14603 matches found
Comic Book Management System < 2.2.0 - Admin+ SQLi
The plugin does not sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. PoC https://example.com/wp-admin/admin.php?page=cbmsweeklypicksadmin=updatepicks=1+AND+SELECT+7741+FROM+SELECTSLEEP3hlAf POST...
WordPress Countdown Widget < 3.1.9.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Advanced Import < 1.3.8 - Arbitrary Plugin Installation & Activation via CSRF
The plugin does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks PoC Make a logged in admin open a page containing the HTML cod...
WP Affiliate Platform < 6.4.0 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
WP Affiliate Platform < 6.4.0 - Affiliate Record Deletion via CSRF
The plugin does not have CSRF checks when deleting affiliate records, which could allow attackers to make logged in admins to delete arbitrary record via a CSRF attack...
Photospace Gallery <= 2.3.5 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Feed Them Social < 3.0.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Workreap - Freelance Marketplace and Directory < 2.6.3 - Subscriber+ Private Message Disclosure via IDOR
The theme has a vulnerability with the notifications feature as it's possible to read any user's notification employer or freelancer as the notification ID is brute-forceable. PoC POST /testt/wp-admin/admin-ajax.php HTTP/2 Host: host Cookie: Content-Type: application/x-www-form-urlencoded;...
Broken Link Checker < 1.11.20 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Youtube API K...
AdRotate Banner Manager < 5.9.1 - Password Change via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make a logged admin change their password via CSRF attacks...
PostmagThemes Demo < 1.0.8 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files such as PHP leading to RCE. PoC 1. Go to Appearance » Import Demo Data » Manual demo files upload » Run "Choose a JSON file for customizer import" and import a PHP file. 2. Click...
Add Comments <= 1.0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC POST...
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
The plugin is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options. PoC - Install the plugin and set the API creds to: - Key:...
Advanced WP Columns <= 2.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Put the following payload in the plugin setti...
Uji Countdown <= 2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the settings of the plugin add the...
WP Page Builder <= 1.2.8 - Admin+ Stored Cross-Site
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Navigate to Setting » add the payload: ", int...
S2W - Import Shopify to WooCommerce < 1.1.13 - Admin+ Arbitrary File Access
The plugin does not validate files to be accessed, which could allow high privilege users such as admin to read arbitrary files from the server...
WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF
The plugin does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID PoC Make a logged in admin open a page containing the HTML code below. This will regenerate the secret for...
WP CSV Exporter < 1.3.7 - Admin+ SQLi
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high privilege users such as admin to perform SQL injection attacks PoC As an admin, go to Tools CSV Export, leave everything as default and click on Export POSTS CSV Intercept the...
Simple Video Embedder <= 2.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
WPML < 4.5.11 - Subscriber+ Translation Job Status Update
The plugin does not have authorisation when updating the status of translation jobs, which could allow any authenticated users, such as subscriber to perform such action...
WPML < 4.5.14 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as change the status of a translation job...
WPML < 4.5.11 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating the selected language for legacy widgets and default behaviour for media content settings, which could allow any authenticated users, such as subscriber to update them...
Better Messages < 1.9.10.71 - Subscriber+ Messaging Block Bypass
The plugin does not properly block messages, which could allow subscriber and above role to bypass the block system in place...
REST API Authentication < 2.4.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Seed Social < 2.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Put the following payload in any of the...
Blog2Social < 6.9.12 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
Salon Booking System < 7.9.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
5 Anker Connect < 1.2.7 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
3DPrint < 3.5.6.9 - Arbitrary File and Directory Deletion via CSRF
Description The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into...
Theme-Demo-Importer < 1.1.1 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files such as PHP even when FILEMODS and FILEEDIT are disallowed. PoC 1. Navigate to: Appearance Import Demo Content Theme Demo Importer Manually upload the demo files 2. Use the XML...
Form Vibes < 1.4.5 - Admin+ SQLi
The "deleteentries" function does not filter parameters from the request. This leads to an SQL Injection vulnerability. PoC - Create a submission using the Contact From 7 plugin. - On the Form Vibes tab in the dashboard, click "submissions" and implement the delete function on an entry. -...
WP OAuth Server < 4.2.2 - Admin+ Stored XSS
The plugin does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Edit a client "OAuth Server Clients and put the followin...
HTML Forms < 1.3.25 - Admin+ SQLi
The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users PoC Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms=editid=formID=submissions Capture the request after...
Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection
The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present PoC To simulate a gadget chain, put the following code in a plugin class Evil public function wakeup : void...
Testimonial Slider <= 1.3.1 - Stored XSS via CSRF
The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
WPSmartContracts < 1.3.12 - Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author PoC Logon as an author and open the following URL, which will result in a delayed response...
LoginPress < 1.6.3 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks when updating its Opt-In and Opt-Out tracking settings, which could allow any unauthenticated users to update them...
Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update
The plugin does not have authorisation check when updating its settings, which could allow unauthenticated users, such as subscriber to update them such as the change the MailChimp API key, 404 page settings etc...
WP Admin UI Customize < 1.5.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "WP Admin UI Customize" » "Login...
Donations via PayPal < 1.9.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Click the 'Settings' button of this plugin...
Jeg Elementor Kit < 2.5.7 - Subscriber+ Authorization Bypass
The plugin does not properly authorize requests to various ajax actions, allowing authenticated users with roles as low as subscriber to create header templates and make additional changes to the site using an easily available nonce value...
Beautiful Cookie Consent Banner < 2.9.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC The PoC will be displayed once the issue has...
Find and Replace All < 1.3 - Reflected Cross Site Scripting
The plugin does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue. PoC...
4ECPS Web Forms <= 0.2.17 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Fancier Author Box by ThematoSoup <= 1.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Open the setting page of this plugin. 2...
Analytics for WP <= 1.5.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the Settings page of this plugin, in th...
VR Calendar < 2.3.4 - Calendar Deletion/Update & Settings Update via CSRF
The plugin does not have CSRF checks when deleting and updating calendars, as well as updating the plugin settings, which could allow attackers to make logged a admin delete and update arbitrary calendars and modify the plugin settings via CSRF attacks...
Image Hover Effects Css3 <= 4.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Hover Effects » Hover Effects » Add...
reCAPTCHA <= 1.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. On the setting page of this plugin, enter...