14604 matches found
Link Optimizer Lite <= 1.4.5 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when saving its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow attacker to make a logged in admin change them via a CSRF attack and put Cross-Site Scripting payloads in them...
Banner Cycler <= 1.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when saving its slide settings, and is also lacking sanitisation as well as escaping in some of them, which could allow attacker to make a logged in admin change them via a CSRF attack and put Cross-Site Scripting payloads in them...
Affiliate For WooCommerce < 4.8.0 - Subscriber+ Paypal Email Update via IDOR
The plugin allows users with a role as low as subscriber to change the PayPal Email via an IDOR attack when the WooCommerce PayPal Payments plugin is also installed...
uContext for Clickbank <= 3.9.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when saving its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow attacker to make a logged in admin change them via a CSRF attack and put Cross-Site Scripting payloads in them...
Affiliate For WooCommerce < 4.8.0 - Subscriber+ Unauthorised Actions
The plugin does not have authorisation in various actions, which could allow users with a role as low as subscriber to call them...
Download Manager < 3.2.50 - Bypass IP Address Blocking Restriction
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based download blocking restrictions. PoC When downloading a file, add an X-Forwarded-For header that contains a random IP address to your request...
Student Result or Employee Database < 1.8.0 - Unauthorised REST Calls
The plugin has a flawed permission callback in its REST endpoints, allowing unauthenticated attackers to call them and add/edit/delete arbitrary student for example PoC POST /wp-json/v2/ssradddata HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Download Manager < 3.2.49 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters which could allow users with a role as low as contruibutor to perform Stored Cross-Site Scripting attacks...
Button Plugin MaxButtons < 9.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Simple Job Board < 2.10.0 - Resume Disclosure via Directory Listing
The plugin is susceptible to Directory Listing which allows the public listing of uploaded resumes in certain configurations. PoC curl https://example.com/wp-content/uploads/jobpost Search for this path / folder in search engines to find uploaded resumes...
Rich Reviews <= 1.9.15 - Arbitrary Reviews Deletion via CSRF
The plugin does not have CSRF in place when deleting reviews, w which could allow attackers to make a logged in admin delete them via a CSRF attack...
Enable SVG, WebP & ICO Upload <= 1.0.1 - Author+ Arbitrary File Upload
The plugin does not validate upload files, which could allow users with a role as low as author to upload arbitrary files...
Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing
The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes. PoC curl https://example.com/wp-content/uploads/wpjobboard Search for this path / folder in search engines to find...
MailerLite - Signup forms (official) < 1.5.7 - API Key Update via CSRF
The plugin does not have CSRF check in place when updating its API key, which could allow attackers to make a logged in admin change it via a CSRF attack...
WP Edit Menu < 1.5.0 - Unauthenticated Arbitrary Post Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog PoC https://example.com/wp-admin/admin-ajax.php?action=filtermenu=post-id...
Download Manager < 3.2.49 - Multiple CSRF
The plugin does not have CSRF check in place in some places, which could allow attackers to make a logged in admin perform unwanted actions...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary Feed Deletion
The plugin does not have authorisation and CSRF check in place when deleting feeds, allowing ay authenticated users, such as subscriber to delete arbitrary feeds PoC As any authenticated user, such as subscriber. Or via CSRF against them...
Social Slider Feed < 2.0.5 - Subscriber+ Stored XSS via Feeds
The plugin does not have authorisation and CSRF check in place when adding and editing a Feed, and does not sanitise as well as escape user input. As a result, users with a role as low as subscriber could add arbitrary feeds, with Stored Cross-Site Scripting payloads in them. PoC As any...
Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download
The plugin is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher. PoC As contributor, navigate to https://target/blog/wp-admin/post-new.php?posttype=lanadownload Inside "File URL:" input, fill the file you want to download,...
Duplicator < 1.4.7.1 - Unauthenticated System Information Disclosure
The plugin does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. PoC 1. curl 'http://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php?view=1' 2. curl -d view...
LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. PoC...
WP phpMyAdmin < 5.2.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "phpMyAdmin on hosting" setting...
NEX-Forms < 7.9.7 - Authenticated SQLi
The plugin does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin setting...
Social Slider Feed < 2.0.5 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting...
Multiple Plugins from Puvox.software - Reflected Cross-Site Scripting
The plugins do not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=wp-phpmyadmin-extension=errors-logreset"...
Student Result or Employee Database < 1.7.5 - Stored Cross Site Scripting via CSRF
The plugin does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting PoC...
Enable SVG, WebP & ICO Upload <= 1.0.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameter, which could allow users with a role as low as author to perform stored Cross-Site Scripting attacks...
Duplicator < 1.4.7 - Unauthenticated Backup Download
The plugin discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. PoC Find the URL of the actual installer...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
The plugin does not have authorisation and CSRF check in place when saving the YouTube API Key, and does not sanitise as well as escape it. As a result, users with a role as low as subscriber could change it, including setting it with Stored Cross-Site Scripting payloads in it PoC As any...
WP Sticky Button < 1.4.1 - Unauthenticated Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues PoC fetch"/wp-admin/admin-ajax.php", "headers":...
WP Edit Menu <= 1.5.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack PoC...
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
The plugin allows unauthenticated users to upload files allowed in a default WP configuration so PHP is not possible if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading o...
Better Search and Replace < 1.4.1 - Admin+ SQLi
The plugin does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks PoC POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax;=processsearchreplace HTTP/1.1 Accept: application/json,...
Fast Flow < 1.2.13 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Create/edit a dashboard with an HTML...
Floating Div <= 3.0 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters which could allow users with a role as low as author to perform Cross-Site Scripting attacks...
Simple SEO < 1.7.92 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the SEO social and standard title parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks...
VR Calendar <= 2.3.4 - Admin+ LFI
The plugin does not validate user input before using it in a require statement, which could allow high privilege users to perform LFI attacks. The attack could also be performed via a CSRF vector by making a logged in admin open a malicious link PoC...
VR Calendar < 2.3.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/plugins.php?vrcmsg=msgtype="...
WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion
The plugin contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user PoC...
GS Testimonial Slider <= 1.9.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Coming Soon - Under Construction <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC As admin, put the following payload in the "More text information" settings of the plugin: The XSS will be...
Transposh WordPress Translation <= 1.0.8 - Admin+ SQL Injection
The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection PoC https://example.com/wp-admin/admin.php?page=tpeditor=filter-by=+AND+SELECT+42+FROM+SELECTSLEEP5b...
Rezgo Online Booking < 4.1.8 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting, which can be exploited either via a LFI in an AJAX action, or direct call to the affected file PoC Direct call:...
Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
The plugin has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. PoC The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field. Given a valid...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC Against any authenticated user: https://example.com/wp-admin/admin-ajax.php?action=ftsencrypttokenajaxtoken=%3Cimg%20src=x%20onerror=alert/XSS/%3E...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC Both can be used against authenticated and unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=ftsrefreshtokenajaxtoken=...
Automations By Autonami < 2.1.2 - Subscriber+ Automation Creation
The plugin does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations PoC var data = new FormData data.append'file',new...
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "method": "POST", "body":...
Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls
The plugin exposes a couple of sensitive actions such has “tpreset” under the Utilities tab /wp-admin/admin.php?page=tputils, which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and...