14603 matches found
WP Remote Users Sync < 1.2.12 - Subscriber+ Log Access
Description The plugin does not have authorisation in the refreshlogsasync function, allowing any authenticated users, such as subscriber to view logs...
AFFILIATE Solution <= 1.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WooCommerce Easy Duplicate Product < 0.3.0.1 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
a3 Portfolio < 3.1.1 - Author+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks...
Multiple Themes - Reflected XSS
Description The themes suffer from the same issue about the search box reflecting the results causing XSS which allows an unauthenticated attacker to exploit against users if they click a malicious link. PoC https://example.com/?s=katana/asd/...
Media from FTP < 11.17 - Author+ Arbitrary File Access
Description The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases. In 11.16, the manageoptions capability was used, however is still insufficient in case of MultiSite...
Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access
Description The plugin does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server. PoC On a multisite installation, log in as a site admin. Notice that you are able to manage files on the server using th...
Robo Gallery < 3.2.16 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to:...
123.chat < 1.3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC In the plugin's "User-ID" setting...
Orders Tracking for WooCommerce < 1.2.6 - Admin+ Arbitrary File Access/Read
Description The plugin doesn't validate the fileurl parameter when importing a CSV file, allowing high privilege users with the managewoocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file. PoC As ...
User Activity Log < 1.6.7 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. PoC 1. In User Activity Log Settings, enable the setting "Allow Ip Address of users to log." and save...
Leyka < 3.30.3 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Gestion-Pymes <= 1.5.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
AGP Font Awesome Collection <= 3.2.4 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP Project Manager < 2.6.5 - Subscriber+ Privilege Escalation
Description The plugin does not have authorisation and does not properly check for the user metadata to be updated via the saveusersmapname function, allowing any authenticated users, such as subscriber to update their role and gain administrator privileges...
Ninja Popups <= 4.7.5 - Unauthenticated Open Redirect
Description The plugin does not properly validate a redirect url, allowing unauthenticated attackers to redirect users to potentially malicious sites by clicking a link...
EmbedPress < 3.8.3 - Subscriber+ Plugin Settings Delete
Description The plugin does not properly authorize access to its adminpostremove and removeprivatedata actions, allowing low privileged users such as subscribers to delete plugin settings...
Contact Form Generator < 2.6.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Realia <= 1.4.0 - User Email Change via Cross-Site Request Forgery
Description The plugin does not protect its processchangeprofileform action against CSRF attacks, allowing an unauthenticated attacker to change a users email by tricking a logged in administrator to submit a crafted request...
EmbedPress < 3.8.3 - Contributor+ Stored Cross-Site Scripting via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admi...
Absolute Privacy <= 2.1 - User Email/Password Change via Cross-Site Request Forgery
Description The plugin does not protect its abprprofileShortcode action against CSRF attacks, allowing an unauthenticated attacker to change a users email or password by tricking a logged in administrator to submit a crafted request...
Store Locator WordPress < 1.4.13 - Reflected XSS
Description The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below...
Post Timeline < 2.2.6 - Reflected XSS
Description The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below...
User Activity Log < 1.6.6 - Subscriber+ Log Export
Description The plugin lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses. PoC As a subscriber, open the following URL...
Real Estate Manager <= 6.7.1 - Subscriber+ Privilege Escalation
Description The plugin does not validate user metadata to be updated via its remsaveprofilefront function, allowing any authenticated users, such as subscriber to change their role to administrator for example by giving the related wpcapabilities when they update their profile...
FULL - Customer < 2.3 - Subscriber+ Health Check Disclosure
Description The plugin does not have proper authorisation in its health REST API, allowing any authenticated user, such as subscriber to access it and retrieve sensitive information from the WordPress health check...
Profile Builder < 3.9.8 - Unauthenticated Plugin's Pages Creation
Description The plugin lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog PoC 1. Access the URL:...
FULL - Customer < 2.3 - Subscriber+ Arbitrary Plugin Installation
Description The plugin does not have proper authorisation in its install-plugin REST API, allowing any authenticated users, such as subscriber to install plugins from arbitrary sources...
Chat Button < 1.8.10 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
eaSYNC <= 1.3.8 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Divi < 4.20.3 - Contributor+ Stored XSS
Description The theme does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
PDQ CSV <= 1.0.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
Post Connector < 1.0.10 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
Chatbot < 4.7.8 - Admin+ Stored XSS in Language Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the plugin settings, select...
WPBulky < 1.0.10 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not properly sanitize user input via its sanitize function, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Chatbot < 4.7.8 - Admin+ Stored XSS in FAQ Builder
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Navigate to "WPBot Lite -...
Biometric Login for WooCommerce < 1.0.4 - Unauthenticated Privilege Escalation
Description The plugin does not validate that a user's WebAuthn authentication request succeeded before sending them authentication cookies, making it possible for unauthenticated attackers to take over any accounts having WebAuthn credentials set up on affected sites. PoC While on the site not...
Rank Math SEO < 1.0.119.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Simple Blog Card < 1.32 - Subscriber+ Arbitrary Post Access
Description The plugin does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones PoC Run the below command in the developer...
GDPR Cookie Compliance < 4.12.5 - License Update/Deactivation via CSRF
Description The plugin does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks PoC Make a logged in admin open a page with the code below To make them deactivate the license To mak...
CartFlows Pro < 1.11.13 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WP Ultimate CSV Importer < 7.9.9 - Imported Files Disclosure
Description The plugin does not protect its imported files, which could allow unauthenticated users to list and view exported files...
POEditor < 0.9.8 - Settings Reset via CSRF
Description The plugin does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks. PoC...
CodeBard's Patron Button and Widgets for Patreon < 2.1.9 - Reflected XSS
Description The plugin does not sanitise and escape the siteaccount parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
All Users Messenger <= 1.24 - Subscriber+ Message Deletion via IDOR
Description The plugin does not prevent non-administrator users from deleting messages from the all-users messenger. PoC 1 Go to the messenger 2 Catch a request that is constantly running at intervals of 3 seconds 3 Change the message time argument to true 4 Set true for permission to delete a...
wpShopGermany IT-RECHT KANZLEI < 1.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Ultimate CSV Importer < 7.9.9 - Author+ Privilege Escalation
Description The plugin does not validate User Metadata, which could allow author and above roles who have been granted access to the plugin settings to update their role to administrator...
User Activity Tracking and Log < 4.0.9 - License Update/Deactivation via CSRF
Description The plugin does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks PoC Make a logged in admin open a page with the code below To make them deactivate the license To mak...
WpStream < 4.5.5 - Local Event Settings Update via CSRF
Description The plugin does not have CSRF check when updating its local event settings, which could allow attackers to make logged in admin perform such action via a CSRF attack...
CartFlows Pro < 1.11.12 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...