14603 matches found
POST SMTP Mailer < 2.5.7 - Account Takeover via CSRF
The plugin does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the managepostmansmtp capability resend an email to an arbitrary address for example a password reset email could be resent to an attacker controlled email, and allow them to...
Coupon Affiliates < 5.4.4 - Unauthenticated Reflected XSS
The plugin was vulnerable to Unauthenticated Reflected Cross-Site Scripting XSS via the 'wcucoupons' parameter...
Login Configurator <= 2.1 - Reflected Cross-Site Scripting
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators. PoC Visit the following path:...
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite < 1.0.0 - CSRF to Stored XSS
The plugin does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack...
AN_GradeBook <= 5.0.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber PoC Access the following URL to demonstrate SQLi:...
WooCommerce Google Sheet Connector <= 1.3.5 - Access Code Update via CSRF
The plugin does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack PoC Make a logged in admin open https://example.com/wp-admin/admin.php?page=wc-gsheetconnector-config=attacker-code...
Floating Chat Widget < 3.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Steps to Reproduce: 1. Open Chaty Plugin...
Lana Shortcodes < 1.2.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Insert any of the following shortcodes in a...
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite < 1.0.0 - Subscriber+ Stored XSS
The plugin does not sanitize and escape reviews, which could allow users any authenticated users, such as Subscribers to perform Stored Cross-Site Scripting attacks...
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor < 3.8.0 - Sensitive Data Disclosure
The plugin could expose backup files if the web server had Directory Listing enabled...
TheRoof < 1.0.4 - Unauthenticated Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against visitors following crafted links...
NEX-Forms < 8.4.4 - Authenticated Stored XSS
The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such feature. PoC Create a new form with the...
WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update
The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of H1 PoC Affected functions: createpaymentintentajax updatepaymentintentajax saveupeappearanceajax updateorderstatusajax updatefailedorderajax ...
Optin Forms <= 1.3.2 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Querlo Chatbot <= 1.2.4 - Stored Cross-Site Scripting
The plugin does not escape or sanitize chat messages, leading to a stored Cross-Site Scripting vulnerability. PoC Submit the following in the chat message: """ See the XSS in Querlo...
JS Help Desk – Best Help Desk & Support <= 2.7.7 - Ticket Manipulation via IDOR
Submission imported from CVE-2023-23679. Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk: from n/a through 2.7.7...
MStore API < 4.0.2 - Unauthenticated SQL Injection
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...
Enable SVG, WebP & ICO Upload <= 1.0.3 - Author+ Stored XSS
The plugin does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability. PoC 1. Upload an SVG file with the following contents. 2. View the SVG file on the frontend and see the alerts...
Supsystic Popup < 1.10.19 - Prototype Pollution
The plugin has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype. PoC 1 Create a pop-up that is set to load on any page 2 Go to http://example.com/?protopoc=polluted 3 Open browser console 4 Type poc and see polluted as the resul...
MStore API < 3.9.8 - Unauthenticated SQL Injection
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
Lana Text to Image < 1.1.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize or escape some of its settings before outputting them in the admin's dashboard, allowing Contributor+ privileged users to perform Cross-Site Scripting attacks against other users even when the unfilteredhtml capability is disallowed...
MainWP Child < 4.4.1.1 - Sensitive File Disclosure
The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files...
OOPSpam Anti-Spam < 1.1.45 - Cross-Site Request Forgery
The plugin does not adequately verify requests use nonces, leading to a potential Cross-Site Request Forgery vulnerability...
InventoryPress <= 1.7 - Author+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks. PoC 1. Create a "New Inventory Item" 2. In the "Description" field, add the value " 3. Edit the created item and see the XSS...
Metform Elementor Contact Form Builder < 3.3.3 - Cross-Site Request Forgery
The plugin does not correctly validate nonces on the permalinksetup function. This can potentially enable the alteration of permalink structure via a forged request, if an administrator is tricked into clicking a deceptive link. Verification only takes place when a nonce is provided, leaving the...
