14604 matches found
Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls
The plugin exposes a couple of sensitive actions such has “tpreset” under the Utilities tab /wp-admin/admin.php?page=tputils, which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and...
Simple Banner < 2.12.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payloads in the "Simple Banner Text" settings of the plugin: Firefox...
Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
The plugin does not have any authorisation in its tptranslation AJAX action, allowing unauthenticated users to call it...
WP-DBManager < 2.80.8 - Admin+ Remote Command Execution
The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should. PoC Use any WordPress plugin that allows the users to upload files with extension - ".php" is not required - for example: .jpg usually many...
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink PoC...
Flipbox < 2.6.1 - Authenticated Arbitrary Options Update
The plugin does not have proper authorisation, allowing high privilege users such as editor to update arbitrary Blog options even though they should not be able to...
Transposh WordPress Translation <= 1.0.8 - Usernames Disclosure
The plugin does not have any authorisation in its tphistory AJAX action, allowing unauthenticated users to call it and retrieve a list of usernames which translated text...
Translatepress Multilinugal < 2.3.3 - Admin+ SQLi
The plugin is vulnerable to an authenticated SQL injection. By adding a new language via the settings page containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected. PoC To exploit the vulnerability, someone must send a...
Homepage Product Organizer for WooCommerce <= 1.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements, leading to SQL injection exploitable by any authenticated users such as subscriber...
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
The plugin lets any user execute arbitrary PHP functions on the site. PoC https://example.com/wp-admin/admin-post.php?vrccmd=phpinfo...
Simple Banner < 2.12.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings proversionactivationcode settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion
The plugin does not have proper authorisation in some of its REST endpoints, which could allow unauthenticated attackers to list and delete arbitrary submissions...
Stockists Manager for Woocommerce <= 1.0.2.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues...
GREYD.SUITE < 1.2.7 - Unauthenticated File Upload to RCE
The plugin does not properly validate uploaded custom font packages, and does not perform any authorization or csrf checks, allowing an unauthenticated attacker to upload arbitrary files including php source files, leading to possible remote code execution RCE. Version 1.2.5 added CSRF checks PoC...
Digital Publications by Supsystic < 1.7.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Create new publication, name it whatever 2. Click the "Custom Page" tab to add a new page: -...
Duplicate Page and Post Plugin < 2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Duplicate Post Suffix" or "Duplicate Link Text" settings: "...
Beaver Builder < 2.5.4.4 - Subscriber+ Arbitrary Post Builder Layout Disabling
The plugin does not have authorisation and CSRF checks in the flbuilderdisable AJAX action, which could allow any authenticated users, such as subscriber to disable the builder layout of arbitrary posts Note: The original advisory mentions the issue has been fixed, however only a CSRF check has...
Easy Student Results <= 2.2.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=rpsresultbatch=%3Cscript%3Ealert/XSS/%3C/script%3E...
Easy Student Results <= 2.2.8 - Sensitive Information Disclosure via REST API
The plugin lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc PoC When the "Enable API for Mobile Apps" settings...
Testimonials <= 3.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters available to users with a role as low as contributor, allowing them to perform Stored Cross-Site Scripting attacks...
Elementor Contact Form DB < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC When there is at least one submission: https://example.com/wp-admin/edit.php?posttype=elementorcfdb=sbelemcfdid="...
E Unlocked - Student Result <= 1.0.4 - Arbitrary File Upload via CSRF
The plugin is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack PoC The file will be uploaded to the /wp-content/uploads/result/rand.php, eg:...
Feed Them Social < 2.9.8.6 - Unauthenticated PHAR Deserialisation
The plugin does not validate the ftsurl parameter, which could lead to PHAR deserialisation when an attacker manage to upload a malicious file and a suitable gadget chain is present...
Website File Changes Monitor < 1.8.3 - Admin+ SQLi
The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manageoptions capability by default admins, leading to an SQL injection PoC A user with manageoptions permission can exploit the vulnerability with the following request...
MultiSafepay < 4.16.0 - Unauthenticated Arbitrary File Access
The plugin does not validate a parameter which could allow unauthenticated users to read arbitrary files on the web server...
Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF
The plugin does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin PoC...
Crowdsignal Polls & Ratings < 3.0.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC...
WPDating <= 7.1.9 - Multiple SQL Injection Issues
The plugin does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities. PoC http://vulnerable-site.tld/wp-content/plugins/dspdating/m1/postone.php?senderid=senderidsleep10id=senderidsleep10...
WP DS Blog Map <= 3.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the settings...
Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
The plugin allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations. PoC 1. Craft a custom zip...
Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description. PoC Steps to reproduce: 1 As a Contributor, go to portfolio on the dashboard and add new item. 2 on the editing page that comes up, scroll...
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any text field setting...
DW Promobar <= 1.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the plugin...
mTouch Quiz <= 3.1.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the delimiter...
YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well. v2.2.1 fixed the authorisation issue but not the escaping...
YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the From Email or From...
Thinkific Uploader <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks against other administrators. PoC Put the following payload in any of the settings: "...
Google Maps Anywhere <= 1.2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in any of the plugin...
Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when adding/editing names, and is also lacking sanitisation as well as escaping in some of the fields, which could allow attackers to make a logged in admin edit arbitrary names and put XSS payloads in them. PoC...
WP OAuth2 Server <= 1.0.1 - Authentication Bypass
The plugin does not properly check for authentication, which could allow attackers to bypass it...
Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title
The plugin does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfilteredhtml capability is disabled. An incomplete fix was introduced ...
WP Comments Fields < 4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a Comment Fields Comments Comment Fields and put the following payload in the Error Message setting: "autofocus...
GiveWP < 2.21.0 - Manager+ Arbitrary File Access via Export
The plugin does not validate the file to be exported, which could allow manager to read arbitrary file on the web server...
GiveWP < 2.21.0 - Manager+ Arbitrary File Creation via Export
The plugin does not validate the exported file, which could allow high privilege users such as Managers to create arbitrary files...
Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks then processing ajax requests to the discyupdateoptions action, allowing any logged in users with privileges as low as Subscriber, to change the theme options by sending a crafted POST request. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC On the dashboard navigate to weForms All Forms Add Form Choose Contact Form; Click Create Form...
User Private Files < 1.1.3 - Subscriber+ Arbitrary File Upload
The plugin does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded. PoC 1 Create a file named exploit.php, which contains:...
CAPTCHA 4WP < 7.1.0 - Local File Inclusion via CSRF
The plugin lets user input reach a sensitive requireonce call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server. PoC 1 Create a malicious PHP script $ echo ' shell.php 2 Add it to a fake .doc file, who...
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
The plugin does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them PoC Install the plugin and configure any mailer other than Default. Access the wp-admin area with a Subscriber+ use...
Featured Image from URL < 4.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC POST...