14603 matches found
ARMember < 5.6 - Unauthenticated Privilege Escalation
The plugin could allow unauthenticated attackers to escalate themselves as admin...
Google Apps Login < 3.4.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to the setting page of this plugin. 2...
Afterpay Gateway for WooCommerce < 3.5.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters, allowing an attacker to trick a visitor to send a request with XSS payloads that will trigger when they visit the site...
Paytium < 4.3.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Playtium » Settings and in the 'Test...
Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Access
The plugin does not validate some user input used to generate paths, which could allow high privilege users such as admin to access arbitrary files even when they should not be able to, for example in multisite via a traversal attack...
Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Deletion
The plugin does not validate some user input used to generate paths, which could allow high privilege users such as admin to delete arbitrary files even when they should not be able to, for example in multisite via a traversal attack...
Custom Product Tabs for WooCommerce < 1.8.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Sliderby10Web < 1.2.53 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "Slider » Sliders" and edit one of...
Advanced Coupons for WooCommerce Coupons < 4.5.0.1 - Notice Dismiss via CSRF
The plugin does not have CSRF check when dismissing notices, which could allow attackers to make logged in users dismiss the Getting Started notice via a CSRF attack...
Eventify <= 2.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Settings » Eventify. 2. Under...
Easy WP SMTP < 1.5.2 - Admin+ RCE
The plugin could allow high privilege users such as admin to perform RCE even when they should not be able to for example in multisite setups...
Quiz and Survey Master < 8.0.5 - Unauthenticated iFrame Injection
The plugin does not sanitise and escape the questionid parameter, which could allow unauthenticated users to perform iFrame injection attack...
Simple:Press < 6.8.1 - Unauthenticated Stored XSS via Forum Replies
The plugin does not sanitise and escape the postitem parameter when posting a forum reply, which could allow unauthenticated users to perform Stored XSS attacks...
Appointment Hour Booking < 1.3.73 - CAPTCHA Bypass
The plugin does not have a strong hashing algorithm on the CAPTCHA secret, and displays it to the user via a cookie, which could allow them to bypass the protection in place...
Simple:Press < 6.8.1 - Subscriber+ Arbitrary File Deletion
The plugin does not validate a file parameter when a user delete its avatar, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server...
Simple:Press < 6.8.1 - Admin+ Arbitrary File Update
The plugin does not validate files to be updated, which could allow high privilege users such as admin to update arbitrary files and not just the one allowed by the plugin...
Quiz and Survey Master < 8.0.5 - Improper Input Validation
The plugin does not properly validate the questionid parameter, which could allow attackers to send values other than the expected type...
WP CSV Exporter < 1.3.7 - CSV Injection
The plugin does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability. PoC - create a post using =5+5 as the title - export the data as CSV - open the CSV with a spreadsheet application Excel, Libre Office - the CSV formula gets executed...
Appointment Hour Booking < 1.3.73 - CSV Injection
The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection...
Menu Item Visibility Control <= 0.5 - Admin+ Arbitrary PHP Code Execution
The plugin doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment. PoC 1. As an admin, go to "Appearance - Menus" and create a menu with some items of your choice...
Appointment Hour Booking < 1.3.73 - Unauthenticated iFrame Injection
The plugin does not sanitise and escape the email and general field parameters, which could allow unauthenticated users to perform iFrame injection attack PoC As an unauthenticated user, submit a booking and put an iFrame payload in the email/general field parameter The iFrame will be executed wh...
Simple:Press < 6.8.1 - Subscriber+ Stored XSS via Profile Signatures
The plugin does not sanitise and escape the postitem parameter when modifying profile signatures, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks...
FlyingPress < 3.9.7 - Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscribers to call them. One of those actions could allow them to rewrite static files URL JS, CSS etc to a malicious CDN under their control, which could lead to XSS...
JobBoardWP < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP. PoC Setup: 1. Install the vulnerable plugin jobboardwp version 1.2.1 2. In the toast message that appears on the plugin's...
WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have authorisation check when activating plugins via an action hooked to init, which could allow unauthenticated attackers to deactivate arbitrary plugins from the blog...
JoomSport < 5.2.8 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users PoC 1. Install the vulnerable plugin joomsport-sports-league-results-management version 5.2.6, skip the demo data import when prompted...
Theme and plugin translation for Polylang < 3.2.17 - Unauthenticated Translation Settings Update
The theme does not have authorisation in the processpolylangthemetranslationwploaded function, which could allow unauthenticated attack to update translation settings, as well as import arbitrary translations...
Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download
The plugin does not validate user input used to generate system path, allowing high privilege users such as admin to download arbitrary file from the server even when they should not be able to for example in multisite PoC First call...
Manage Notification E-mails < 1.8.3 - Settings Reset via CSRF
The plugin does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack...
Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure
The plugin does not prevent users with low privileges like subscribers from accessing sensitive system information. PoC fetch'http://wpscan.local/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', , body: 'action=sendsysteminfo',...
InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE
The plugin insecurely uses PHP's extract function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. PoC Invoke the following shell commands to disclose the /etc/passwd file: Define the payload "pagepath"...
Photo Gallery < 1.8.3 - Stored XSS via CSRF
The plugin does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control. Note: The XSS will only trigger for the...
Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download
The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. Note: v1.0.7 added capability check, making the issue still exploitable by high privilege users such a...
SEO Plugin by Squirrly SEO < 12.1.11 - Contributor+ Arbitrary File Upload
The plugin does not validate files to be uploaded, which could allow users with a role as low as contributor to upload arbitrary files such as PHP...
Popup Manager <= 1.6.6 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well PoC fetch'/wp-admin/admin-ajax.php', method: 'POST',...
Popup Manager <= 1.6.6 - Unauthenticated Arbitrary Popup Deletion
The plugin does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them PoC As an unauthenticated users, or via CSRF: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Better Click to Tweet < 5.10.4 - Settings Update via CSRF
The plugin lacks CSRF protection when updating the bctt-twitter-handle option, allowing an attacker to change the plugin settings by tricking a logged in admin to submit a form. PoC curl -b .cookies -d bctt-twitter=$NEWHANDLE 'https://example.com/wp-admin/?page=bctt-welcome=welcome'...
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
The plugin does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts PoC Invoke the following curl command to delete the user user id 2 curl https://example.com/wp-admin/admin-ajax.php...
WP ULike < 4.6.5 - Unauthenticated Rating Tampering via Race Condition
The plugin is affected by a race condition which could allow unauthenticated attackers to increase and decrease ratings...
Contest Gallery < 14.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
Flowplayer Video Player < 1.0.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put, the following shortcode in a page/post flowplayer...
Easy Video Player < 1.2.2.3 - Contributor+ Stored XSS
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. PoC 1. Add a new post and add the payload there: evpembedvideo url='" onerror=alert/XSS/ "' 2. Preview the post, and the XSS will trigger...
Checkout for PayPal < 1.0.14 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the following shortcode in a page/post...
Videojs HTML5 Player < 1.1.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the following shortcode in a page/post videojsvideo...
All-In-One Security < 5.1.1 - Bulk Actions via CSRF
The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as delete arbitrary blocked IPs via CSRF attacks...
SMSA Shipping for WooCommerce < 1.0.5 - Subscriber+ Arbitrary File Download
The plugin does not have authorisation and proper CSRF checks, as well as does not validate the file to be downloaded, allowing any authenticated users, such as subscriber to download arbitrary file from the server PoC Open the following URL when being logged in as any user...
Responsive Lightbox2 < 1.0.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put, the following shortcode in a page/post lightbox2...
BeTheme < 26.6.3 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Stored Cross-Site Scripting attacks...
WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the following shortcode in a page/post...
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE PoC 1. As an unauthenticated user, navigate to the main WordPress page 2. Extract a valid nonce from the page source CTRL+F for "var wpdevart =", field...