14603 matches found
Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection
Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored HTML injection. Only users with the unfilteredhtml capability can perform this, and such users are already allowed to use JS in posts/comments etc however t...
WP Ultimate CSV Importer < 7.9.9 - Author+ RCE
Description The plugin does not validate imported files, which could allow authors and above roles who have been granted access to the plugin settings to perform RCE...
Custom Field Template < 2.6 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the posttype parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Subscribers Text Counter < 1.7.1 - Settings Update via CSRF to Stored XSS
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping PoC Create an HTML file with the...
User Access Manager < 2.2.18 - IP Spoofing
Description The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible for attackers to access restricted content in certain situations. PoC Set HTTPXREALIP which is used in checkUserGroupAccess to use an IP from the allowlist...
Simple Blog Card < 1.31 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the...
PostX - Gutenberg Post Grid Blocks < 3.0.6 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below the post value is the ID of a post/page...
Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass
Description The plugin does not properly check users during the Stripe checkout process, which could allow unauthenticated attackers to log in as any users having placed an order when the Stripe checkout option is enabled...
Front Editor <= 4.3.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add a new form. 2. For the "Post Title",...
Bus Ticket Booking with Seat Reservation < 5.2.4 - Reflected XSS
Description The plugin does not sanitise and escape the tabdate and tabdater parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
FormCraft < 1.2.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC There are two XSS issues: Example...
Upload Media By URL < 1.0.8 - Stored XSS via CSRF
Description The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in admins upload files including HTML containing JS code for users with the unfilteredhtml capability on their behalf. PoC Have a logged in user with the unfilteredhtml capability open...
MultiParcels Shipping For WooCommerce < 1.15.2 - Arbitrary Shipment Deletion via CSRF
Description The plugin does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack PoC Make any logged in user open https://example.com/wp-admin/admin-post.php?action=multiparcelsdeleteshipping=1 to make them delete...
Blog2Social < 7.2.1 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below...
MultiParcels Shipping For WooCommerce 1.15.2-1.15.3 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
Ninja Forms < 3.6.26 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Ninja Forms < 3.6.26 - Subscriber+ Form Entries Export
Description The plugin does not have proper authorisation check in the processing function, which could allow any authenticated users, such as subscriber to export and download submitted form entries...
Ninja Forms < 3.6.26 - Contributor+ Form Entries Export
Description The plugin does not have proper authorisation check in the exportlisten function, which could allow Contributors and above roles to export and download submitted form entries...
Multiple Plugins from Inisev - Subscriber+ Plugin Installation
Description Multiple plugins from the Inisev vendor are lacking authorisation in the handleinstallation function hooked to the inisevinstallation AJAX action, allowing any authenticated users, such as subscriber to install plugins from Inisev on the blog...
Multiple Plugins from Inisev - Plugin Installation via CSRF
Description Multiple plugins from the Inisev vendor are lacking CSRF check in the handleinstallation function hooked to the inisevinstallation AJAX action, allowing unauthenticated attackers to make logged in admins install plugins from Inisev on the blog via a CSRF attack...
Change WP Admin < 1.1.4 - Secret Login Page Disclosure
Description The plugin discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered. PoC - Set custom Login URL under "Settings Permalinks". For example, login - As an unauthenticated visitor, open https://example.com/wp-admin/customize.php in a...
Video Conferencing with Zoom < 4.3.0 - Sensitive Data Disclosure
Description The plugin hardcodes its encryption key, which could allow unauthenticated attackers to decrypt the meeting id and password via the vczapiencryptdecrypt function...
Bit Assist < 1.1.9 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the plugin's settings, click...
ACF Photo Gallery Field < 2.0 - Subscriber+ UserMeta Update
Description The plugin does not check user meta to be updated, allowing any authenticated users, such as subscriber, to update any of their user meta to an arbitrary string...
InstaWP Connect < 0.0.9.19 - Unauthenticated Data Modification
Description The plugin does not have authorisation check in its eventsreceiver function, allowing unauthenticated users to create/update/delete posts/taxonomy, install/activate/deactivate plugin, update the customizer settings as well as create/update/delete arbitrary users...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC Run the command: curl -i -s -k -X POST --data-binary...
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a Blank form or select...
WP Brutal AI < 2.06 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC In the plugin settings, for a...
Custom Field For WP Job Manager < 1.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC To test, you also need to have WP...
Jupiter X Core <= 2.5.0 - Unauthenticated Arbitrary File Download
Description The plugin does not have authorisation checks and does not validate file paths in the handlefiledownload function, allowing unauthenticated users to download arbitrary files from the server when the premium version of the plugin is activated...
WP-EMail < 2.69.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the "Email Options" section...
IURNY by INDIGITALL < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to the plugin's settings. 2...
Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR
Description The plugin does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. PoC 1. Create a new Post as a Contributor user. 2. Add the "Simple Author Box" block. 3. Intercept the...
Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Ensure Contact Form 7 is...
User Activity Log < 1.6.5 - Unauthenticated SQLi
Description The plugin does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks. Version 1.6.4 mitigates the issue for unauthenticated users but it is still...
Ultimate Addons for Contact Form 7 < 3.1.29 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC 1. Ensure Contact Form 7 is installed, along with this plugin 2. Visit Contact...
WP Donate < 1.5 - Unauthenticated SQL Injection
Description A vulnerability was found in wp-donate Plugin up to 1.4 on WordPress. It has been classified as critical. This affects an unknown part of the file includes/donate-display.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version...
Custom Post Type Generator <= 2.4.2 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Essential Addons For Elementor < 5.8.2 - Unauthenticated MailChimp API Key Disclosure
Description The plugin discloses the MailChimp API key in pages with the MailChimp block, allowing unauthenticated users to obtain such key...
Multiple DeoThemes Themes - Reflected Cross-Site Scripting
Description Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
Easy Captcha <= 1.0 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Easy Captcha <= 1.0 - Missing Authorization
Description The plugin does not have authorisation in various AJAX actions, which could allow unauthenticated users to call them and perform unauthorised actions...
OAuth Single Sign On – SSO (OAuth Client) < 6.23.4 - Improper Authentication
Description The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as Subscriber to call them and perform unauthorised actions...
ARMember (free and premium) - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters, which could allow users with a role of Admin and above to perform Cross-Site Scripting attacks...