14603 matches found
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
The plugin does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know the correct email address PoC POST / HTTP/1.1...
Post SMTP < 2.1.7 - Admin+ Blind SSRF
The plugin does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example. PoC Navigate to https://example.com/wp-admin/admin.php?page=postman%2Fporttest Inside "Outgoing Mail Server...
Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. PoC Create or edit a Slide and put the following payload in the Name field: " onfocus=alert/XSS/ autofocus=" The XSS will be triggered when editing the slide again...
Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload
The plugin does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file PoC POST /wp-admin/admin-ajax.php...
NinjaForms < 3.6.13 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil...
Ldap WP Login / Active Directory Integration < 3.0.2 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputing them in attrubutes, leading to Reflected Cross-Site Scripting PoC Make a logged in admin open https://example.com/wp-admin/admin.php?page=LDAP+authentication+intergrating+with+AD"...
WP Popup Builder < 1.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC The custom-popup parameter needs to be the ID of an existing popup https://example.com/wp-admin/admin.php?page=wppb&pos-name;=xxx"...
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC Make a logged in admin open a page containing the HTML code below...
SEO Smart Links <= 3.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Whitelisted...
Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass
The plugin does not have any authorisation and CSRF checks when updating it's settings which are hooked to the init action, allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authenticatio...
Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal
The plugin does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory PoC 1. Navigate to settings page /wp-admin/edit.php?posttype=wpdmpro=settings 2. In the “File Browser Root:” setting,...
WP Popup Builder < 1.3.0 - Subscriber+ Arbitrary Popup Deletion
The plugin does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup PoC fetch'/wordpress/wp-admin/admin-ajax.php?action=deletepopup', method: 'POST',headers:"content-type":"application/x-www-form-urlencoded", bod...
Meet My Team <= 2.0.5 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Pop-up < 1.1.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP Cerber Security < 9.1 - Username Enumeration Bypass
The plugin does not properly validate the author was blocking request trying to enumerate usernames, which could allow attackers to bypass the protection offered...
History Timeline <= 1.0.5 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Mega Addons For WPBakery Page Builder <= 4.2.7 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Torro Forms <= 1.0.16 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks...
WHA Crossword <= 1.1.10 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Captcha Code < 2.8 - Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack...
GetResponse < 5.5.21 - API Key Update via CSRF
The plugin does not have CSRF check when updating the API key, which could allow attackers to make logged admins update it via a CSRF attack...
Blossom Recipe Maker < 1.0.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
MP3 jPlayer <= 2.7.3 - Multiple CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
WHA Crossword <= 1.1.10 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
Easy Org Chart <= 3.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks...
Word Search Puzzles game <= 2.0.1 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
CallRail Phone Call Tracking < 0.4.10 - Stored XSS via CSRF
The plugin does not have CSRF check in place and it also lacking sanitisation as well as escaping in some parameters, which could allow attackers to make a logged in admin put Stored Cross-Site Scripting payloads in them...
Word Search Puzzles Game <= 2.0.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks...
WP-PostRatings < 1.90 - Ratings Tempering via Race Condition
The plugin is affected by a race condition allowing any authenticated user to tamper with ratings and decrease/increase their value...
WP Shop Original <= 3.9.6 - Unauthenticated Settings Update
The plugin does not have authorisation check when updating its settings, which could allow unauthenticated attackers to update them...
Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1 - Install and activate "Generate PDF using Contact Form 7 Version 3.5" 2 - Click on "Contact - Add...
add2fav <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Image Hover Effects Ultimate < 9.8.0 - Authenticated Stored XSS
The plugin does not sanitise and escape the Media Image URL, Video Link, Title and Description field of an Image Hover, which could lead to Stored XSS when low privileged users are allowed to access the plugin's feature which can be set via the plugin settings...
Wordlift < 3.37.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC - Go to publisher and select Create a New Publisher - Add publisher name " - Click on Save Changes...
Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF
The plugin does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues PoC Make a logged in admin open a page...
Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS
The plugin does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues PoC Open a page...
Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based limitations in certain situations. PoC Set HTTPCFCONNECTINGIP or any of the other headers in getclientipaddress to spoof the IP address...
Add User Role <= 0.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Caption On Hover
The plugin does not sanitise and escape the Caption On Hover field of images, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
WP < 6.0.2 - Reflected Cross-Site Scripting
Description Plugin's deactivation and deletion error messages are not escaped when output in the plugins screen, which could lead to Reflected Cross-Site Scripting...
WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
Description There is a lack of escaping of the meta keys and values in themeta function, which could lead to Cross-Site Scripting issue...
WP < 6.0.2 - SQLi via Link API
Description The getbookmarks function does not validate and escape a parameter before using it in a SQL statement, which could lead to SQL injection when user input is passed to it directly or via wplistbookmarks for example...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Caption
The plugin does not sanitise and escape the caption parameter added to images via the media uploader, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
Simple File List < 4.4.12 - Reflected Cross-Site Scripting
The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=ee-simple-file-list="style=animation-name:rotation+onanimationstart=alert/XSS///...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Title
The plugin does not sanitise and escape post/page Title, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks PoC Create a post using the plugin editor and add the following payload in the Title: " The XSS will be triggered when editing the post again...
Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS
The plugin does not have proper authorisation even when the Require Authorisation for REST API Requests is enabled in all its REST endpoints, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform...
Site Offline < 1.5.3 - Access Bypass
The plugin prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature. PoC https://example.com/?admin...
Zephyr Project Manager < 3.2.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=zephyrprojectmanagerprojectspage=--...
Slickr Flickr <= 2.8.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Open the plugin and intercept the request using burpsuite. Give the below payload in the parameter...
Form Builder CP < 1.2.32 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Create/edit a form and put the following...