14603 matches found
Elementor Website Builder < 3.13.2 - Missing Authorization
The plugin does not check user capabilities on several functions, allowing authenticated attackers with a low amount of privilege such as Subscribers to perform actions that should only be available to users with higher privileges...
10WebSocial < 1.2.9 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below The XSS will be triggered when pressing...
Essential Addons for Elementor 5.4.0-5.7.1 - Unauthenticated Privilege Escalation
The plugin does not validate the password reset key, which could allow unauthenticated attackers to reset arbitrary account's password to anything they want, by knowing the related email or username, gaining access to them...
Slimstat Analytics < 5.0.5 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Slimstat Analytics < 5.0.5 - Admin+ SQLi
The plugin does not sanitise and escape the misclimitresults parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect
The plugin does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain. PoC ap-form-message redirect="https://wpscan.com"...
WoodMart < 7.2.2 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Tiny carousel horizontal slider plus <= 3.2 - Admin+ Stored XSS
The plugin does not escape several fields in the edit gallery and edit image forms, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Seo By 10Web < 1.2.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to SEO by 10Web » Sitemap section. 2...
Brands for WooCommerce < 3.8.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WP Replicate Post < 4.1 - Contributor+ SQL Injection
The plugin does not properly escape the postid parameter and lacks sufficient preparation on the SQL query, leading to SQL Injection vulnerability...
Directorist < 7.5.4 - Admin+ LFI
The plugin is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files. PoC This PoC will work on Linux systems. 1. Navigate to the URL path: /wp-admin/edit.php?posttype=atbizdir=tools=2=/etc/passwd=; 2.. You will be presented with the first couple...
AP Pricing Tables Lite <= 1.1.6 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 115 Accept: / Content-Type:...
Google Analytics by Monster Insights < 8.14.1- Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Hostel < 1.1.5.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Manage Rooms and click on "Click her...
VK Blocks < 1.54.0 - Multiple Stored XSS
The plugins do not sanitise and escape some parameters, which could lead to Stored Cross-Site Scripting issues...
Wholesale Suite < 2.1.5.1 - Cross-Site Request Forgery
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
SALERT < 1.2.2 - Subscriber+ Missing Authorization
The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the salertsavesettingswithajax function...
Ultimate Addons for Contact Form 7 < 3.1.24 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the id and formid parameters before using them in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
VK All in One Expansion Unit < 9.88.2 - Multiple Stored XSS
The plugins do not sanitise and escape some parameters, which could lead to Stored Cross-Site Scripting issues...
Team Circle Image Slider With Lightbox < 1.0.18 - Reflected Cross-Site Scripting
The plugin does not properly sanitize and escape the 'searchterm' parameter, leading to Reflected Cross-Site Scripting vulnerability...
SALERT < 1.2.2 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
HollerBox < 2.1.4 - Admin+ SQL Injection
The plugin concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database. PoC 1. Login as admin 2. Make sure HollerBox is installed and...
Download Manager < 3.2.71 - Broken Access Controls
The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's...
WP Abstracts <= 2.6.2 - Unauthenticated Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Hide My WP Ghost – Security < 5.0.20 - IP Address Spoofing
The plugin does not adequately restrict where IP Address information is retrieved from, leading to an IP Address Spoofing vulnerabilities. Attackers may use this to bypass IP blocking features provided by the plugin...
Easy Appointments < 3.11.10 - Cross-Site Request Forgery
The plugin does not properly validate requests use nonces, leading to potential Cross-Site Request Forgery CSRF vulnerabilities...
WP Job Portal <= 2.0.1 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to change them...
Metform Elementor Contact Form Builder < 3.3.2 - Unauthenticated Permalink Structure Update
The plugin does not properly implement capability checks on the permalinksetup function, leading to unauthorized permalink structure updates...
Cart Lift < 3.1.6 - Reflected XSS
The plugin does not sanitise and escape the cartsearch parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Advanced Custom Fields < 6.1.6 - Reflected XSS
The plugins do not escape the poststatus parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
WCFM Membership < 2.11.0 - Unauthenticated Arbitrary Password Update via IDOR
The plugin allows unauthenticated attackers to update the password of arbitrary account via an IDOR attack, which could allow them to gain access to high privilege ones such as administrator...
OSM – OpenStreetMap <= 6.01 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC osmmap mapborder='3px solid black;background:red;width:100px;height:100px;" onmouseover="alert1"'...
UserAgent-Spy <= 1.3.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Loginizer 1.7.8 - Reflected XSS
The plugin does not escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks PoC 1. Create a Newsletter popup any will do and publish it. 2. Use an incognito window and open the website involved, then run the following code...
Otter - Gutenberg Blocks < 2.2.6 - Author+ PHAR Deserialization
The plugin does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP addFromString'test.png', 'text'; $phar-setStub"\xff\xd8\xff\n"; $phar-setMetadatanew Evil; $phar-stopBuffering; 2. As an Author user,...
Easy Digital Downloads < 3.1.1.4.2 - Unauthenticated Privilege Escalation
The plugin does not have authorisation and CSRF in its AJAX action, allowing unauthenticated users to call it, one in particular could allow them to reset any account's password by knowing the username...
WP Fatest Cache < 1.1.5 - Blind SSRF via CSRF
The plugin does not have CSRF check in an AJAX action, and does not validate user input before using it in the wpremoteget function, leading to a Blind SSRF issue Note: CSRF was fixed in 1.1.4, the SSRF in 1.1.5 PoC Make a logged in admin open...
Newsletter Popup <= 1.2 - Record Deletion via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wpnewslettershowlocalrecord page is not protected with a nonce. PoC https://localhost/wp-admin/admin.php?page=wpnewslettershowlocalrecord=delet...
Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal
The plugin does not sanitize the dir parameter when handling the getsubdirs ajax action, allowing a high privileged users such as admins to inspect names of files and directories outside of the sites root. PoC - Payload: ../../../../../../../../../../../../../../../../../../../ - At the "Other...
Add to Feedly <= 1.2.11 - Admin+ Stored XSS
The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Install the plugin and insert the following payload in the field "Feed URL http://...": 1" Save the...
Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery
The plugin does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing. PoC 1. Install the Log HTTP Requests plugin to inspec...
AnyWhere Elementor < 1.2.8 - Freemius API Key Disclosure
The plugin discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked. PoC See the disclosed secret key in includes/pro.php...
Elementor Website Builder < 3.12.2 - Admin+ SQLi
The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role. PoC 1. Go to Elementor Tools Replace URL 2. Fill the first field with...
Login Rebuilder < 2.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Settings » Login rebuilder 2. In...
WP EasyPay < 4.1 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin PoC When there is no account connected, make a logged in admin open...
Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting. PoC Ensure WooCommerce is installed. Visit the following path, while logged in as an Admin: /wp-admin/admin.php?page=ppomid=5meta=edit&"=1...
Advanced Woo Search < 2.78 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize input and escape output in admin settings, leading to Stored Cross-Site Scripting vulnerabilities. This issue affects multi-site installations and those with unfilteredhtml disabled...
I Recommend This <= 3.8.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...