14603 matches found
ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting via Form Settings
The plugin does not sanitize and escape several form fields before outputting them to pages on the site, allowing authenticated admin+ users to inject arbitrary web scripts even when unfiltered html has been disabled such as in a multisite setup...
ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the ‘wpusercoverdefaultimageurl parameter before outputting it to the pages on the site, allowing an authenticated admin+ user to inject arbitrary web scripts even when unfilteredhtml has been disabled such as in a multisite setup...
WP Spell Check < 9.13 - Ignored Word Deletion via CSRF
The plugin does not have CSRF check in place when deleting ignored words, allowing attacker to make a logged in admin delete them via a CSRF attack PoC Make a logged in admin open https://example.com/wp-admin/admin.php?page=wp-spellcheck-ignore.php=4...
MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
The plugin does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics. PoC 1. Open a WP page with the plugin and Google analytics installed and search for...
Welcart e-Commerce < 2.8.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack. PoC 1. Add a product item to the plugin. The item name, for example, "first". You will also use this in the...
Show All Comments < 7.0.1 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. PoC Visit the following URL authenticated or not to trigger an alert box:...
Real Cookie Banner < 3.4.10 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. PoC Exploit shortcode: rcb-consent class='"...
User Post Gallery <= 2.19 - Unauthenticated RCE
The plugin does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it. PoC Invoke the following curl command to execute the "id" command via PHP's exec function: curl -i...
Link Library < 7.4.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Install the plugin and go to:...
ConvertKit < 2.0.5 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins. PoC...
WP Spell Check < 9.13 - Admin+ Stored Cross-Site Scripting
The plugin does not escape ignored words, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Add a word to ignore via...
Themify Portfolio Post < 1.2.1 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin. PoC Explo...
MashShare < 3.8.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...
Greenshift – animation and page builder blocks < 4.8.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Exploit shortcode: wpreusablerender id='2' ajax='true' height='100px;width:100px;background:red;"...
Anti-Malware Security and Brute-Force Firewall < 4.21.86 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC 1. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Font Awesome < 4.3.2 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. PoC Exploit shortcode: icon...
Real Testimonials < 2.6.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
Carousel, Slider, Gallery by WP Carousel < 2.5.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
3D FlipBook < 1.13.3 - Contributor+ Stored XSS
The plugin does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like administrators. PoC 1. As an administrator,...
Woo Products Widgets For Elementor < 1.0.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC 1. Install WooCommerce and add a product...
Fontsy <= 1.8.6 - Multiple Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC curl -i 'http://example.com/wp-admin/admin-ajax.php?action=getfonts' \ --data 'id=1 AND SELECT 1 FROM...
Sidebar Widgets by CodeLights <= 1.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Insert the following shortcode in a post...
WCK < 2.3.3 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC 1. Create/edit a Post Type via the plugin...
Click to Chat < 3.18.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
Page Scroll To ID < 1.7.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Put the...
WP Attachments < 5.0.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Put the following payload in the "List Head" ...
JetWidgets For Elementor < 1.0.14 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC jw-posts showimage='yes'...
Seriously Simple Podcasting < 2.19.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC 1. Create...
Simple Membership < 4.2.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. PoC 1. Exploit...
Images Optimize and Upload CF7 <= 2.1.4 - Unauthenticated Arbitrary File Deletion
The plugin does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack. PoC 1. Install contact-form-7 dependency 2. Install the vulnerable plugin...
Mesmerize Companion < 1.6.135 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Required...
WOOCS < 1.3.9.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC...
WOOCS < 1.3.9.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC...
WP Pipes < 1.4.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Download Manager < 3.2.62 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. PoC 1. “Enable modal login form” option in the...
Ibtana – WordPress Website Builder < 1.1.8.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack PoC Exploit shortcode: ive t='2100-01-01' id='" onmouseover="alert1" style="background:red;"'...
Metricool < 1.18 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the settings page of the plugin, add th...
WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users such as high-privilege ones like admin. PoC 1. Create a new calendar in the plugin's...
Table of Contents Plus < 2212 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC toc...
Jetpack CRM < 5.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins PoC As a...
Slimstat Analytics < 4.9.3 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs PoC As an unauthenticated user, open the following URL https://example.com/?s=" The XSS will b...
Mautic Integration For WooCommerce < 1.0.3 - Arbitrary Options Update via CSRF
The plugin does not have proper CSRF check when updating settings, and does not ensure that the options to be updated belong to the plugin, allowing attackers to make a logged in admin change arbitrary blog options via a CSRF attack. The attack could also be performed via a LFI if one is present ...
WP Recipe Maker < 8.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. PoC Exploit...
Sidebar Widgets by CodeLights <= 1.4 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize or escape the Extra CSS class parameter, allowing high privileged users, such as an administrator to inject arbitrary web scripts into pages, even when the unfiltered html capability is disabled e.g in multisite setups...
Bg Bible References <= 3.8.14 - Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. PoC Steps to reproduce: 1. Install the vulnerable plugin bg-biblie-references 3.18.4 2. As an unauthenticated or authenticated user, visit the following URL...
Multi Step Form < 1.7.8 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Create/edit a Form via the plugin. 2...
iPanorama 360 WordPress Virtual Tour Builder < 1.6.30 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Create a new panorama item with whatever role, even if it's an Administrator. 2...
Starter Templates by Kadence WP < 1.2.17 - Admin+ PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin: class Evil...
ActiveCampaign for WooCommerce < 1.9.8 - Subscriber+ Error Log Cleanup
The plugin does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. PoC Run the below command in the developer console of the web browser while being on the blog as a...
Logo Slider < 3.6.0 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Note: First, you need to add a Logo...