14604 matches found
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
The plugin does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. PoC As a...
Broken Link Checker < 1.11.17 - Admin+ PHAR Deserialization
The plugin does not validate a parameter, which could allow high privilege users such as admin to perform PHAR deserialisation when a suitable gadget chain is also present...
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data PoC Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30 As...
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts PoC The postid is the ID of a saved layout As a contributor, get a REST nonce via...
WP Database Backup < 5.9 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the Destination FTP Settings...
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts PoC The postid is the ID of a saved layout...
Fast Flow < 1.2.12 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=fast-flow="...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape numerous parameters before outputting them back in admin pages via various AJAX actions, leading to Reflected Cross-Site Scripting PoC With SitePress active, and with more than 1 active language: 6458 being a valid Product ID 16 being valid vendor id...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthenticated LFI
The plugin does not validate and sanitise a parameter before using it to include a file via an AJAX action available to both unauthenticated and authenticated users, which could lead to Local File Inclusion PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls
The plugin is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors reporter by the submitter or update arbitrary order status identified by WPScan when verifying the issue for example. Other...
Alpine PhotoTile for Pinterest <= 1.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Rank Math SEO < 1.0.95.1 - Unauthenticated SSRF
The plugin does not properly restrict access to some .htaccess blocked REST endpoints when the headless settings is enabled, which could allow unauthenticated attackers to perform SSRF attacks...
Uploading SVG, WEBP and ICO files <= 1.0.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Uploading SVG, WEBP and ICO files <= 1.0.1 - Admin+ Arbitrary File Upload
The plugin does not validate the files to be uploaded, which could allow high privilege users such as admin to upload arbitrary files, even when they are not supposed to...
Best Payments Plugin for WP < 4.2.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins PoC As unauthenticated, on a page/post where there is a contact form created via the plugin, put the following payload in the...
Easy Digital Downloads < 3.0.2 - Admin+ PHP Object Injection
The plugin does not validate user input before unserialising it, which could allow high privilege users to perform PHP Objection injection attacks...
Gallery PhotoBlocks <= 1.2.6 - Authenticated Stored XSS
The plugin does not sanitise and escape some parameters, which could allow low privileged users to perform Stored Cross-Site Scripting attacks...
Directorist < 7.3.1 - Unauthenticated Email Address Disclosure
The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users PoC https://example.com/wp-admin/admin-ajax.php?action=directoristauthorpagination...
Best Payments Plugin for WP < 4.2.1 - Reflected Cross-Site Scripting
The plugin does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting PoC Append the following payload on a page where the is a form from the plugin: a" e.g: https://example.com/contact-form/?a"...
SP Project & Document Manager < 4.62 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
Gallery PhotoBlocks <= 1.2.6 - Cross-Site Request Forgery
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Social Slider Feed < 2.0.7 - Admin+ Stored XSS via Feeds
The plugin does not sanitise as well as escape user input in feeds, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in a Instagram...
Simple Single Sign On <= 4.1.0 - Authentication Bypass
The plugin leaks its OAuth clientsecret, which could be used by attackers to gain unauthorized access to the site. PoC When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...
Photo Gallery < 1.7.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC When the plugin displays a notice: https://example.com/wp-admin/plugins.php?"...
amCharts: Charts and Maps < 1.4.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Contest Gallery < 17.0.5 - Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author...
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks. PoC PoC for filter-operator1 parameter: POST...
WP Hide & Security Enhancer < 1.8 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting PoC http://example.com/wp-admin/admin.php?page=wp-hide-cdn=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x...
Stop Spam Comments <= 0.2.1.2 - Access Token Bypass
The plugin does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request. PoC Collect the name and value of ssckey for the target post and use it on the request. curl...
Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure
The plugin is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address PoC https://example.com/wp-json/ssa/v1/users...
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Navigate to style settings:...
JoomSport < 5.2.6 - Admin+ SQLi
The plugin does not properly escape the orderby parameter before using it in multiple SQL statement, which could allow high privilege users to perform SQL injection...
String Locator < 2.6.0 - Authenticated PHAR Deserialization
The plugin does not validate a parameter, which could lead to PHAR deserialisation when an attacker manage to upload a malicious file crafted with a suitable gadget chain and having a logged in admin open a malicious link...
Testimonial Builder < 1.6.2 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ActiveDEMAND plugin <= 0.2.27 - Unauthenticated Post Creation/Update/Deletion
The plugin does not have any authorisation in some of its REST route, which could allow unauthenticated users to delete, create and update arbitrary post...
Download Manager < 3.2.53 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute of the modal login page only available when users are not logged in, which could lead to Reflected Cross-Site Scripting in old web browsers. PoC On the modal login page from the plugin and using...
Ecwid Ecommerce Shopping Cart < 6.10.24 - Settings Update via CSRF
The plugin does not correctly check for CSRF when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
The plugin does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers PoC https://example.com/wp-json/wp/v2/sensei-messages/...
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and studen...
Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion
The plugin does not properly validate the path of the file saved within the download post to ensure it is a safe file type or is associated with a download post. As a result, authenticated users able to create downloads, could delete arbitrary files from the server...
MailChimp for Woocommerce < 2.7.1 - Subscriber+ SSRF
The plugin has an AJAX action that allows any logged in users such as subscriber to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example PoC As any logged in user:...
MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF
The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example PoC As an admin:...
Anti-Malware Security and Brute-Force Firewall < 4.21.83 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=GOTMLS-settingsdebug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E Also possible with the...
WooCommerce PDF Invoices & Packing Slips < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an attributes of an admin page, leading to Reflected Cross-Site Scripting. This is a re-introduction of CVE-2021-24991 in 2.14.0 PoC...
Download Manager < 3.2.49 - Clear Stats & Cache via CSRF
The plugin does not have CSRF check in place in some of its action such as clear cache and stats as well as update template status, which could allow attackers to make a logged in admin call them via CSRF attacks...
Social Slider Feed < 2.0.6 - Admin+ Stored XSS via API Key
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the YT API Key...
WP Hotel Booking < 1.10.6 - CSRF
The plugin is lacking CSRF which could allow attackers to a logged in admin perform unwanted actions via a CSRF attack...
Fluent Support < 1.5.8 - Admin+ SQLi
The plugin does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection vulnerability exploitable by high privilege users PoC With at least one support ticket in the system:...
MaxButtons < 9.3 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
uContext for Amazon <= 3.9.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when saving its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow attacker to make a logged in admin change them via a CSRF attack and put Cross-Site Scripting payloads in them...