14603 matches found
ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog PoC To simulate a gadget chain, put the following code in a plugin: class Evil public functio...
PowerPress < 10.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape user-supplied attributes in its shortcodes, leading to a Stored Cross-Site Scripting vulnerability...
Web Stories < 1.32 - Author+ Auth Bypass
The plugin does not check password protections on posts before performing some actions, allowing users with the Author role or higher to perform unauthorized actions on posts. The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password...
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
The plugin does not sanitise and escape the edit parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. PoC Make a logged in admin open the following URL:...
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure
The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. PoC - Create a password protected package containing one or more files. - Navigate to the download page of the package e.g. /download/package1 -...
Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. PoC Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
WP Custom Author URL < 1.0.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Login as Admin. 2. Go to...
Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access
The plugin does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example PoC Run the below command in the developer console of the web browser while being on the blog as a...
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. PoC Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS
The plugin does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks PoC import requests import sys import re if lensys.argv != 4: print'USAGE: python %s ' %...
Comments Ratings < 1.1.7 - Cross-Site Request Forgery
The plugin does not properly validate requests use nonces, leading to a potential Cross-Site Request Forgery vulnerability...
PixTypes < 1.4.15 - Cross-Site Request Forgery
The plugin does not adequately verify requests use nonces, leading to a potential Cross-Site Request Forgery CSRF vulnerability...
WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
The plugin does not have authorisation in the multiplerolesupdate function, allowing any authenticated users, such as subscriber to update their role and set themselves as admin for example, when the 'Enable role management' setting is enabled...
Appointment and Event Booking Calendar for WordPress < 1.0.76 - Reflected XSS
The plugin does not sanitise and escape the code parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP Fatest Cache < 1.1.3 - Multiple CSRF
The plugin does not have CSRF checks in various functions, which could allow attackers to make logged in admins perform unwanted actions such as update CDN/Cache settings via CSRF attacks...
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary deserialization"; 1. Active this...
Easy Sign Up <= 3.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Transbank Webpay REST < 1.6.7 - Admin+ SQLi
The plugin does not properly sanitise and escape the orderby parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
The7 < 11.6.1 - Reflected XSS
The plugin does not sanitise and escape a parameter from the legacy DT Flickr widget before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Product Catalog Simple < 1.7.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
IMPress Listings <= 2.6.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
Maps Widget for Google Maps < 4.25 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
PHP Compatibility Checker < 1.6.0 - Cross-Site Request Forgery
The plugin does not adequately protect against Cross-Site Request Forgery CSRF, making it possible to force unsuspecting users to perform actions without their consent...
Limit Login Attempts < 1.7.2 - Unauthenticated Stored XSS
The plugin does not sanitize and escape the IP address retrieved from headers such as X-Forwarded-For when the "Site Connection" settings is set to "From behind a reversy proxy", which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks PoC Setup: As admin, set th...
WP SMTP Mailing Queue < 2.0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Navigate to "Settings SMTP Mailing Queue...
WCFM Membership < 2.10.1 - Unauthenticated Privilege Escalation
The plugin does not have authorisation in the wcfmajaxcontroller AJAX action, allowing unauthenticated attackers to change membership registration form and set the default role to administrator...
YourChannel < 1.2.4 - Unauthenticated Settings Reset
The plugin does not have authorisation check when reset its settings, allowing unauthenticated attackers to reset them and remove YT channels from the plugin...
WCFM Membership < 2.10.0 - Multiple CSRF
The plugin does not have CSRF checks in various AJAX actions, allowing attackers to make logged in admins call them and modify membership details/renewal information etc via CSRF attacks...
WCFM Frontend Manager < 6.6.1 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscriber to call them and modify knowledge bases/notices/payments, manage vendors etc...
Stagtools < 2.3.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC 1. Create a Post and add a Shortcode...
WCFM Frontend Manager < 6.6.0 - Multiple CSRF
The plugin does not have CSRF checks in numerous AJAX actions, allowing any attackers to make logged in admin modify knowledge bases/notices/payments, manage vendors/capabilities etc via CSRF attacks...
WCFM Marketplace < 3.4.12 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscriber to call them and modify shipping method details/products, delete arbitrary posts, as well as lead to privilege escalation...
Weaver Xtreme Theme < 6.2 - Contributor+ Stored Cross-Site Scripting
The theme does not properly escape the profile display name, leading to a stored Cross-Site Scripting vulnerability...
WCFM Marketplace < 3.5.0 - Multiple CSRF
The plugin does not have CSRF in various AJAX actions, allowing attackers to make logged in admin modify shipping method details/products, delete arbitrary posts, etc via CSRF attacks...
WCFM Membership < 2.10.1 - Unauthenticated AJAX Calls
The plugin does not have authorisation in various AJAX actions, allowing unauthenticated attackers to call them and modify membership details/renewal information etc...
Site Reviews < 6.7.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Login as Admin. 2. Go to...
YourChannel < 1.2.5 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins to reset and change the plugin's quick language translation, general and channel settings via CSRF attacks...
Slimstat Analytics < 4.9.4 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering certain shortcodes that concatenate attributes directly into an SQL query. PoC...
Zyrex Popup < 1.1 - Admin+ Arbitrary File Upload
The plugin does not validate the type of files uploaded when creating a popup, allowing a high privileged user such as an Administrator to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install. PoC Create a new popup by filling in anything in th...
Sp*tify Play Button for WordPress < 2.08 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Outdoor < 3.9.7 - Reflected XSS
The theme does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Amr Ical Events Lists <= 6.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Login as Admin. 2. Go to...
Quick Paypal Payments < 5.7.26.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Original request - with sandbox=checked POST...
Comment Reply Notification <= 1.4 - Cross-Site Request Forgery
The plugin does not properly validate requests use nonces, leading to a Cross-Site Request Forgery CSRF vulnerability...
Ajax Search Lite < 4.11.1, Pro < 4.26.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...
Product Enquiry for WooCommerce < 2.2.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP FEvents Book <= 0.46 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Cross-Site Scripting attacks PoC 1. Create an event page using the plugin. 2. Access the page using an account with Subscriber role. 3. In the 'User notes' section,...
Albo Pretorio Online < 4.6.2 - Reflected XSS
The plugin does not sanitise and escape the Ente parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...