14602 matches found
Search & Replace < 3.2.2 - Admin+ SQL injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks such as within a multi-site network. PoC 1. Go to the Tools parameter 2. Select Search & Replace 3. Click "Do Search & Replace" 4. Change the...
Videojs HTML5 Player < 1.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via videojs_video Shortcode
Description The Videojs HTML5 Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videojsvideo shortcode in all versions up to, and including, 1.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
Web Directory Free < 1.7.0 - Unauthenticated SQL Injection
Description The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based. PoC curl --url...
ProfilePress < 4.15.9 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the ProfilePress User Panel widget due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Event post < 5.9.5 - Missing Authorization
Description The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing capability check on the savebulkdatas function in all versions up to, and including, 5.9.4. This makes it possible for authenticated attackers, with subscriber access or higher, to...
Unlimited Elements for Elementor < 1.5.108 - Contributor+ SQLi
Description The plugin is vulnerable to SQL Injection via the ‘datapostids0’ parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and...
Themify Builder < 7.5.8 - Open Redirect
Description The plugin does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue PoC curl -kvL https://www.example.com/wp-login.php \ -e http://arbitrary-referer \ -d "log=invalidusername=invalidpasswordlogin=1redirectfail=https://malicious-site.com...
Schema App Structured Data <= 2.2.0 - Missing Authorization
Description The Schema App Structured Data plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MarkupUpdate function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber access...
Floating Chat Widget < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go "Chaty Create New Widgets...
Email Log < 2.4.9 - Unauthenticated Hook Injection
Description The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the checknonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The...
Advanced iFrame < 2024.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘addiframeurlasparamdirect’ parameter in versions up to, and including, 2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
Premium Addons for Elementor < 4.10.32 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's menu and shape widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to injec...
FooGallery < 2.4.15 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin PoC Create a...
EmbedPress < 3.9.13 - Contributor+ PDF Block Embedding
Description The plugin is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks...
Hash Form – Drag & Drop Form Builder < 1.1.1 - Unauthenticated Arbitrary File Upload to Remote Code Execution
Description The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fileuploadaction' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload...
Spectra – WordPress Gutenberg Blocks < 2.12.9 - Contributor+ Stored XSS via Image Gallery Block
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Image Gallery block due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Hash Form – Drag & Drop Form Builder < 1.1.1 - Unauthenticated PHP Object Injection
Description The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'processentry' function. This makes it possible for unauthenticated attackers to inject a PHP...
YITH WooCommerce Ajax Search < 2.4.1 - Unauthenticated Stored Cross-Site Scripting
Description The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
Atarim < 3.30 - Unauthenticated Settings Update, Post Deletion etc
Description The plugin is vulnerable to unauthorized access due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images...
WP Photo Album Plus < 8.7.00.004 - Unauthenticated Arbitrary Shortcode Execution
Description The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running doshortcod...
Prime Slider < 3.14.2 - Contributor+ Stored XSS via Pagepiling Widget
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Pagepiling widget due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor < 1.10.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WP Fastest Cache < 1.2.7 - Admin+ Arbitrary File Deletion
Description The plugin for WordPress is vulnerable to Directory Traversal via the specificDeleteCache function. This makes it possible for authenticated attackers to delete arbitrary files on the server, which can include wp-config.php files of the affected site or other sites in a shared hosting...
Brizy – Page Builder < 2.4.44 - Missing Authorization
Description The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions actionrequestdisable, actionchangetemplate, and actionrequestenable in all versions up to, and including, 2.4.43. This makes it possible...
Awesome Contact Form7 for Elementor < 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via AEP Contact Form 7 Widget
Description The Awesome Contact Form7 for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'AEP Contact Form 7' widget in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
WP Ultimate Post Grid < 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-text Shortcode
Description The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpupg-text' shortcode in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
Element Pack Elementor Addons < 5.6.2 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the customattributes value in widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to...
LA-Studio Element Kit for Elementor < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Description The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
LayerSlider 7.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via ls_search_form Shortcode
Description The LayerSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lssearchform shortcode in version 7.11.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
Responsive Contact Form Builder & Lead Generation Plugin < 1.9.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Description The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.1. This is due to the software allowing users to execute an action that does not properly validate a value before...
SiteOrigin Widgets Bundle < 1.61.0 - Contributor+ Stored XSS via siteorigin_widget Shortcode
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteoriginwidget' shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to...
Arforms < 6.4.1 - Reflected XSS
Description The plugin does not properly escape user-controlled input when it is reflected in some of its AJAX actions. PoC https://www.example.com/wp-admin/admin-ajax.php?action=currentmodalmodal=...
RomethemeForm For Elementor < 1.1.6 - Missing Authorization via export_entries, rtformnewform, and rtformupdate
Description The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the exportentries, rtformnewform, and rtformupdate functions in all versions up to, and including, 1.1.5. This makes it possible for...
WPCafe < 2.2.24 - Unauthenticated Blind Server-Side Request Forgery
Description The WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.23 via the wpccheckforsubmission function. This makes it possible for...
ShareThis Share Buttons < 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via sharethis-inline-buttons Shortcode
Description The ShareThis Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sharethis-inline-button' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This...
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce < 5.7.18 - Missing Authorization
Description The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gettemplatecontent function in all versions up to, and including,...
Opal Estate Pro <= 1.7.6 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the agent latitude and longitude parameters due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in...
Contact Form Plugin by Fluent Forms < 5.1.16 - Contributor+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additiona...
WP DSGVO Tools (GDPR) < 3.1.33 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pplink' shortcode in all versions up to, and including, 3.1.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Hash Elements < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets
Description The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multiple widgets in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin < 3.4.2.14 - Unauthenticated Stored Cross-Site Scripting via CSV Import
Description The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping...
Oxygen Builder < 4.8.3 - Authenticated (Contributor+) Remote Code Execution
Description The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users,...
PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for...
Element Pack Elementor Addons < 5.6.4 - Form Submission Admin Email Bypass
Description The plugin is vulnerable to Form Submission Admin Email Bypass due to the plugin not properly checking for all variations of an administrators emails. This makes it possible for unauthenticated attackers to bypass the restriction using a +value when submitting the contact form...
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo < 3.1.78 - Reflected XSS
Description The plugin is vulnerable to Reflected Cross-Site Scripting via the page parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a use...
NextScripts: Social Networks Auto-Poster < 4.4.4 - Subscriber+ Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure via the 'nxsgetExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets...
Sassy social share < 3.3.63 Admin+ Stored Cross-Site scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to the plugin's settings. 2...
WordPress + Microsoft Office 365 / Azure AD | LOGIN < 28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via pintra Shortcode
Description The WordPress + Microsoft Office 365 / Azure AD | LOGIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pintra' shortcode in all versions up to, and including, 27.2 due to insufficient input sanitization and output escaping on user supplied...
iframe < 5.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Description The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to and including 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
jQuery T(-) Countdown Widget <= 2.3.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via tminus Shortcode
Description The jQuery T- Countdown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tminus shortcode in all versions up to, and including, 2.3.25 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...