Ninja Forms < 3.6.25 - Admin+ Arbitrary File Deletion
The plugin does not validate the path of files to be deleted, which could allow administrators to delete arbitrary files on the server even when they should not be able to...
Event Manager for WooCommerce < 3.9.6 - Editor+ Stored Cross-Site Scripting
The plugin does not correctly sanitize user inputs, leading to potential Stored Cross-Site Scripting XSS vulnerabilities...
WPBakery Page Builder < 6.13.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WooCommerce Payments < 4.5.1 - Intent Parameter Tampering
The plugin allows customer to complete an order on a merchant’s site without paying for it...
Gallery Metabox <= 1.5 - Subscriber+ Unauthorized Data Access
The plugin does not correctly implement capability checks on the refreshmetabox function, leading to unauthorized access of data. As a result, subscribers can obtain a list of images attached to a post...
Mail Queue < 1.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitize and escape user input for the email subject field. This can lead to the injection of arbitrary web scripts that execute whenever a page is accessed...
About Me 3000 widget <= 2.2.6 - Administrator Stored Cross-Site Scripting
The plugin does not sufficiently sanitize user inputs nor escape output in the admin settings, leading to a Stored Cross-Site Scripting vulnerability. This can result in the injection of arbitrary web scripts in pages that execute when a user accesses an injected page. The issue primarily affects...
WooCommerce Product Vendors < 2.1.77 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below html...
Gravity Forms < 2.7.5 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin. PoC Make a logged in admin open the following URL:...
WooCommerce Pre-Orders < 2.0.1 - Contributor+ Stored XSS
The plugin does not validate and escape its layout shortcode attribute before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC woocommercepreordercountdown productid="64"...
WooCommerce Product Vendors < 2.1.77 - Vendor Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as Admin Vendor and above PoC As an Admin vendor, open the URL below...
Potent Donations for WooCommerce < 1.1.10 - Cross-Site Request Forgery
Cross-Site Request Forgery CSRF vulnerability in WP Zone Potent Donations for WooCommerce plugin = 1.1.9 versions...
BookIt < 2.3.8 - Authentication Bypass
The plugin does not perform any authorisation check when a user book an appointment using an email from an existing account, allowing unauthenticated attackers to login as any user from the blog by providing their email address PoC On a page where the bookit is embed, book an appointment using an...
WooCommerce Bulk Stock Management < 2.2.34 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below...
3DPrint < 3.5.6.9 - CSRF to arbitrary file downlad
Description The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will create an archive of any files or directories on the target server by tricking a logged in admin into...
Mailtree Log Mail < 1.0.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitize and escape the input received through the email subject, leading to potential Stored Cross-Site Scripting XSS. This can result in the execution of arbitrary web scripts whenever a user accesses a compromised page...
WooCommerce PayPal Payments < 2.0.5 - Merchant ID Details Update via CSRF
The plugin does not have CSRF checks when updating the merchant ID details, which could allow attackers to make logged in users update them via a CSRF attack...
Form Builder <= 1.9.9.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
All In One Redirection < 2.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC When adding a redirection, sourceurlinsert is vulnerable with the payload: sourceurlinsert...
WP Sticky Social 1.0.1 - Stored XSS via CSRF
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
MStore API < 3.9.7 - Subscriber+ Unauthorized Settings Update
The plugin does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. PoC Make sure the site also has WooCommerce installed and activated, then, while logged-in as a subscriber, visit the following URLs: -...
Smoothscroller <= 1.0.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CMS Commander < 2.288 - Unauthenticated Authorisation Bypass
The plugin does not use a sufficient unique cryptographic signature in its cmscaddsite feature, which could allow unauthenticated users to update the cmscpublickey settings when the plugin has not been configured yet, and get access to the plugin's remote control features such as creating an...
Simple Iframe < 1.2.0 - Contributor+ Stored XSS
The plugin does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks. PoC POST /wp-json/wp/v2/posts/60?locale=user HTTP/1.1 Host: 127.0.0.1 Content-Length: 378...
TinyMCE Custom Styles < 1.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "Settings" » "TinyMCE Custom Styles"...