14604 matches found
Google XML Sitemaps < 4.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "Try ...
WP-Email < 2.69.0 - Log Deletion via CSRF
The plugin does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack PoC...
Easy Pricing Tables < 3.1.3 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Plausible Analytics < 1.2.4 - Subscriber+ Arbitrary Settings Update
The plugin has a flawed logic when checking for authorisation and CSRF before updating its settings, allowing any authenticated users, such as subscriber, to update the plugin's settings. The attack is also possible via CSRF against any authenticated user. PoC POST /wp-admin/admin-ajax.php HTTP/1...
Admin Management Xtended < 2.4.5 - Multiple CSRF
The plugin does not have CSRF in various places and actions, allowing attackers to make a logged in users perform unauthorised actions on their behalf via CSRF attacks...
Image Slider by NextCode <= 1.1.2 - Multiple CSRF
The plugin does not have CSRF in various places and actions, allowing attackers to make a logged in users perform unauthorised actions on their behalf via CSRF attacks...
Post Grid, Slider & Carousel Ultimate < 1.5.0 - Admin+ Stored XSS
The plugin does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create a new Grid/Caroussel, in the General Settings, enable "Display Header Title" and put the...
Seamless Donations < 5.1.9 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC Some link: https://google.com...
underConstruction < 1.20 - Construction Mode Deactivation via CSRF
The plugin does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack PoC...
Hotel Booking <= 3.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Image Slider by NextCode <= 1.1.2 - Arbitrary Slide Deletion via CSRF
The plugin does not have CSRF in place when deleting slides, allowing attackers to make a logged in admin perform such action via a CSRF attack...
underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletredhtml capability is disallowed. PoC In the plugin's settings, active Under Contraction...
Mail Subscribe List < 2.1.4 - Arbitrary Subscribed User Deletion via CSRF
The plugin does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list PoC...
Image Slider by NextCode <= 1.1.2 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
Private Messages For WordPress <= 2.1.10 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...
Private Messages For WordPress <= 2.1.10 - Arbitrary Message Sent via CSRF
The plugin does not have CSRF in place when sending messages, allowing attackers user sent arbitrary message on their behalf via a CSRF attack...
WP Statistic < 13.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Stored Cross-Site Scripting attacks when unfiltredhtml is disallowed...
Ocean Extra < 1.9.5 - Reflected Cross-Site Scripting
The plugin does not escape generated links which are then used when the OceanWP theme is active, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/?step=demo=owpsetup"...
Rating by BestWebSoft < 1.6 - Rating Denial of Service
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating PoC Under Settings - Discussion, uncheck "Comment must be manually approved" Install and Enable Rating BestWebSoft plugin Change...
Private Files <= 0.40 - Protection Disabling via CSRF
The plugin is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public PoC That will also delete the .htaccess...
Core Control <= 1.2.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Genki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings. PoC...
RB Internal Links <= 2.0.16 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, as well as perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping PoC...
One Click Plugin Updater <= 2.4.14 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable / hide the badge of the available updates and the related check. PoC...
Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS
Due to missing checks the plugin is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings PoC...
Simple Membership < 4.1.1 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin-ajax.php?action=swpmvalidateemail=%22%3Cscript%3Ealert%22XSS%22;%3C/script%3E...
LaTeX for WordPress <= 3.4.10 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which could also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping PoC...
Filr - Secure Document Library < 1.2.2.1 - Subscriber+ AJAX Calls
The plugin does not have authorisation check in two of its AJAX actions, allowing them to be called by any authenticated users, such as subscriber. They are are protected with a nonce, however the nonce is leaked on the dashboard. This could allow them to upload arbitrary HTML files as well as...
postTabs <= 2.10.6 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping PoC...
Change Uploaded File Permissions <= 4.0.0 - File Permission Update via CSRF
Due to missing checks the plugin is vulnerable to CSRF attacks. This can be used to change the file and folder permissions of any folder. This could be problematic when specific files like ini files are made readable for everyone due to this. PoC...
Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them PoC...
Keep Backup Daily < 2.0.3 - Reflected Cross-Site Scripting
The plugin does not escape and sanitise the t parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting...
WP Admin Style <= 0.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Put the following payload in the CSS settings of the plugin:...
Sticky Popup <= 1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitise the popuptitle setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed...
Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. PoC Create/edit a calendar, and put the following payload in the "Additional CSS Class" settings of...
Newsletter < 7.4.5 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the $SERVER'REQUESTURI' before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below. PoC...
Sideblog <= 6.0 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping PoC The XSS will be triggered in the Sideblog widget...
Peter’s Collaboration E-mails <= 2.2.0 - Arbitrary Settings Update via CSRF
The plugin is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more. PoC...
Zephyr Project Manager < 3.2.41 - Reflected Cross-Site Scripting
The plugin does not escape and sanitise the project parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting...
WP-chgFontSize <= 1.8 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping PoC...
New User Email Set Up <= 0.5.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Like Button Rating < 2.6.45 - Arbitrary e-mail Sending
The plugin allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body PoC As a subscriber, run the below command in the web developer console of the browser fetch"/wp-admin/admin-ajax.php?action=likebtntestvotenotification", "headers":...
Minimal Coming Soon – Coming Soon Page < 2.35 - Multiple Authenticated Stored XSS
The plugin does not sanitize or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them, which will be triggered in the backend. A PoC As admin, put the following in the Custom CSS setting...
KiviCare < 2.3.9 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajaxpost AJAX action with the getdoctordetails route, leading to SQL Injections exploitable by unauthenticated users PoC With at least one doctor created via the plugin: v 2.3.4 curl...
Slideshow, Image Slider by 2J <= 1.3.54 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in a page accessible to contributors and above, leading to a Reflected Cross-Site Scripting...
Export any WordPress data to XML/CSV < 1.3.5 - Admin+ SQL Injection
The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability. PoC 1. Go to the All Export New Export screen in the WordPress admin. 2. Now click on Specific Post Type Posts. 3. Click now on Migrate...
Google Tag Manager for WordPress < 1.15.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the s parameter before outputting it back in a page when the search data is included in the data layer related settings is Basic data Search data...
Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users PoC...
Latest Tweets Widget <= 1.1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
HC Custom WP-Admin URL <= 1.4 - Unauthenticated Secret URL Disclosure
The plugin leaks the secret login URL when sending a specific crafted request PoC curl -sIXGET -H "Cookie: validloginslug=1" https://example.com/wp-login.php HTTP/2 302 x-redirect-by: WordPress location: secret...