14604 matches found
Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues PoC All...
GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Get a REST nonce logged in as admin:...
YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure
The plugin does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin PoC @author : 0xshdax Rafshanzani Suhada @usage : python3 script.py http://localhost import requests, sys, re, json Setup here url = sys.argv1 headers =...
Event Timeline <= 1.1.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a Timeline, put the following payload in the "Text" field at the bottom: Click save below the...
GiveWP < 2.21.3 - DoS via CSRF
The plugin does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to...
Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF
The plugin is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks PoC https://example.com/wp-admin/admin.php?page=counter-box=1=activate...
Team <= 1.2.6 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Shortcode For Current Date < 2.1.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the some of its shortcode's attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC currentdate format='d/m/Y' size="10px;position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px'...
Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled. PoC To make it easier to verify the vulnerability without the...
Microsoft Advertising Universal Event Tracking < 1.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Due to the nature of this plugin, well crafted XSS can also leak into the frontpage. PoC Put the followi...
Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation
The plugin allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter. Note: This only affects membership from the plugin, not the WordPress role PoC The request contains the levelidentifier parameter with the md52 value, where 2 is...
Flexi Quote Rotator <= 0.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Add the following payload to a new quote:...
Simple Membership < 4.1.3 - Membership Privilege Escalation
The plugin does not properly validate the membershiplevel parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request. Note: This only affects membership from the plugin, not the WordPress role PoC To increase the level, the attacker...
Invitation Based Registrations <= 2.2.84 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "After Register...
FreeMind WP Browser <= 1.2 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its setting, and does not have sanitisation as well as escaping in some of them, which could allow attackers to make a logged in admin put a Cross-Site Scripting payload in them via CSRF attack...
AnyMind Widget <= 1.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating the setWidgetId setting, and does not have sanitisation as well as escaping applied to it, which could allow attackers to make a logged in admin put a Cross-Site Scripting payload in it via CSRF attack...
WP Visitor Statistics (Real Time Traffic) < 5.8 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements available to unauthenticated users, leading to SQL injection...
Advanced WordPress Reset < 1.6 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting PoC - Completely reset the site using the plugin - Visit https://example.com/wp-admin/tools.php?page=advancedwpreset&"...
Visualizer: Tables and Charts Manager for WordPress < 3.7.10 - Contributor+ PHAR Deserialization
The plugin does not validate the ‘remotedata’ parameter allowing contributor and above roles to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP objects when a POP chain is present...
WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC On...
Login with phone number < 1.3.8 - Multiple Admin+ Stored XSS
The plugin does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Plugin settings Style Settings button border radius or other field put to input field:...
Unyson < 2.7.27 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=fw-extensions&sub-page;=extension=feedback...
NextScripts: Social Networks Auto-Poster < 4.3.26 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=nxssnap"...
Header Footer Code Manager < 1.1.24 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=hfcm-list&'...
Name Directory < 1.25.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well PoC...
Booster for WooCommerce < 5.6.2 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC v v...
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. PoC As admin, Import the following CSV...
Shareaholic < 9.7.6 - Information Disclosure
The plugin does not have proper authorisation check in one of the AJAX action, available to unauthenticated in v 9.7.5 and author+ in v9.7.5 users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc. PoC...
Name Directory < 1.25.4 - Arbitrary Directory/Name Deletion via CSRF
The plugin does not have CSRF checks in place when deleting Directories and Names, which could allow attackers to make a logged in admin delete them via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=name-directorydir=2...
Ivory Search < 5.4.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC When the plugin displays the usage notice: https://example.com/wp-admin/plugins.php?"...
Popup Anything < 2.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting PoC On a post/page where the paocdetails display="keyxxx" shortcode is embed, append the following payload: ?xxx=11111%3Cscript%3Ealert/XSS/%3C/script%3E...
Yellow Yard Searchbar <= 2.7.27 - Reflected Cross-Site Scripting
The plugin does not escape some URL parameters before outputting them back to the user, leading to Reflected Cross-Site Scripting PoC /?searchjob="...
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE PoC As an admin upload a php file containing the palyload zipped along with a valid...
Accordions < 2.0.3 - Unauthenticated Arbitrary Options Update
The plugin does not have any authorisation in a REST endpoint, which could allow unauthenticated users to update arbitrary WordPress options...
Gallery for Social Photo < 1.0.0.29 - Arbitrary Post Duplication via CSRF
The plugin does not have CSRF check in place when duplicating a post or page, which could allow attackers to make a logged in a admin duplicate them via a CSRF attack PoC https://example.com/wp-admin/admin-ajax.php?action=gifeedduplicatefeed=12...
Image Slider < 1.1.123 - Arbitrary Post Duplication via CSRF
The plugin does not have CSRF check in place when duplicating a post or page, which could allow attackers to make a logged in a admin duplicate them via a CSRF attack...
Popup Builder < 4.1.12 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WordPress Popular Posts < 6.0.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC When the plugin displays a performance notice: https://example.com/wp-admin/plugins.php?"...
Request a Quote <= 2.3.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Misc No Access Message setting of the plugin: The XSS will ...
WP Maintenance < 6.0.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution
The plugin allows high privilege users such as admin to import zip archives containing PHP files, which could allow admin of multisite setup to perform RCE attacks...
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
The plugin does not have proper authorisation in one of its REST endpoint, allowing unauthenticated users to update the "Toggle thecontent filter" setting PoC POST /wp-json/yikes/cpt/v1/settings HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
SP Project & Document Manager < 4.58 - Sensitive File Disclosure
The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. PoC 1. Upload a file using the plugin. 2. On another browser, access the newly uploaded file via:...
Request a Quote <= 2.3.7 - CSV Injection
The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it PoC On a page with a Quote Request form, upload the following CSV as an attachment: "First Name","Last...
WP Meta SEO < 4.4.9 - Social Settings Update via CSRF
The plugin does not have CSRF check in place when updating its social settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=mo2fatwofa"...
W-DALIL <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Add/edit a Dali Item and put the following payload in...
Download Manager < 3.2.44 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/edit.php?posttype=wpdmpro=wpdm-stats=historyids=1&"...
Contact Form 7 Captcha < 0.1.2 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers PoC https://example.com/wp-admin/options-general.php?page=cf7sredit&"...
Woo Discount Rules < 2.4.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=woodiscountrules="+style=animation-name:rotation+onanimationstart=alert/XSS///...