14603 matches found
WordPress Filter Gallery Plugin < 0.1.6 - Admin+ Stored XSS
The plugin does not properly escape the filters passed in the ufggalleryfilters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfilteredhtml capability is disabled. P...
All-in-One Addons for Elementor - WidgetKit < 2.4.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Go to WidgetKit - API Keys, put the following...
WP User <= 7.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP-Ban < 1.69.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to the plugin settings and set these...
WP Smart Import < 1.0.3 - Reflected Cross-Ste Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
Build App Online < 1.0.19 - Unauthenticated SQL Injection
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection PoC Additional plugins required: https://wordpress.org/plugins/wc-multivendor-marketplace/...
YITH WooCommerce Gift Cards < 3.20.0 - Unauthenticated Arbitrary File Upload
The plugin does not validate files to be uploaded, allowing unauthenticated attackers to upload arbitrary files, such as PHP...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. PoC Exploit 1:...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the addCountS POST parameter before concatenating it to an SQL query in 4activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080...
Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection
The plugin does not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. PoC POST...
Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access
The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server. PoC Run the below command in the developer console of th...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the optionid POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
GD bbPress Attachments < 4.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgdeactivate and cgactivate POST parameters before concatenating it to an SQL query in 2deactivate.php and 4activate.php, respectively. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC Exploit...
Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection
The plugins do not escape the userid POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Click the 'Settings' button of this plugin...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgmultiplefilesforpost POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the cgoptionid POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. PoC POST...
Booster for WooCommerce - Reflected Cross-Site Scripting
The plugins do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgorder POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php...
Multiple YITH WooCommerce plugins - Cross-Site Scripting via shortcode ajax
Multiple plugins from YITH does not protect its ajax actions against CSRF attacks, allowing an attacker to trick a logged in user to perform actions on their behalf by submitting a crafted request...
Contest Gallery < 19.1.5.1 - Author+ SQL Injection
The plugins do not escape the upload POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation
The plugin does not validate user input before using it in fileexist functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present...
Contest Gallery < 19.1.5 - Unauthenticated SQL Injection
The plugins do not escape the cgFields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:808...
Loginizer < 1.7.6 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin...
Contest Gallery < 19.1.5.1 - Author+ SQL Injection
The plugins do not escape the cgid POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php?page=/index.phpgallery=1=...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgrow POST parameter before concatenating it to an SQL query in 3row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080...
Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access
The plugin does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server This is a different issue than CVE-2022-41840 PoC...
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain PoC To simulate a gadget chain, put the following code in a plugin class Ev...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopystart POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the optionid POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopyid POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the optionid GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE PoC 1. Install and activate woocommerce dependency, no setup required 2. Install and activate the...
2kb Amazon Affiliates Store <= 2.1.5 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
Advanced Booking Calendar <= 1.7.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
Chained Quiz < 1.3.2.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the dn parameter before outputting it back in the chainedquizlist page, leading to a Reflected Cross-Site Scripting...
Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR
The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. PoC POST /testt/wp-admin/admin-ajax.php HTTP/...
Chained Quiz < 1.3.2.5 - Arbitrary Question Deletion via CSRF
The plugin does not have CSRF check when deleting questions, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Plugin Logic < 1.0.8 - Admin+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC POST /wp-admin/network/plugins.php?page=plugin-logic=options%20union%20SELECT%20SLEEP16%3b%23 HTTP/1.1 Content-Type:...
Chained Quiz < 1.3.2.3 - Admin+ Stored XSS
The plugin does not sanitise and escape its facebookappid and apikey settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ImageInject <= 1.17 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC POST...
Chained Quiz < 1.3.2.4 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ip and date parameters before outputting them back in the chainedquizlist page, which could lead to reflected Cross-Site Scripting...
Chained Quiz < 1.3.2.5 - Arbitrary Quiz Deletion & Copying via CSRF
The plugin does not have CSRF checks when deleting and copying quiz, which could allow attackers to make logged in admins perform such actions via CSRF attacks...
Chained Quiz < 1.3.2.1 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ipf, emailf, dnf, pointsf and datef parameters before outputting them back in the chainedquizlist page, leading to a Reflected Cross-Site Scripting...
WP Google Review Slider < 11.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC POST /wp-admin/admin-ajax.php?fsblogadmin=tru...
Simple Basic Contact Form < 20221201 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "Settings » Contact Form » Plugin...
Chained Quiz < 1.3.2.5 - Submitted Quiz Response Deletion via CSRF
The plugin does not have CSRF checks when deleting submitted quiz response, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Advanced Booking Calendar <= 1.7.1 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Afterpay Gateway for WooCommerce < 3.5.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the orderToken parameter before outputting it back in the page via an error message, leading to a Reflected Cross-Site Scripting...