14603 matches found
WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution. PoC 1. Use a WordPress...
Pagination by BestWebSoft < 1.2.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Contact Forms by Cimatti < 1.5.5 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation
The plugin has a flaw allowing unauthenticated attackers to create an admin account and take over the blog PoC POST /wp-json/wp/v2/users HTTP/1.1 Host: 127.0.0.1 Upgrade-Insecure-Requests: 1 Accept:...
GiveWP < 2.25.3 - Cross-Site Request Forgery
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Woo Bulk Price Update < 2.2.2 - Reflected XSS
The plugin does not sanitize and escape escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
Events Made Easy <= 2.3.14 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the searchname parameter before using it in a SQL statement via the emerecurrenceslist AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Open the URL below while being on the blog as subscriber...
Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks PoC Run the below command in the developer console of the web browser while being on the blog as a...
Formidable PRO2PDF < 3.11 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the fieldmap parameter before using it in a SQL statement via the fpropdfexportfile AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Run the below command in the developer console of the web...
I Recommend This <= 3.8.3 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them PoC Setup: Create a default Post list, and create a password protected post with secret content Then, run the below command in the...
W4 Post List < 2.4.6 - Reflected XSS
The plugin does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting PoC Make a logged in admin open https://example.com/wp-admin/edit.php?posttype=w4pl=w4pl-docs" On a page where there is a list with navigation displayed put a nav in the template o...
LiteSpeed Cache <= 5.3 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WooCommerce JazzCash Gateway <= 2.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.0.14 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Product Feed PRO for WooCommerce < 12.4.5 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as update the plugin's settings as well as update projects via CSRF attacks...
WP Popup Banners <= 1.2.5 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the value parameter before using it in a SQL statement via the getpopupdata AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Run the below command in the developer console of the web browser whi...
MDTF < 1.3.1 - Reflected XSS
The plugin does not sanitise and escape the taxname parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
W4 Post List < 2.4.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC On a post, add a "W4 Post List" block, select a li...
InPost Gallery <= 2.1.4.1 - Reflected XSS
The plugin does not sanitise and escape the imgurl parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
Gift Voucher < 4.3.3 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the template parameter before using it in a SQL statement via the wpgvdoajaxvoucherpdfsavefunc AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC curl "http://$TARGETHOST/wp-admin/admin-ajax.php"...
Waiting: One-click Countdowns <= 0.6.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the pbcdownmetaid parameter before using it in a SQL statement via the pbcsavedowns AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Run the below command in the developer console of the web...
Pricing Tables For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Note: The plugin requires WPBakery Page...
Open Graphite < 1.6.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the "topic" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Weather Station <= 3.8.12 - Cross-Site Request Forgery
Cross-Site Request Forgery CSRF vulnerability in Jason Rouet Weather Station plugin = 3.8.12 versions...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. PoC Visit the following path on the site as an admin user:...
Userlike – WordPress Live Chat < 2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Team Member < 4.5 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks...
Disqus Conditional Load < 11.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
JS Job Manager < 2.0.1 - Missing Authorization
The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as Subscriber to call them and perform unauthorised actions...
Redirection < 1.1.5 - Plugin Reset via CSRF
The plugin does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack. PoC https://example.com/wp-admin/admin-post.php?action=iruninstall...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. PoC Visit the following path on the site as an admin user:...
Update Image Tag Alt Attribute <= 2.4.5 - Cross-Site Request Forgery
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
VigilanTor <= 1.3.10 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Simple Custom Author Profiles <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
User Registration < 2.3.3 - Subscriber+ PHP Object Injection
The plugin unserializes user input via the urgetuserextrafields and userregistrationformfield function, which could allow any authenticated users, such as subscriber to perform PHP Object Injection when a suitable gadget is present on the blog...
Vertical scroll recent post <= 14.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Lazy Social Comments <= 2.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ConvertBox Auto Embed WordPress < 1.0.20 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Hummingbird < 3.4.2 - Unauthenticated Path Traversal
The plugin does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module. This allows an attacker to: - Enumerate file system directories where the user who starts the web server process has write access. -...
Google XML Sitemap for Mobile <= 1.6.1 - Cross-Site Request Forgery
Cross-Site Request Forgery CSRF vulnerability in Amit Agarwal Google XML Sitemap for Mobile plugin = 1.6.1 versions...
Scheduled Announcements Widget < 1.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Note: First you need to add an...
Stylish Cost Calculator Premium < 7.9.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Stored Cross-Site Scripting which could be used against admins when viewing submissions submitted through the Email Quote Form. PoC POST /wp-admin/admin-ajax.php HTTP/2 Host: hosthere...
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The plugin does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the...
Simple Giveaways < 2.45.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Login with admin user and navigate to "Giveawa...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
The plugin does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user admin+ to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. PoC Just create a...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
The plugin does not limit what log files to display in it's settings pages, allowing an authorized user admin+ to view the contents of arbitrary files and list directories anywhere on the server to which the web server has access. The plugin only displays the last 50 lines of the file. PoC POST...
Store Locator WordPress < 1.4.10 - Editor+ Stored XSS
The plugin does not sanitise and escape some parameters such as categoryname, description, description2 etc, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks...
Event Manager for WooCommerce < 3.8.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
JetEngine < 3.1.3.1 - Author+ Remote Code Execution
The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. PoC fetch"/wp-admin/admin.php?action=jetengineformsimport", "headers": "accept": "text/html", "content-type": "multipart/form-data;...