14604 matches found
Member Hero <= 1.0.9 - Unauthenticated RCE
The plugin lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. PoC curl https://example.com/wp-admin/admin-ajax.php?action=memberherosendform&memberherohook=phpinfo...
OnePress Social Locker <= 5.6.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
MailerLite < 1.5.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC The first digit of the ID must be an existing form ID...
Jupiter < 6.10.2 & JupiterX Core < 2.0.8 - Subscriber+ Privilege Escalation and Post Deletion
When the theme is installed, any logged-in user can elevate their privileges to an administrator by sending an AJAX request with the action parameter set to abbuninstalltemplate. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is...
Slideshow CK < 1.4.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Create/edit a Slideshow, add a Slide and put the following payload in the Description The XSS will be...
Log WP_Mail <= 0.1 - Email Logs Publicly Accessible
The plugin saves sent email in a publicly accessible directory using predictable filenames, allowing any unauthenticated visitor to obtain potentially sensitive information like generated passwords. PoC curl https://example.com/wp-content/plugins/logwpmail/log/LWPMAIL-20220330-success.log...
Jupiter < 6.10.2 - Subscriber+ Arbitrary Plugin Deletion
Any authenticated user, such as subscriber, can delete arbitrary plugins via the abbremoveplugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file...
Jupiter < 6.10.2 & JupiterX < 2.0.7 - Subscriber+ Path Traversal and Local File Inclusion
Any logged-in users, such as subscriber, can perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterxcploadpaneaction AJAX action present in the lib/admin/control-panel/control-panel.php file calls the loadcontrolpanelpane function. It is possible to use this action to...
WP-CRM <= 1.2.1 - CSV Injection
The plugin does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. PoC 1. Add new person and put the following CSV calculator payload into the Display Name, Phone Number and Description field and save the entry. payload : =cmd|' /C...
HC Custom WP-Admin URL <= 1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL PoC...
Themify - WooCommerce Product Filter < 1.3.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC...
JupiterX Core < 2.0.7 - Information Disclosure, Modification, and Denial of Service
Any logged in users, such as subscriber could view site configuration and logged-in users, modify post conditions, or perform a denial of service attack via the jupiterxconditionalmanager AJAX action which can be used to call any function in the includes/condition/class-condition-manager.php file...
The School Management < 9.9.7 - Unauthenticated RCE via REST api
The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. PoC curl -d 'blowfish=1' -d "blowf=system'id';" 'https://examples.com/wp-json/am-member/license'...
Code Snippets < 2.14.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting...
Webriti SMTP Mail <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Carousel CK <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Create/edit a Carousel, add a Slide and put the following payload in the Description The XSS will be...
JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update
Any logged-in user, including subscriber-level users, can access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterxapiajax actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the...
Advanced Admin Search < 1.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting. PoC Affected parameters: keyword, user, metaKey, and metaValue https://example.com/wp-admin/admin.php?page=advanced-admin-search="...
Bestbooks <= 2.6.3 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users PoC Affected parameters: credit and debit curl https://example.com/wp-admin/admin-ajax.php \ --data...
Popup Box < 2.2 - Admin+ LFI
The plugin does not properly validate the current tab used before generating a path and using it in an include statement, which could lead to LFI...
Useful Banner Manager <= 1.6.1 - Modify banners via CSRF
The plugin does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete banners from the plugin by submitting a form. PoC...
WP Athletics <= 1.1.7 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability. PoC - Log on to the site using a subscriber account. - On the page the shortcode is...
Hot Linked Image Cacher <= 1.16 - Image upload/cache abuse via CSRF
The plugin is vulnerable to CSRF. This can be used to store / cache images from external domains on the server, which could lead to legal risks due to copyright violations or licensing rules. PoC...
iQ Block Country <= 1.2.18 - Protection Bypass due to IP Spoofing
The plugin does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. PoC curl -i -H 'CF-CONNECTING-IP: 0.0.0.0' https://example.com...
Code Snippets Extended <= 1.4.7 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF in place when creating/editing snippets, as well as is lacking sanitisation and escaping in some fields, which could allow attackers to make a logged in admin create/edit arbitrary snippets and place XSS payloads in them...
WP Athletics <= 1.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting PoC http://example.com/wp-admin/admin.php?page=wp-athletics-print-rankings=true=all=all=all=1=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E...
Google Places Review < 2.0.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their...
Code Snippets Extended <= 1.4.7 - Arbitrary Snippet Deletion/Disabling via CSRF
The plugin does not have CSRF in place when deleting or disabling snippets, which could allow attackers to make a logged in admin delete them...
Opal Hotel Room Booking <= 1.2.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a parameter which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion
The plugin does not have authorisation and CSRF checks in the removeasset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. v1.0.1 added...
WP Born Babies <= 1.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks PoC As a contributor, create a new Baby item and put the following payload in any of the settings such as Birth Date, Time of Birth etc: "...
FormCraft Basic < 1.2.6 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload into a Field Label and save: The XSS will be triggered when accessing the...
Photo Gallery < 1.6.4 - Admin+ Stored Cross-Site Scripting
The plugin does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Go to Photo Gallery Global Settings Watermark Using the web browser inspector, change the input...
LiveSync for WordPress <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
The plugin does not validate the filepath parameter of its umshowuploadedfile AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads PoC As a subscriber, submit a dummy image on a page/post with a File Uplo...
Discy < 5.2 - Restore Default Settings via CSRF
The theme does not check for CSRF tokens in the AJAX action discyresetoptions, allowing an attacker to trick an admin into resetting the site settings back to defaults. PoC...
Herd Effects < 5.2.1 - Admin+ LFI
The plugin does not properly validate the current tab used before generating a path and using it in an include statement, which could lead to LFI...
Hover Effects < 2.1.1 - Admin+ LFI
The plugin does not properly validate the current tab used before generating a path and using it in an include statement, which could lead to LFI...
Counter Box < 1.2 - Admin+ LFI
The plugin does not properly validate the current tab used before generating a path and using it in an include statement, which could lead to LFI...
Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF
The plugin does not have CSRF checks in place when deleting comments either all, spam, or pending, allowing attackers to make a logged in admin delete comments via a CSRF attack PoC To delete all comments...
Video Slider - Slider Carousel < 1.4.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a video from a slider and put the following payload in the Description: , then save/update the...
Discy < 5.2 - Settings Update via CSRF
The theme lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary plugin's settings including payment methods via a CSRF attack PoC...
FiboSearch < 1.18.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Put the following payload in the Woocommerce FiboSearch Autocomplete Products - "N...
Files Download Delay < 1.0.7 - Subscriber+ Settings Reset
The plugin does not have authorisation and CSRF checks when reseting its settings, which could allow any authenticated users, such as subscriber to perform such action. PoC https://example.com/wp-admin/admin-ajax.php?action=ddlayrestoredefaults...
Donations <= 1.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting...
WordPress Forms by Pie Forms < 1.4.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Create/edit a form, go to the Form Settings - General Settings and put the following payload in the...
WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
The plugin does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form. PoC...
Quick Restaurant Reservations < 1.4.2 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via orderby
The plugin does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection PoC https://example.com/wp-admin/admin.php?page=fmwesproducts=id+AND+SELECT+7394+FROM+SELECTSLEEP5UrUZ...
Database Backup for WordPress < 2.5.2 - Arbitrary Schedule Settings Update via CSRF
The plugin does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. O...