14603 matches found
Solidres <= 0.9.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Add a new currency...
Regina Lite <= 2.0.7 - Reflected XSS
The theme does not sanitise and escape the id parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Brilliance <= 1.3.1 - Subscriber+ Stored XSS
The theme does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI
The plugin does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. PoC 1. Login as Admin. 2. Go to wp-admin/admin.php?page=wp-easycart-products=products 3. Click on Import Products. Browse any file and click on import file. Intercept the...
Klaviyo < 3.0.8 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Robo Gallery < 3.2.13 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Site Reviews < 6.6.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. PoC Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access...
Solidres <= 0.9.4 - Multiple Reflected XSS
The plugin does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
Intrepidity <= 1.5.1 - File Upload and Option Update via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WH Testimonials <= 3.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the whhomepage, whtextshort and whtextfull parameters of submitted Testimonials, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks PoC curl -X POST 'http://example.com/add/' \ -H 'Content-Type: multipart/form-data;...
FluentCRM - Marketing Automation For WordPress < 2.8.0 - Unauthenticated Subscriptions Update
The plugin does not properly secure the use of MD5 hash without a salt to control subscriptions, making it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions...
RapidLoad Power-Up for Autoptimize < 1.7.2 - Unauthorised AJAX Calls
The plugin does not have authorisation and CSRF checks in various AJAX actions such as deleting logs files etc, allowing them to be called by any authenticated users, such a subscriber or via CSRF attacks...
Redirection < 1.1.4 - Redirect Creation via CSRF
The plugin does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack. PoC POST /wp-admin/admin-ajax.php HTTP/2 Host: sawcup.s2-tastewp.com Cookie: test=test; User-Agent: useragent Accept: / Accept-Language: en-US,en;q=0.5...
Mass Delete Unused Tags < 3.0.0 - Tags Deletion via CSRF
The plugin does not have CSRF checks when deleting tag, which could allow attackers to make logged in admins perform such action via a CSRF attack...
GiveWP < 2.25.2 - Cross-Site Request Forgery
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
GiveWP < 2.25.2 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks...
RapidLoad Power-Up for Autoptimize < 1.7.2 - Multiple Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation and CSRF checks in multiple AJAX actions, which could allow users with a role as low as subscriber or an attacker making any authenticated user open a malicious page to call them and modify the plugins cache, add a new license, delete logs files, update cach...
GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion
The plugin does not correctly authorize some actions, allowing low-privileged users to delete content from the site which they should not be permitted to delete...
Easy Forms for MailChimp < 6.8.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its from parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Edit a form and put the following paylo...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.3 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. PoC 1. Create a contact form and add a "multiple file upload" field. 2. Add...
Image Over Image For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC imageoverimagevc...
GiveWP < 2.25.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. PoC 1. Create a contact form and add a "multiple file upload" field. 2. Add...
W4 Post List < 2.4.5 - Contributor+ Stored XSS
The plugin does not sanitise and escape the w4plnoitemstext parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
CformsII <15.0.4 - Settings Update via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
HT Easy GA4 ( Google Analytics 4 ) < 1.0.7 - Plugin Activation via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Daily Prayer Time <= 2023.05.04 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Daily Prayer Time <= 2023.05.04 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
GiveWP < 2.25.2 - Admin+ Server-Side Request Forgery
The plugin does not validate a parameter before making a request to it, which could allow users with a role of Administrator to perform an SSRF attack...
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access in Maintenance Mode
The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them PoC Run the below command in the developer console of the web browser while being on the blog as unauthenticated, when maintenance mod...
WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion
The plugin does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation. PoC As a...
Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update
The plugin has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user...
Formidable Forms < 6.1 - IP Spoofing
The plugin uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections. PoC 1. In WordPress's Settings Discussion page, add your IP address to the Disallowed Comment Keys field. This will block form...
Multiple e-plugins - Subscriber+ Privilege Escalation
The plugins, sold by the same developer e-plugins, do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function ivdirectoriesupdateprofilesetting uses updateusermeta with any data provided by the ajax call, which can be used to give the logged in...
WP Statistics < 14.0 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manageoptions capability admin+, however the plugin has a settings to allow low privilege users to access it as well. PoC...
Cookie Notice & Compliance for GDPR / CCPA < 2.4.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the below shortcod...
clickfunnels <= 3.1.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Complianz - GDPR/CCPA Cookie Consent < 6.4.2 - Contributor+ Stored XSS
The plugins do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC cmplz-consent-area...
Jetpack CRM < 5.5.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CPO Content Types <= 1.1.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
FareHarbor for WordPress < 3.6.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role of Admin to perform Cross-Site Scripting attacks...
WP Clean Up <= 1.2.3 - Cross-Site Request Forgery (CSRF)
The plugin does not protect its wpcleanupoptimize action against CSRF attacks, allowing an unauthenticated attacker to perform various database clean-up operations by tricking a logged in user to submit a crafted request...
Yet Another Stars Rating < 3.1.3 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Stored Cross-Site Scripting attacks...
Resize at Upload Plus <= 1.3 - Cross-Site Request Forgery (CSRF)
The plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a sit...
WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. PoC 1. Go to the plugin settings and insert all the settings, then save. 2. Insert the following shortcode in a post/page: wpic speed='"";...
Leyka < 3.30 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
New Adman <= 1.6.8 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
About Me 3000 widget <= 2.2.6 - CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
New Adman <= 1.6.8 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged in users perform such action via a CSRF attack...