14603 matches found
FavIcon Switcher <= 1.2.11 - Arbitrary Settings Change via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP Custom Cursors < 3.0.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored...
Import all XML, CSV & TXT into WordPress < 6.5.8 - Admin+ SQLi
The plugin does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin PoC With the additional https://wordpress.org/plugins/polylang/ plugin installed, import a CSV with the following payloa...
We’re Open! < 1.42 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Settings We'r...
Search Logger <= 0.9 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users PoC ------------------------------------------------- Go to Search Logger Logs Select Delete...
Import all XML, CSV & TXT into WordPress < 6.5.8 - Missing Authorisation
The plugin does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce...
Simple File List < 4.4.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC First Stored XSS - HTTP Request POST...
Social Rocket < 1.3.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Logged in the backend of Wordpress as...
Booster for WooCommerce - Subscriber+ Order Status Update
The plugins allow users to update their own order status via a settings defined by admins when the My Account module is enabled, however does not ensure that the status set is allowed. As a result, users could set arbitrary status to their own orders, making them paid without actually paying for...
Download Monitor < 4.5.98 - Admin+ Arbitrary File Download
The plugin does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup. PoC Create a new download on:...
Simple File List < 4.4.13 - Page Creation via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack. PoC...
reSmush.it Image Optimizer < 0.4.6 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC POST /wp-admin/options.php HTTP/1.1 Accept:...
Memberpress Downloads < 1.2.6 - Subscriber+ Arbitrary File Upload
The plugin does not properly check user capabilities in its file uploading AJAX endpoint, relying on WordPress nonces to do so. Unfortunately, the nonce can be leaked by any logged-in users, like subscribers. Since the Uploader library they use does not check file extensions at all, this may lead...
Top Bar < 3.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put t...
TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload
The plugin does not validate and sanitise task's attachments, which could allow any authenticated user such as subscriber creating a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file PoC Create a SVG with the following content: As any authenticated user, such as...
SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion
The plugin does not validate the swpengine parameter of the searchwplivesearch AJAX action, which could allow unauthenticated attackers to perform Local File Inclusion attack via a Path Traversal vector on web server running IIS...
Advanced Comment Form < 1.2.1 - Admin+ Authenticated Stored XSS
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC In the settings of the plugin, add the following payload to the text before the form:...
CPO Shortcodes <= 1.5.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Advanced Dynamic Pricing for WooCommerce < 4.1.4 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Rate my Post < 3.3.5 - Subscriber+ Votes Tampering via Race Condition
The plugin is affected by a race condition issues allowing subscriber users to tamper with votes to increment to decrement them...
Multiple Plugins from Viszt Peter - Multiple CSRF
The plugins are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license PoC With the woo-billingo-plus plugin installed, make a logged in user with the editshoporders...
Rate my Post < 3.3.5 - Cross-Site Request Forgery
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example PoC When replacing the file, select "Replace the file, use new file name and...
Notice Board <= 1.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Slider, Gallery, and Carousel by MetaSlider < 3.27.9 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Add an image to a Gallery via...
WP 2FA < 2.3.0 - Time-Based Side-Channel Attack
The plugin uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared...
Soledad < 8.2.5 - Reflected Cross-site Scripting
The theme does not sanitise the id,datafiltertype,... parameters in its pencimoreslistpostajax AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability. PoC A threat actor can collect the nonce value on the main webpage by searching for it on the ajaxvarmore call: var ajaxvarmor...
PCA Predict <= 1.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Add Shortcodes Actions And Filters <= 2.0.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
YDS Support Ticket System <= 1.0 - Cross-Site Request Forgery
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Go the DSGVO AIO Settings Cookie Notice settin...
Read more By Adam <= 1.1.8 - Cross-Site Request Forgery
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Photospace Gallery <= 2.3.5 - Subscriber+ Arbitrary Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
RD Station < 5.2.1 - Multiple CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Corner Ad < 1.0.57 - Ads Deletion via CSRF
The plugin does not have CSRF check when deleting ads, which could allow attackers to make logged in admins delete arbitrary ads via a CSRF attack...
Contact Form By Mega Forms < 1.2.5 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...
Wordfence < 7.6.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Frontend File Manager < 21.3 - Unauthenticated File Renaming
The plugin allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server PoC curl -i -s -k -X 'POST' --data-binary...
Donation Thermometer < 2.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the Settings...
Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload
The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE PoC 1. Navigate to the page where ffmwp shortcode is included as Subscriber 2...
Goolytics - Simple Google Analytics < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC As admin, put the following payloads in Settings Goolytics Google Analytics ID field and save: "...
BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access
The plugin is affected by a Directory Traversal attack, allowing unauthenticated attackers to access arbitrary files on the web server, starting in version 8.5.8.0. PoC Install BackupBuddy v8.5.8.0 through v8.7.4.1. curl...
Booking Calendar < 9.2.2 - Arbitrary Translation Update via CSRF
The plugin does not have CSRF check when updating translations, which could allow attackers to make logged in users update arbitrary translations via a CSRF attack...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Blind SQLi
The plugin does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks PoC As unauthenticated, fill the reservation form it's on a page where the reservationform is embed, intercept the...
WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Activate the Share Icons feature of the...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made PoC As unauthenticated, make a reservation ie on a page where the reservationform is embed...
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
The plugin allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example. PoC Activate PHP extension: - Log in and go to "CM Downloads" "Settings" "General"...
WP Shamsi < 4.2.0 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
All in One SEO < 4.2.4 - Multiple CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...