected XSS
Description The plugin does not sanitise and escape the page parameters before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WooCommerce PDF Invoice Builder < 1.2.92 - Subscriber+ Arbitrary Invoice Access
Description The plugin does not have authorisation in the GetInvoiceDetail function, allowing any authenticated users, such as subscriber to access arbitrary invoice by knowing or guessing the order and invoice IDs...
PixTypes <= 1.4.15 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Woo Custom Emails <= 2.2 - Reflected XSS
Description The plugin does not sanitise and escape the wcemailsedit parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
BigBlueButton <= 3.0.0-beta.4 - Reflected XSS
Description The plugin does not sanitise and escape the username and tempentrypass parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Custom Admin Login Page | WPZest <= 1.2.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some settings, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload
Description The plugin does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE PoC Prerequisite: This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't th...
Plausible Analytics < 1.3.4 - Reflected XSS
Description The plugin does not sanitise and escape the page-url parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
LINE Notify < 1.4.5 - Reflected XSS
Description The plugin does not sanitise and escape the uid parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Carrot <= 1.1.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Schedule Posts Calendar < 5.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Avartan Slider Lite <= 1.5.3 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CT Commerce <= 2.0.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WRC Pricing Tables < 2.3.9 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WebLibrarian <= 3.5.8.4 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Newsletter < 7.9.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its newsletterform shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.3 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation
Description The plugin does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation. PoC curl 'https://example.com/' -d...
Library Viewer < 2.0.6.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF
Description The plugin does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks. PoC This CSRF attack will reject a Quote in the database. 1. Go to All In One Quote Quotes 2. Click "Add quote", fill in the title, and save. 3. Find the Quote ID,...
Atarim < 3.9.4 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Audio Player with Playlist Ultimate < 1.3 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Social Share Boost <= 4.5 - Plugin Settings Update via CSRF
Description The plugin does not have CSRF checks in the syntaticalsettingscontent, which could allow attackers to make logged in users update plugin settings via CSRF attacks...
YourMembership Single Sign On < 1.1.4 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Activity Log < 2.8.8 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. PoC Run the following code in the web browser and note on the backend that the IP address has been fake...
Multiple Plugins from ServMask - Unauthenticated Access Token Update
Description The plugins do not have authorisation in the init function hooked to the admininit action, allowing unauthenticated attackers to update the access token PoC With the All-in-One WP Migration Box Extension installed, open the below URL as unauthenticated:...
Order Tracking Pro < 3.3.7 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape the order status parameter, which could allow users with a role of Admin to perform Cross-Site Scripting attacks...
Order Tracking Pro < 3.3.7 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the startdate and enddate parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
NotifyVisitors <= 1.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Ditty < 3.1.25 - Reflected XSS
Description The plugin does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC...
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Description The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. PoC On a multisite instance, log in as an admin. Click on File Organizer in the sidebar. The UI gives full control to the files on the server, despite not bein...
Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Note: The vendor was made aware of th...
Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload
Description The plugin does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. PoC NOTE: Because of an error in this version of the plugin, the following POC only works on PHP versions previous to 8.0. 1. As an...
WishSuite < 1.3.5 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
Description The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42 and not deletin...
WP Job Portal < 2.0.6 - Unauthenticated SQLi
Description The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users PoC Setup as admin: Create a dummy company and a job if there are none Attack as unauthenticated: time curl -X POST --data...
Translate WordPress with GTranslate < 3.0.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. This vulnerability affects multiple...
GDPR Cookie Consent Notice Box < 1.1.7 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
DoLogin Security < 3.7 - IP Spoofing
Description The plugin uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. PoC 1. Send login request with x-forwarded-for: REDACTEDIP 2. See spoofed IP address in the "Login Attempts Log"...
Forminator < 1.25.0 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate files to be uploaded before writing them on the server, allowing unauthenticated users to upload arbitrary files and lead to RCE...
Locatoraid Store Locator < 3.9.24 - Reflected XSS
Description The plugin does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC Setup as admin: - Locatoraid Configuration Google Maps Enter "none" a...