14603 matches found
Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection
The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection PoC Use a Contact Form 7 form and submit an Excel formula in the message field, such as "=5+5" without quotes. Export the entry as CSV using the plugin and import it into Excel...
Web Stories < 1.25.0 - Subscriber+ Server Side Request Forgery
The plugin does not validate the url parameter passed to the v1/hotlink/proxy REST endpoint, allowing any authenticated users to perform SSRF attacks...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in various pages, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=grid-kit=edit=...
SEO Redirection Plugin < 9.1 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Image Hover Effects Ultimate < 9.7.2 - Authenticated Arbitrary Options Change
The plugin does not ensure that the options to be updated belong to the plugin, which could allow high privilege users to update arbitrary options even when they should not be allowed to...
SearchWP < 4.2.6 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
IP Blacklist Cloud Plugin <= 5.00 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
IP Blacklist Cloud Plugin <= 5.00 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
tagDiv Composer < 3.5 - Unauthenticated Account Takeover
Description The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address PoC Run the below command in the developer console of the web browser while being on the blog as an...
Traffic Manager <= 1.4.5 - Subscriber+ Stored Cross-Site Scripting
The plugin does not authorisation and does not sanitise as well as escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Phone Orders for WooCommerce < 3.7.2 - Subscriber+ Sensitive Data Exposure
The plugin disclose unspecified sensitive information to low privilege users such as subscriber...
Contact Form Entries < 1.3.0 - CSV Injection
The plugin does not validate data when its output in a CSV file, which could lead to CSV injection. PoC - Submit a form using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms using =5+5 as the value - Export the data as CSV /wp-admin/admin.php?page=vxcfleads - Open the CSV with a...
Quiz And Survey Master < 7.3.5 - Admin+ SQL Injection
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users...
OAuth Client by DigitialPixies <= 1.1.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions. PoC Make a logged in user visit a page with the following code fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type'...
WP Page Builder < 1.2.7 - Author+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks...
Quiz And Survey Master < 7.3.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting against users with a role as low as editor...
Quiz And Survey Master < 7.3.11 - Subscriber+ XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks...
Quiz And Survey Master < 7.3.11 - Bypass
The plugin is affected by an unspecified bypass issue...
Quiz And Survey Master < 7.3.11 - Sensitive Information Disclosure
The plugin discloses unspecified sensitive information...
Quiz And Survey Master < 7.3.7 - Multiple Author+ IDOR
The plugin does not properly check for authorisation, which could allow users with a role as low as author to perform unauthorised actions, such as delete and duplicate quiz they should not be able to...
Quiz And Survey Master < 7.3.5 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
OAuth Client by DigitialPixies <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Put the following payload in any of the...
Quiz And Survey Master < 7.3.5 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
Better Messages < 1.9.10.69 - Subscriber+ SSRF
The plugin does not validate a parameter before making a request to it, which could allow users with a role as low as subscriber to perform SSRF attacks...
Simple SEO < 1.8.13 - Sitemap Creation/Deletion via CSRF
The plugin does not have CSRF checks when creating and deleting sitemaps, which could allow attackers to make logged admins create and delete arbitrary sitemaps via CSRF attacks...
Welcart eCommerce < 2.7.8 - Unauthenticated Arbitrary File Access
The plugin does not validate user input used in a path, which could allow unauthenticated users to read arbitrary files via a traversal attack...
Advanced Order Export For WooCommerce < 3.3.3 - Export Files via CSRF
The plugin does not have CSRF check when exporting files, which could allow attackers to make a logged in admin perform such action via a CSRF attack...
Simple SEO < 1.8.13 - Subscriber+ Sitemap Creation/Deletion
The plugin does not have authorisation check when creating and deleting sitemaps, which could allow any authenticated users, such as subscriber to create and delete them...
reSmush.it Image Optimizer < 0.4.7 - Multiple CSRF
The plugin does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site. PoC...
Mantenimiento Web < 0.14 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP < 6.0.3 - CSRF in wp-trackback.php
Description There is no CSRF check in the wp-trackback.php which could allow attackers to make user perform unwanted actions via a CSRF attack...
WP < 6.0.3 - Stored XSS via the Customizer
Description WordPress does not escape some input in the Customizer, which could lead to Stored Cross-Site Scripting issue...
reSmush.it Image Optimizer < 0.4.4 - Subscriber+ AJAX Calls
The plugin lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. PoC Examples of actions where low-privileged users can directly ask - https://example.com/wp-admin/admin-ajax.php?action=resmushitbulkgetimages -...
Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins PoC curl -X POST --data "wmtvuninstall=1uninstallconfirm=1=akismet/akismet.php" https://example.com...
WP < 6.0.3 - Reflected XSS via SQLi in Media Library
Description WordPress does not properly escape input in the Media Library, which could lead to a Reflected Cross-Site Scripting issue...
WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
Description The REST Terms/Tags Endpoint does not have proper authorisation in place, which could allow unauthorised users to access sensitive information...
WP < 6.0.3 - Stored XSS via Comment Editing
Description WordPress does not properly escape comments, which could lead to Stored Cross-Site Scripting issues...
WP < 6.0.3 - Content from Multipart Emails Leaked
Description When sending multiple emails within one request thus resuing the PHPMailer instance, the plain text content of the first multipart email leaks to the subsequent non-multipart emails as AltBody/plaintext email...
WP < 6.0.3 - Stored XSS via RSS Widget
Description WP does not escape the error messages in the RSS Widget, which could lead to Stored Cross-Site Scripting issue...
WP < 6.0.3 - Multiple Stored XSS via Gutenberg
Description The packaged Gutenberg does not escape data from some blocks before outputting ti back in pages, which could lead to Stored XSS issues. Affected blocks: Search, Feature Image, RSS and Widget...
WP < 6.0.3 - Email Address Disclosure via wp-mail.php
Description WordPress discloses the sender's email address via wp-mail.php...
WP < 6.0.3 - SQLi in WP_Date_Query
Description WP does not properly sanitize the relation passed to WPDateQuery, which could lead to SQL injection...
WP < 6.0.3 - Open Redirect via wp_nonce_ays
Description WordPress does not validate the URL to redirect the user to when displaying the nonce error via wpnonceays, which could lead to an Open Redirect issue...
ImageMagick-Engine < 1.7.6 - Command Injection via CSRF
The plugin is missing CSRF checks in multiple actions, which could allow attackers to make a logged in admin perform unwanted actions. In this case, it could lead to RCE via Command Injection PoC https://example.com/wp-admin/admin-ajax.php?action=imetestimpathpath=payload...
WP < 6.0.3 - Stored XSS via wp-mail.php
Description WordPress does not properly sanitize some parameters when receiving a post by email, which could lead to Stored Cross-Site Scripting issue...
Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message PoC Setup: - In the General Settings of the plugin, check the "Show...
WP Attachments < 5.0.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Inject an XSS payload in the title by going...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes, leading to a Reflected Cross-Site Scripting. PS: The original advisory mentions the issue being in photo-gallery, however it is not the case. PoC On a page where there is a gallery embed, append a'-alert/XSS///=1...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting them back in attributes and JS code in admin dashboards, leading to Reflected Cross-Site Scripting PoC Make a logged in admin open one of the URLs below...
WP Hide <= 0.0.2 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks in place when updating the customwpadminslug settings, allowing unauthenticated attackers to update it with a crafted request PoC curl -X POST --data "customwpadminslug=attacker-value" https://example.com/wp-admin/admin-post.php Settings is...