14604 matches found
Page Generator Plugin < 1.6.6 - Arbitrary Keywords Deletion/Duplication via CSRF
The plugin does not have CSRF check in place when deleting and duplicating keywords, which could allow attackers to make a logged in admin delete and duplicate arbitrary keywords via CSRF attacks PoC https://example.com/wp-admin/admin.php?page=page-generator-keywords=delete=3...
Simple Page Transition <= 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Ignored Download...
Download Manager < 3.2.44 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the login page made by the plugin, leading to Reflected Cross-Site Scripting, which is only exploitable against unauthenticated users PoC On the login page from the plugin ie where the wpdmloginform is embed,...
OAuth Single Sign On < 6.22.6 - Authentication Bypass
The plugin doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address. PoC POST / HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Insights from Google PageSpeed < 4.0.7 - Multiple CSRF
The plugin does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks PoC...
Simple Post Notes < 1.7.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Notes placeholder" settings of the plugin:...
Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like defaultrole, userscanregister via a CSRF attack PoC...
Page Generator Plugin < 1.6.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Got to Page Generator - Keywords - Add Keyword and put the following payload in the "Terms" field th...
Advanced Database Cleaner < 3.1.1 - Reflected Cross-Site Scripting
The plugin does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=advanceddbcleanertab=croncat=all&" Other pages are affected...
Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Go to Settings - Loading Page, in the "Display loading screen in" settings, select either "specific pages" or...
LearnPress < 4.1.6.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC Fixed in 4.1.6.6 - https://example.com/wp-admin/admin.php?page=learn-press-settings=emails=new-order-emails" Fixed in 4.1.6.7 - With a lesson attached to the course id 243...
DX Share Selection < 1.5 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings and is lacking escaping as well as sanitisation in some of them, which could allow attackers to make a logged in admin change them and put XSS payloads in them via a CSRF attack...
Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Note: The attempted fix made in 3.2.46 and 3.2.47 were found to be insufficient PoC As a contributor, create/edit a download an...
Free Live Chat Support <= 1.0.12 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings and is lacking escaping as well as sanitisation in some of them, which could allow attackers to make a logged in admin change them and put XSS payloads in them via a CSRF attack...
404s < 3.5.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape its fields, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create/edit a new 404 via the plugin and put the following payload in the "Please enter th...
Data Tables Generator by Supsystic < 1.10.20 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Create/edit a table, go to its settings,...
OAuth 2.0 client for SSO < 1.11.4 - Authenticated Bypass
The plugin allows attackers to login as any user by just knowing their email address PoC POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded [email protected]...
CDI < 5.1.9 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting PoC...
LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Client ID" settings: "/...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL
The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element Content
The plugin does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor or above, create a post using Brizy editor and: - Add a Text Element then put the following payload: - Add an...
Best Contact Management Software <= 3.7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "No Access Message" settings...
Very Simple Breadcrumb <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Breadcrumb css class name" settings of the plugin: "...
Import CSV Files <= 1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting PoC...
WooCommerce PDF Invoices & Packing Slips < 2.16.0 - Reflected Cross-Site Scripting
The plugin doesn't escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks. PoC https://example.com/wp-admin/admin.php?page=wpowcpdfoptionspage=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22...
Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF
The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status draft, published, slug, post date, comment status enabled, disabled and more. PoC The following PoC codes a...
WP Maintenance Mode & Coming Soon < 2.4.5 - Subscribed Users Deletion via CSRF
The plugin is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack PoC...
Analytify < 4.2.1 - Reflected Cross-Site Scripting
The plugin does not escape the current URL before outputting it back in a 404 page when the 404 tracking feature is enabled, leading to Reflected Cross-Site Scripting PoC When 404 tracking is enabled: https://example.com/aa404bb?aalert/XSS/...
WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
The plugin is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles PoC Go to WooCommerce - Settings - Payments tab, enable BAC Bank Account Transfers and edit the title in the setup dialog. HTML can be injected there, and will be rendered both f...
WP Opt-in <= 1.4.1 - Arbitrary Settings Update via CSRF
The plugin is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails. PoC...
WP OAuth Server ( Login with WordPress ) < 4.0.1 - Authentication Bypass
The plugin is affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the client’s...
Cache Images < 3.2.1 - Image Upload / Import via CSRF
The plugin does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack. PoC Allows import of any images with any user level...
WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC 1. Navigate to Settings -Duplicate Page - Duplicate Page Settings and enter the XSS payload into...
Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltredhtml is disallowed PoC Create/edit a subscription, enabled the GDPR options in it and add the following payload in the "confirmation text"...
Bold Page Builder < 4.3.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC 1. Navigate to Settings - Bold Builder - Bold Builder Settings and enter "" into the "Color...
Give < 2.21.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/edit.php?posttype=giveforms=give-tools" https://example.com/wp-admin/edit.php?posttype=giveforms=give-tools=import" Other pages are also affec...
WP Event Manager < 3.1.28 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting PoC Against any authenticated user: https://example.com/event-dashboard/?searchkeywords=aaaa"...
Popup Builder < 4.1.1 - Popup Status Change via CSRF
The plugin does not have CSRF check in place when updating Popup status, which could allow attackers to make a logged in admin update them via a CSRF attack...
GiveWP < 2.21.0 - Donor Information Disclosure
The plugin exposes a REST endpoint to unauthenticated users and disclosing donor information...
Comment License < 1.4.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Shortcut Macros <= 1.3 - Subscriber+ Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them. PoC Open the following HTML code while being logged in as a subscriber, or make any logged in user open it via a CSRF attack...
WP Paginate < 2.1.9 - Admin+ Stored Cross-Site Scripting
The plugin does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Put the following payload on the Preset settings of the plugin: '+accesskey="X"+onclick="alert1"'...
WP Championship < 9.3 - Multiple CSRF
The plugin is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site...
Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection PoC...
BuddyPress Group Reviews < 2.8.4 - Subscriber+ Arbitrary Settings Update & Review Modification
The plugin is missing capability and CSRF checks in various of its AJAX functions available to any authenticated users, which could allow users with a role as low as subscriber to update arbitrary settings and modify reviews...
Button Widget Smartsoft <= 1.0.1 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, as well as put XSS payloads in them due to the lack of sanitisation and escaping...
FoxyShop < 4.8.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/edit.php?posttype=foxyshopproduct=foxyshoptools=error=...
Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF
The plugin does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
WooCommerce - Product Importer <= 1.5.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC POST /wp-admin/admin.php?page=woopi=import HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
MashShare <= 3.8.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...