14603 matches found
Complianz (Free < 6.3.4, Premium < 6.3.6) - Translator SQLi
The plugins allow a translators to inject arbitrary SQL through an unsanitized translation. SQL can be injected through an infected translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML. PoC 1. Install Complianz and set the following...
Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection
The plugin does not properly escape data when exporting it via CSV files. PoC 1 Edit your subscriber account's nickname to: ;=1+3 2 As an administrator, export your users data via http://vulnerable-site.tld/wp-admin/tools.php?page=acui=export, and open the resulting CSV file in Excel or equivalen...
Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload
The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP PoC As a subscriber, open the HTML code below while being logged in as a subscriber, then choose a fil...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS via AJAX
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to any authenticated users, such as subscriber, leading to a Reflected Cross-Site Scripting PoC Make a logged in user open a page containing the HTML code below...
Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack PoC...
Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options PoC To set the default role for new users to administrator, run the below command ...
FluentForm < 4.3.13 - CSV Injection
The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection PoC - As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV /wp-admin/admin.php?page=fluentformsid=1=entries - open the CSV with a...
WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection PoC curl -isk -X 'POST' -H "Content-Type: application/json" --data '"sku":"a" AND SELECT 42 FROM SELECTSLEEP5wlHd--...
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
The plugin does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog PoC As a...
WP < 6.0.3 - Stored XSS via wp-mail.php
WordPress does not properly sanitize some parameters when receiving a post by email, which could lead to Stored Cross-Site Scripting issue...
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. PoC 1 Download 'poc.zip' via...
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
The plugin is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files PoC 1 Create 'poc.zip' with 2 files like below 1-1 'exploit.php.txt' is as follows...
Rock Convert < 3.0.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Highlight Focus <= 1.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the plugin...
Page View Count < 2.5.6 - Settings Reset via CSRF
The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack...
AliExpress Dropshipping and Fulfilment for WooCommerce < 1.1.1 - Unauthenticated Sensitive Data Exposure
The plugin disclose sensitive information to unauthenticated users via a crafted request...
Shortcodes Ultimate < 5.12.1 - Stored XSS via CSRF
The plugin does not have CSRF check when adding a Preset, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads in a Preset created via a CSRF attack...
AB Press Optimizer <= 1.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Accessibility < 1.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
eCommerce Product Catalog Plugin for WordPress < 3.0.71 - Reflected XSS
The plugin does not sanitise and escape an URL before outputting it back in an attribute of product category pages, leading to a Reflected Cross-Site Scripting PoC https://example.com/products-category/cat/?productcategory=1%2522%253e%253cscript%253ealert%2528/XSS/%2529%253c%252fscript%253e=1...
AWP Classifieds Plugin < 4.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection PoC To read the userlogin and userpass columns from the wpusers tabl...
Rock Convert < 2.6.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting PoC On a page where the "Capture box | Rock Convert" widget is present, append ?", e.g: https://example.com/?"...
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user import intentionally or not a malicious file, and a suitable gadget chain is present on the site. PoC To simulate a gadget chain, put the following code in a plugin class Evil publ...
Newspaper < 12 - Reflected Cross-Site Scripting
Description The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. PoC...
Envira Gallery Lite < 1.8.4.7 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers PoC https://example.com/wp-admin/edit.php?posttype=envira=envira-gallery-lite-addons&"...
Official Integration for Billingo < 3.4.0 - ShopManager+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks. PoC Put the following payload in the WooCommerce Settings Billingo E-mail BeállÃtások Gomb szöveg field in the...
WP Contact Slider < 2.4.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create/edit a Contact slider and put the payload below in the "Text to display" option:...
WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS
The plugin does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. PoC Run the below command...
Ocean Extra < 2.0.5 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import intentionally or not a malicious Customizer Styling file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the followin...
JReviews <= 4.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC https://example.com/top-user-rated-listings?listview=2%22%3e%3cscript%3ealert1%3c%2fscript%3e=1...
Newspaper < 12 - Reflected Cross-Site Scripting
Description The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting PoC Affected parameter: acts.tdatts.imagesize...
Easy WP SMTP < 1.5.0 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil publ...
PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection
The plugin unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site. PoC To simulate a...
Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Go to the plugin's settings Popup tab, click o...
Log HTTP Requests < 1.3.2 - Stored Cross-Site Scripting
The plugin does not sanitise and escape a parameter, which could lead to Stored Cross-Site Scriptingill execute whenever a user accesses an injected page...
Create Block Theme < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not have authorisation and CSRF checks, as well as does not validate the file to be uploaded, which could allow unauthenticated attackers to upload arbitrary files to the server PoC As unauthenticated user, open The file will be uploaded at...
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution RCE. To successfully exploit this vulnerability attackers must have knowledge of the site...
WP-Polls < 2.77.0 - Subscriber+ Race Condition
The plugin is affect by a race condition which could allow any authenticated users to tamper with the votes on a poll...
Retain Live Chat <= 0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Rtain App ID...
Blog2Social < 6.9.10 - Subscriber+ SSRF
The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks PoC Run this script in the web browser console while being logged in as a...
WP ALL Export Pro < 1.7.9 - Authenticated SQLi
The plugin uses the contents of the ccsql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports...
WP ALL Export Pro < 1.7.9 - Authenticated Code Injection
The plugin does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be...
Form Maker by 10Web < 1.15.6 - Admin+ SQLI
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC Create/edit a form, go to the Settings MySQL Mapping i.e /admin.php?page=managefm=editid=1=4id=mapping. Copy the link t...
Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil...
Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection
The plugin does not properly escape fields when exporting data as CSV, leading to a CSV injection PoC - create a post using =5+5 as the title - export the data as CSV /wp-admin/admin.php?page=post-to-csv.php - open the CSV with a spreadsheet application Excel, Libre Office - the CSV formula...
Bricks Builder < 1.5.4 - Subscriber+ Remote Code Execution
The theme allows website editors to include executable code blocks in their website, which can contain arbitrary PHP code. By default, code execution is intended to be disabled, with website administrators having to explicitly allow code execution for specific user roles. However, due to improper...
WP Humans.txt <= 1.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Humans.txt...
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
The plugin does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin PoC When deleting a scan logs /edit-comments.php?page=ctcheckspamlogs, intercept the request and change the spamids parameter to...
Bricks Builder < 1.5.4 - Subscriber+ Arbitrary Post/Page Edition
The theme does not have authorisation in an AJAX action, which could allow any authenticated users such as subscriber to call it and edit any page, post, or template on the blog PoC 1. Start with a clean Wordpress install 2. Install Bricks builder v1.5.3 3. Enable registrations on the website...
WP Super Cache < 1.9 - Unauthenticated Cache Poisoning
The plugin is affected by a cache poisoning issue PoC curl 'https://example.com//?s=12333'...