14603 matches found
ND Shortcodes < 7.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks PoC Run the below command in the developer console of the web browser while being on the blog as a...
Forminator < 1.24.1 - Unauthenticated Race Condition on poll vote
The plugin does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll. PoC 1. Create a poll and publish a page with a poll. 2. Visit the page with the...
Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API
The plugin does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available. PoC 1. Create a new Course, add a Topic, and add a Lesson to the Topic. 2. In Tutor LMS Settings Course,...
ND Shortcodes < 7.0 - Contributor+ Stored XSS via Shortcodes
The plugin does not validate and escape numerous of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC ndoptionsteam...
CF7 Google Sheets Connector (Free < 5.0.2, Pro < 2.3.7) - Reflected XSS
The plugins do not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below cf7-google-sheets-connector -...
GD Mail Queue < 4.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sufficiently sanitize input and escape output of email contents, resulting in a potential for arbitrary web script injection by unauthenticated users...
WP Mail Catcher < 2.1.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not adequately sanitize input or escape output in the email subject, which could lead to the injection of arbitrary web scripts...
WP EasyCart < 5.4.11 - Administrator+ Time-based SQL Injection
The plugin does not properly escape user-supplied 'orderby' parameter and lacks adequate preparation of SQL queries. This results in possible appending of additional SQL queries into pre-existing ones, potentially leading to extraction of sensitive data from the database...
Ultimate Addons for Contact Form 7 3.1.23 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers...
FiboSearch - AJAX Search for WooCommerce < 1.24.0 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape input in admin settings, leading to a Stored Cross-Site Scripting vulnerability in affected pages for multi-site installations and instances where unfilteredhtml is disabled...
WP Mail Logging < 1.11.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not adequately sanitize and escape email contents, enabling the injection of arbitrary web scripts into pages...
WP-Members Membership < 3.4.8 - Subscriber+ Unauthorized Plugin Settings Update
The plugin does not correctly implement capability checks on the dofieldreorder function, allowing authenticated users with only subscriber-level access to reorder form elements on login forms...
Metform Elementor Contact Form Builder < 3.3.1 - Multiple Contributor+ Stored XSS via Shortcode
The plugin does not properly sanitize and escape user input when processed by many of its shortcodes, which could enable users with contributor privileges to conduct Stored Cross-Site Scripting attacks on the site. Affected shortcodes include mf, mffirstname, mflastname, and mfthankyou...
Metform Elementor Contact Form Builder < 3.3.2 - Multiple Subscriber+ Sensitive Information Disclosure Issues
The plugin does not prevent less privileged users, like subscribers, from accessing various sensitive information via the plugin's shortcodes. This includes payment statuses, transaction IDs, submitter's name information, and virtually all fields of any form submissions...
Metform Elementor Contact Form Builder < Unauthenticated CSV Injection
The plugin does not properly escape user-supplied input which is output in CSV files, which could be abused in CSV Injection attacks...
Ultimate Addons for Contact Form 7 < 3.1.24 - Subscriber+ SQL Injection
The plugin does not properly sanitize the 'id' parameter, leading to a SQL Injection vulnerability...
Kanban Boards for WordPress < 2.5.21 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...
Lana Email Logger < 1.1.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitize and escape input in email subjects, leading to potential Stored Cross-Site Scripting issues...
Directorist < 7.5.5 - Subscriber+ Arbitrary User Password Reset to Privilege Escalation
The plugin does not properly validates a user sent a valid password reset token, enabling attackers to take over other user accounts, like administrators...
Directorist < 7.5.5 - Subscriber+ Insecure Direct Object Reference to Arbitrary Post Deletion
The plugin does not properly validate that users are authorized to delete a given listing, or that it is a listing at all, making it possible for less-privileged users like subscribers to delete posts...
Abandoned Cart Lite for WooCommerce < 5.15.0 - Authentication Bypass
The plugin does not use adequate cryptographic practices to secure its cart link decoding process, allowing unauthenticated attackers to bypass authentication and login as customers who have abandoned their carts...
