14603 matches found
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Image URL
The plugin does not sanitise and escape the Image URL field of the Media block, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Text Editor
The plugin does not sanitise and escape the Text Editor block, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
Gettext override translations < 2.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Create/edit a translation and put the followin...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Text Block
The plugin does not sanitise and escape its Text Block fields, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks PoC Create a post using the plugin editor, add a Text Block and put the following payload in its content: The XSS will be triggered whe...
WP Forecast < 7.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Better Font Awesome < 2.0.2 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Advanced Order Export For WooCommerce < 3.3.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting...
Event Calendar < 1.4.7 - Unauthenticated Arbitrary Event Deletion
The plugin does not have authorisation check when deleting events, which could allow unauthenticated attackers to delete them...
Accommodation System <= 1.0.1 - Subscriber+ Unauthorised Actions
The plugin does not have authorisation in various actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions...
Event Calendar < 1.4.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting exploitable against any authenticated user...
SEO Scout <= 0.9.83 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
About Me <= 1.0.12 - Subscriber+ Arbitrary Network Creation/Deletion
The plugin does not have authorisation and CRSF when adding and deleting networks via AJAX actions, which could allow any authenticated users, such as subscriber to create and delete arbitrary networks...
Alphabetic Pagination < 3.0.8 - Unauthenticated Arbitrary Option Update
The plugin does not have any proper authorisation in place when updating some settings via a REST endpoint, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary option from the blog and allow registration with a...
About Rentals <= 1.5 - Unauthenticated Actions
The plugin does not have authorisation in various actions, which could allow unauthenticated users to call them and perform unauthorised actions...
Launcher: Coming Soon & Maintenance Mode <= 1.0.11 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Access Code Feeder <= 1.0.3 - CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Poll, Survey, Questionnaire and Voting system <= 1.7.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
59sec LITE <= 3.4.1 - Unauthenticated Settings Update
Description The plugin does not have any authorisation in place when updating its settings, allowing unauthenticated attackers to do so...
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
The plugin does not properly validates paths generated with user input in the almrepeatersexport function, which could allow high privilege users to read arbitrary files form the server even when they should not be able to have access to any, for example in multisite setup This is due to an...
Notification Bar for WordPress <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks...
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
The plugin uses the wrong content type for, and does not properly escape the response from the ai1wmexport action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. Po...
BadgeOS < 3.7.1.3 - Subscriber+ SQLi
The plugin does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections PoC Open the following URL as any authenticated user such as subscriber:...
Float to Top Button <= 2.3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Text for the button" or...
Scroll To Top < 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Text" settings of the...
WordPress Ping Optimizer < 2.35.1.3.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC http://evil.com aaaa bbbb...
Search Exclude < 1.2.7 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters which could allow users with a role as low as editor to perform Stored Cross-Site Scripting attacks...
Classima < 2.1.11 - Reflected Cross-Site Scripting
The theme and some of its required plugins do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/all-ads/?q="+onmouseover%3Dalert%281%29+id%3Dx+tabindex%3D0+style%3Ddisplay%3Ablock The XSS will be triggered when the us...
Better Messages < 1.9.10.58 - Subscriber+ Denial Of Service
The plugin does not limit the length of messages, which could allow any authenticated users sending messages to cause a denial fo service...
WP Taxonomy Import <= 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC...
WBW Currency Switcher for WooCommerce < 1.6.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC In the plugin's settings WooCommerce Settings...
Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/all-ads/?" https://example.com/all-properties/?"...
Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass
The plugin doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. PoC Set HTTPCLIENTIP, HTTPXFORWARDEDFOR or any other header in LoginNoCaptcha::getipaddress which is then checked against the whitelist an...
Tutor LMS < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not escape an URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting The issue was initially fixed in 1.9.13 but re-introduced in 2.0.0 PoC https://example.com/wp-admin/post.php?post=1369=edittab=general'...
Post SMTP < 2.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Post SMTP Settings...
Ajax Load More < 5.5.4 - Admin+ Arbitrary File Read
The plugin does not validate a path which could allow high privilege users such as admin to read arbitrary files from the server...
WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow unauthenticated attackers to change them. PoC All settings are affected, example, to change the Thousands Separator one, run the below command in the developer console of the web browser...
Ajax Load More < 5.5.4 - PHAR Deserialization via CSRF
The plugin does not validate user input before using it to generate a path, allowing attacker to fully control it and use any wrapper, such as PHAR which could lead to deserialisation if they can trick an admin to open a malicious link and a suitable gadget chain is present...
WP Server Health Stats < 1.7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC As admin, put the following payload in the "Provide your IP-API Pro key", "Memcached Server Host", "Set the...
Craw Data <= 1.0.0 - Server Side Request Forgery
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF. PoC When configuring the CrawData addon, the request is as follows GET...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Deletion
The plugin does not have any authorisation and CSRF checks in place when deleting events which could allow unauthenticated attackers to delete arbitrary events PoC As an unauthenticated user, open the code below, this will delete the event with ID 4 from the calendar with ID 1...
Download Manager < 3.2.50 - Contributor+ PHAR Deserialization
The plugin does not validate a parameter, which could allow users with a role as low as contributor to perform PHAR deserialisation when a suitable gadget chain is also present...
Mobile Events Manager < 1.4.8 - Admin+ CSV Injection
The plugin does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. PoC Export events with malicious CSV: 1. Create and save a new Enquiry source and add the following in the name...
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing
The plugin does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. PoC The function wantispampgetip is vulnerable to IP spoofing because of the general usage of $SERVER'HTTPXFORWARDEDFOR' curl -...
All-in-One Video Gallery 2.5.8 - 2.6.0 - Unauthenticated Arbitrary File Download & SSRF
The plugin does not validate the dl parameter which could allow unauthenticated users to download arbitrary files from the server, as well as perform SSRF attacks...
WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC With the web browser inspector, change the inp...
Affiliates Manager < 2.9.14 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Currency Symbol" settings of the plugin and save: " Other...
Affiliates Manager < 2.9.14 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape parameters before outputting them back in pages, which could lead to Reflected Cross-Site Scripting PoC GET /wp-admin/admin.php?page=wpam-settings=" HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Affiliates Manager < 2.9.14 - Arbitrary Affiliates & Creatives Deletion via CSRF
The plugin does not have CSRF checks when deleting affiliates and creatives, which could allow attackers to make a logged in admin perform such actions via CSRF attacks PoC Make a logged in admin open - https://example.com/wp-admin/admin.php?page=wpam-affiliatesaid=2 -...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
The plugin does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. PoC As a...