14603 matches found
WP Memory < 2.46 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org PoC Run the below command in the developer console of the web browser while being on the blog as ...
Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion
The plugin does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. PoC wpajaxshopoptionsajax hook calls shopoptionsajax function without nonce and without access control update shipping method name 0 shipping method id...
Betheme < 26.6 - Contributor+ PHP Object Injection
The plugin unserializes user input provided via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfnbuilderimport, mfnbuilderimportpage, importdata, importsinglepage, and importfromclipboard functions. This could allow users with a role as low as contributor t...
AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org PoC Run the below command in the developer console of the web browser while being on the blog as ...
Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection
The plugin does not properly validate or sanitize the recipeargs parameter before unserializing it in the cookedloadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
Dokan < 3.7.6 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users PoC Setup: - Install WooCommerce dependency, no setup required - Install the plugin, complete the wizard no special configuration was...
StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org PoC Run the below command in the developer console of the web browser while being on the blog as ...
Motors - Car Dealer, Classifieds & Listing < 1.4.4 - Arbitrary File Upload
The plugin does not properly validate uploaded files for dangerous file types such as .php in an AJAX action, allowing an attacker to sign up on a victim's WordPress instance, upload a malicious PHP file and attempt to launch a brute-force attack to discover the uploaded payload. PoC This PoC was...
Betheme < 26.6.3 - Subscriber+ Unauthorised Action
The plugin does not have authorisation in some areas, which could allow any authenticated users, such as subscriber to perform unauthorised action...
Booster for WooCommerce - Custom Role Creation/Deletion via CSRF
The plugins does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks PoC To delete the custom role dj it's possible to delete roles created by other plugins, make a logged in admi...
Jetpack CRM < 5.4.3 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. In the settings of the plugin, in the three input boxes are named "Second Address Label", "Login...
Car Dealer < 3.05 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org PoC Run the below command in the developer console of the web browser while being on the blog as ...
WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable. PoC Run the below command in the developer console of the web browser while being on t...
All In One WP Security & Firewall < 5.0.8 - IP Spoofing
The plugin is susceptible to IP Spoofing attacks, which can lead to bypassed security features like IP blocks, rate limiting, brute force protection, and more. PoC Set HTTPXREALIP or HTTPXFORWARDEDFOR used in getuseripaddress to bypass IP-based blocks...
Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks PoC add new payment method with XSS exploit: fetch'http://localhost/tester-wp/wp-admin/admin-ajax.php', method: 'POST', headers: ne...
Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload
The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE PoC Upload a File: The response give the path to the file uploaded:...
Icegram Express < 5.5.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Open the below URL when logged in as a subscriber and notice the 5s delay...
Livemesh Addons for Elementor < 7.2.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Enter the setting page of this plugin. 2...
User Registration < 2.2.4.1 - Subscriber+ Arbitrary File Upload
The plugin does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files for example. PoC The following Python script automates the exploitation of this plugin by...
Quizlord <= 2.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Quizlord » Add a quiz 2. In the...
Plugin for Google Reviews < 2.2.3 - Subscriber+ Widget Creation
The plugin does not have proper authorisation when creating widgets, which could allow users with a role as low as subscriber to create widgets...
WordPress Popular Posts < 6.1.0 - Unauthenticated Views Manipulation
The plugin does not validate some user inputs via a REST endpoint, which could allow unauthenticated users to update the number of views of articles...
Ultimate Tables <= 1.6.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting...
Flat PM < 3.0.13 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC v 3.0.13 the blockid needs to start with an existing block ID...
News Announcement Scroll < 9.0.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Chameleon < 1.4.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Buddybadges <= 1.0.0 - Admin+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users PoC https://example.com/wp-admin/options-general.php?page=buddybadge&wpedit=b2f9b59706=1+AND+SELECT+7741+FROM+SELECTSLEEP10hlAf...
WooSwipe WooCommerce Gallery <= 2.0.1 - Subscriber+ Settings Update
The plugin does not have any authorisation when updating its settings, which could allow any authenticated users, such as subscriber to update them PoC POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0...
iFeature Slider <= 1.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
Export Users With Meta <= 0.6.10 - Subscriber+ CSV Injection
The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection...
GetYourGuide Ticketing < 1.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Navigate toward the GYG Ticketing and GYG...
Crowdsignal Dashboard < 3.0.10 - Contributor+ Rating Settings Update
The plugin does not have proper authorisation, which could allow users with a role as low as contributor to update the rating settings...
Anthologize < 0.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its project parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Betheme < 26.6 - Subscriber+ PHP Object Injection
The plugin unserialize user input, which could allow low privilege users such as subscriber to perform PHP Object Injection when a suitable gadget is present...
Essential Real Estate < 3.9.6 - Reflected Cross-Site-Scripting
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks. PoC https://example.com/wp-admin/admin-ajax.php?action=erepropertygalleryfillterajaxgap=%22%3E%3Cscript%3Ealert%22xss%22;%3C/script%3E%3C!--...
WooCommerce Shipping - DPD baltic < 1.2.11 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Put the following payload in the Name field o...
Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR
The plugin suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own. PoC The following Python script automates the exploitation of this vulnerability. The script was tested on an installation of WordPress 6.1 with the vulnerable...
Donation Button <= 4.0.0 - Contributor+ Stored XSS
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. PoC Put the following shortcode in a blog post: paypaldonationbutton align='center" onmouseover="alert1'...
Easy Form Builder < 3.4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Navigate to New Form » go to the Settings...
Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
The plugin does not properly check for privileges and nonce tokens in its "donationbuttontwiliosendtestsms" AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers. PoC While...
Image Hover Effects < 5.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Go to the plugin settings Image Hover Effects...
Permalink Manager Lite < 2.2.20.2 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Helloprint < 1.4.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC Make a logged in admin open the following URL: https://example.com/wp-admin/admin.php?page=language-translate.php=added"...
WP Affiliate Platform < 6.4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Chaty < 3.0.3 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin. PoC...
Transposh WordPress Translation <= 1.0.8 - Settings Update via Authorization Bypass
The plugin does not properly check for its "Who can translate" settings when the auto translate is enabled which is the default, which could allow unauthenticated attackers to update settings...
Becustom < 1.0.5.3 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Feed Them Social < 3.0.1 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Stored Cross-Site Scripting attacks...
Follow Me Plugin <= 3.1.1 - Stored XSS via CSRF
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR
The plugin does not ensure that the wallet to lock/unlock belongs to the user making the request, allowing any authenticated users, such as subscriber to lock/unlock arbitrary wallets via an IDOR attack...