Getwid < 1.8.4 - Subscriber+ SSRF
The plugin does not validate a parameter via the getremotecontent REST API endpoint before making a request to it, which could allow any authenticated users, such as subscriber to perform SSRF attack. Note: We do not consider flushing of cache to be a security issue, therefore CVE-2023-1910 has n...
CodeColorer < 0.10.1 – Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the plugin's settings, add the payload "...
Ultimate Product Catalog < 5.2.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Navigate to the plugin setup page. 2. Go to...
KiviCare Management System < 3.2.1 - Multiple CSRF
The plugin does not have CSRF checks either flawed or missing completely in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update...
WP ERP < 1.12.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the employeename parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC As an admin user, visit the following URL on the site:...
KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure
The plugin does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users PoC Run the below command in the developer console of the web...
USM Premium < 16.3 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Put the payload in any text field of the "8 ...
KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings PoC Run one of the below commands i...
Responsive CSS EDITOR <= 1.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin. PoC 1. Send a request with the payload:...
Catalyst Connect Zoho CRM Client Portal < 2.1.0 - Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin. PoC Make a logged-in admin a page with the code below: Note: Make sure in Client Portal the compan...
FormCraft Premium < 3.9.7 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC 1. View the plugin settings and intercept the request and add the payload sortOrder=ASC%2cselectfromselectsleep20a 2...
WP ERP < 1.12.4 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC Sign in as an admin. In WP Admin, run the following code i...
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site,...
Social Media Share Buttons & Social Sharing Icons < 2.8.2 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Put the payload in any text field of the "8 ...
Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In Aajoda » Optional Aajoda Style, insert...
Accordion & FAQ < 1.9.9 - Reflected XSS
The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting PoC Make a logged-in admin open one of the URLs below when the feature notice has not been dismissed yet...
WP Inventory Manager < 2.1.0.14 - Inventory Items Deletion via CSRF
The plugin does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack PoC Send a payload to logged-in admins with a request to http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpimmanageinventoryitems=deleteid=2...
KiviCare Management System < 3.2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator PoC Make a logged in admin open...
WP User Switch < 1.0.3 - Subscriber+ Authentication Bypass
The plugin does not properly verify the 'wpuswhoswitch' cookie value, which allows attackers with low-privilege accounts like Subscribers to bypass authentication and login as any other existing user. PoC Log-in as a subscriber onto the affected site. Run the following JS script in your browser's...
B2BKing < 4.6.20 - Subscriber+ Arbitrary Products Price Update
The plugin does not have authorisation in some AJAX actions, allowing any authenticated users, such as subscriber to update the price of any WooCommerce products...
Don8 <= 0.4 - Admin+ Stored XSS
The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
User Email Verification for WooCommerce <= 3.5.0 - Authentication bypass via weak token generation
The plugin uses a weak random token when resending email address verifications, allowing an unauthenticated attacker to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts. Furthermore, if the Allow Automatic Login After Successful...
Premium Addons PRO < 2.8.25 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
JS Job Manager < 2.0.1 - Multiple CSRF
The plugin does not have CSRF checks in several functions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Contact Form and Calls To Action by vcita < 2.7.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email and uid parameters in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts into the settings, targeting higher-privileged users such as administrators. PoC...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Missing Capability Checks
The plugin does not apply capability checks on the vcitasavesettingscallback function, making it possible for attackers with low privileges, like subscribers, to modify the plugin's settings, upload media files, and conduct XSS attacks...
VK Blocks < 1.57.1.0 - Contributor+ Settings Update via REST API
The plugin uses improper authorization for the REST API vk-blocks/v1/updatevkblocksoptions, allowing users with a role as low as contributor to change plugin settings including default icons...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Missing authentication
The plugin does not validate authorization in its vcita-wordpress/v1/actions/auth REST route endpoint, allowing an unauthenticated attacker to set the connection parameters for the vcita account connection, including businessname and email address. Furthermore, the variables are stored in the...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Denial of Service via CSRF
The plugin does not protect its vcitalogout ajax action against CSRF attacks, allowing an unauthenticated attacker to log the site out from it's vcita account by tricking a logged in user to send a crafted request, causing a denial of service for the appointment scheduling functionality. PoC...