14603 matches found
ImageLinks Interactive Image Builder for WordPress < 1.5.4 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Create a new vision item with whatever role, even if it's an Administrator. 2...
Vision Interactive For WordPress < 1.5.4 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Create a new vision item with whatever role, even if it's an Administrator 2...
iPages Flipbook For WordPress < 1.4.7 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Create a new book item with whatever role, even if it's an Administrator. 2...
WP CSV <= 1.8.0.0 - Reflected XSS via CSV Import
The plugin does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, and doe snot have CSRF checks in place as well, leading to a Reflected Cross-Site Scripting. PoC Create a .txt file and the below line there: $ echo "" Make a logged in admin import the...
WP CSV to Database <= 2.6 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Post Status Notifier Lite < 1.10.1 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high privilege users such as admin. PoC Make a logged in high privilege user such as admin open the URL below...
404 to Start <= 1.6.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the settings of the plugin,...
Permalink Manager Lite < 2.3.0 - Authenticated Stored XSS
The plugin does not escape page/post and media titles, which could allow attackers to perform Stored XSS attacks when another plugin/theme allowing low privilege users to modify such titles is active on the blog as well...
Mega Addons For WPBakery Page Builder <= 4.2.7 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
ipBlockList <= 1.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WP Table Reloaded <= 1.9.4 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. PoC Explo...
WPQA < 5.9.3 - Missing validation lead to functionality abuse
The plugin which is a companion plugin used with Discy and Himer themes incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them. PoC...
Image Hover Effects Ultimate 9.8.1-9.8.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
Description WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. PoC...
WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection
The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC action=importsettings=O%3a4%3a%22Evil%22%3a0%3a%7b%7d%3b=6960d7bb50...
Launchpad <= 10.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Web Invoice <= 2.1.3 - Authenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well PoC...
WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection PoC Extract the nonce from the index page search for "wpautosearchconfig", look for the "nonce" field Invoke the...
WP Cerber < 9.3.3 - User Enumeration Bypass via Rest API
The plugin does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users PoC When the "Block access to users' data via REST API" settings is enabled...
Launchpad <= 1.0.13 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin
The plugin does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as editplugins etc PoC Run...
Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download
The plugin does not validate user input against path traversal attacks, allowing high privilege users such as admin to download arbitrary logs from the server even when they should not be able to for example in multisite PoC First call...
Web Invoice <= 2.1.3 - Authenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well PoC...
Multimedial Images <= 1.0b - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. PoC https://example.com/wp-admin/options-general.php?page=mmi=delbg=33+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download
The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. PoC 1. Install woocommerce dependency, no setup required 2. Install the vulnerable plugin...
LetsRecover < 1.2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC GET /checkout/order-received/30/?key=wcorderKwss5kjkrhgKG HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11;...
Quote-O-Matic <= 1.0.5 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC https://example.com/wp-admin/edit.php?page=quote-o-matic.php=qomID+AND+SELECT+3477+FROM+SELECTSLEEP5DhVP...
WP User <= 7.0 - Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. PoC 1. As an unauthenticated user, visit the "Sign Up" page by default, this is /?pageid=5, or /user/ 2. Extract the...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=wsysadminfeeds=delete=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Image Optimizer, Resizer and CDN < 6.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Step 1: Install the plugin and register for a...
Team Members < 5.2.1 - Editor+ Stored XSS
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in a multisite setup. PoC 1. Go to the "Teams" section » add a ne...
WP-Lister Lite for Amazon < 2.4.4 - Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high-privilege users such as admin. PoC 1. Install and activate WooCommerce dependency, no setup required 2. Install and activate the...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=wsysadminpublishers=delete=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=letsrecover-manual-notificationid=111+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Woocommerce Vietnam Checkout < 2.0.5 - Reflected XSS
The plugin does not sanitise and escape the from and to parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Visual Email Designer for WooCommerce < 1.7.2 - Multiple Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. PoC action=INSERT HERE NAME OF...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=wsysadminrules=delete=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Superio - Job Board < 1.2.33 - Subscriber+ Stored Cross-Site Scripting
The theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Stored Cross-Site Scripting attacks. PoC As a candidate, add the following payload on the Social Network option: javascript:alert1 As a recruiter, access the candidate pag...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC POST /wp-admin/admin.php?page=letsrecover-templatesid=6id=10+AND+SELECT+5926+FROM+SELECTSLEEP5erUA HTTP/1.1 Host:...
Joy Of Text Lite < 2.3.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection PoC Invoke the following curl command to induce a 5 second sleep: time curl...
Qe SEO Handyman <= 1.0 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux x8664; rv:91.0 Gecko/20100101...
White Label CMS < 2.5 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Product list Widget for Woocommerce <= 1.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users such as high privilege one like admin. PoC Make any unauthenticated or authenticated user...
Qe SEO Handyman <= 1.0 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC POST /wp-admin/admin-post.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux x8664; rv:91.0 Gecko/20100101...
Panda Pods Repeater Field < 1.5.4 - Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission. PoC 1. Install Pods plugin dependency - https://wordpress.org/plugins/pods 2. Install...
WP Social Sharing <= 2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Settings » WP Social Sharing page of...
BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
The plugin suffers from an Insecure Direct Object Reference IDOR vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointmentid query parameter. PoC curl -s...
GC Testimonials <= 1.3.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
WP Calendar <= 1.5.3 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
Login with Cognito < 1.4.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "Cognito Login » Configure OAuth",...