14603 matches found
Read More Excerpt Link <= 1.6 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. PoC While logged in as a subscriber, send the following request: await fetch'/wp-admin/admin-ajax.php',method:'POST', headers: 'Content-Type':...
Darcie < 1.1.6 - Reflected XSS
The theme does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Read More Excerpt Link < 1.6.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Wholesale Suite < 2.1.5.1 - Subscriber+ Missing Authorization for Plugin Settings Change
The plugin does not adequately authorize settings changes, allowing users with a role as low as Subscriber to update plugin settings...
WP Google Tag Manager <= 1.1 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request...
WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR
The plugin does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users. PoC R...
Paid Memberships Pro < 2.9.12 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query. PoC While logged in as a subscriber, send the following request: await fetch'/wp-admin/admin-ajax.php',method:'POST', headers: 'Content-Type':...
Dashboard Widgets Suite < 3.2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
GN Publisher < 1.5.6 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...
Maspik – Spam blacklist < 0.7.9 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions in the file /admin/partials/contact-forms-anti-spam-log.php against CSRF attacks, allowing an unauthenticated attacker to clear plugin logs and stat counter by tricking a logged in user to submit a crafted request...
WP Meta SEO < 4.5.3 - Subscriber+ SQLi
The plugin does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users. PoC Run the following js code in your web console on the dashboard as a subscriber: fetch 'admin-ajax.php', method: 'POST', headers:...
WP Meta SEO < 4.5.4 - Subscriber+ SiteMap Settings Update
The plugin does not have authorisation check when updating its SiteMaps settings, which could allow any authenticated users, such as subscriber to update them...
Sp*tify Play Button for WordPress < 2.06 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Feed Them Social <= 3.0.2 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged in admins perform such action via a CSRF attack...
All in One SEO Pack < 4.3.0 - Admin+ Stored XSS
The plugin does not sanitise and escape multiple parameters, which could allow high privilege users such as admin to perform Stored XSS attacks even when unfilteredhtml is disallowed...
Chat Bee <= 1.1.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
All in One SEO Pack < 4.3.0 - Contributor+ Stored XSS
The plugin does not sanitise and escape multiple parameters, which could allow users with a role as low as contributor to perform Stored XSS attacks...
WP Meta SEO < 4.5.4 - Subscriber+ Google Analytics Settings Update
The plugin does not have authorisation check when updating its Google Analytics settings, which could allow any authenticated users, such as subscriber to update them...
The Post Grid <= 5.0.4 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged-in admins perform such action via a CSRF attack...
CPT - Speakers <= 1.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ReviewX < 1.6.4 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rxexportreview AJAX action available to any authenticated users, leading to a SQL injection exploitable by users with a role as low as subscriber PoC Run the...
Simple Portfolio Gallery <= 0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Admin Block Country <= 7.1.4 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions in the adminblockcountryinitialpage function against CSRF attacks, allowing an attacker to modify country blocks or methods on their behalf by tricking a logged in administrator to submit a crafted request...
VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers PoC Make a logged in admin open the below URL using web browser which does not encode characters...
Organization chart < 1.4.5 - Multiple CSRF
The plugin does not have CSRF checks in some places, for example when updating/deleting/duplicating popups, tree and themes from the plugin, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
TypeSquare Webfonts for ConoHa < 2.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Simple YouTube Responsive < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
The plugin does not validate the url parameter of its uploadimagefromurl AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation granted they an upload a file to the server and a suitable gadget chain is present as well PoC 1. Create a malicious phar file. 2...
CM Answers < 3.2.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ChatBot < 4.3.0 - Settings Reset via CSRF
The plugin does not have CSRF check when resetting its settings, which could allow attackers to make logged in admin perform such action via a CSRF attack...
For the visually impaired <= 0.58 - Cross-Site Request Forgery (CSRF)
The plugin does not protect its vipluginsetupmenu function against CSRF attacks, allowing an unauthenticated attacker to update plugin settings by tricking a logged in user to submit a crafted request...
Custom Login Page <= 2.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
GoToWP <= 5.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC registermeeting type='"...
Auto Affiliate Links < 6.3.0.3 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.3 - Cross-Site Request Forgery (CSRF)
The plugin does not protect its settingspage action against CSRF attacks, allowing an attacker to update the plugin settings on their behalf by tricking a logged in admin to submit a crafted request...
Hero Banner Ultimate <= 1.3.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Top 10 < 3.2.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Accordions < 2.3.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Saan World Clock <= 1.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wclock tz='" onmouseover="alert1"...
React Webcam <= 1.2.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC reactwebcam dir='" onmouseover="alert1"...
Educare – Students & Result Management System <= 1.4.2 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions against CSRF attacks, allowing an attacker to perform actions on their behalf by tricking a logged in high privileged user to submit a crafted request...
WP OAuth Server < 4.3.0 - Subscriber+ Arbitrary Client Deletion
The plugin has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client. PoC Run the below command in the developer console of the web browser while being on the blog as any authenticated users, such as...
GetResponse for WordPress <= 5.5.31 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC grwebform center='on'...
Advanced Database Cleaner <= 3.1.1 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged-in admins perform such action via a CSRF attack...
WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack. PoC fetch'/wp-admin/admin-ajax.php', method: 'POST', header...
ProfilePress < 4.5.5 - Reflected XSS
The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Minify HTML <= 2.1.7 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Japanized For WooCommerce < 2.5.5 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=wc4jp-options=a...
real.Kit < 5.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC modal open='1' class='"...