14604 matches found
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users PoC curl 'https://example.com/index.php?restroute=/xs-donate-form/payment-redirect/3' \ --data '"id": "SELECT 1 FROM...
WooCommerce Green Wallet Gateway < 1.0.2 - Reflected Cross Site Scripting in checkout page
The plugin does not escape the errorenvision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability. PoC 1. Enable greenwallet-gateway as a woocommerce payment gateway 2. add something in your cart and visit the checkout page 3. visit...
Easy FAQ with Expanding Text <= 3.2.8.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Put the following payload in any of the plugin's settings such as Font size, Font Color and save: "...
WP Statistics < 13.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise the REQUESTURI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting XSS in web browsers which do not encode characters PoC GET /wp-admin/admin.php?page=wpssettingspage= HTTP/1.1 Accept:...
Quotes llama < 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. The attack could also be performed by tricking an admin to import a malicious CSV file PoC Create/edit a quote and p...
Simple Real Estate Pack <= 1.4.8 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Put the following payload in the plugin's settings such as "Consumer Key": "...
Amazon Link <= 3.2.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC Put the following payload in settings such as the "AWS Public Key": "...
StaffList < 3.1.7 - Reflected Cross-Site Scripting
The plugin does to sanitise and escape a parameter before outputting it back in various places in an admin page, leading to a Reflected cross-Site Scripting PoC v v 3.1.7 - https://example.com/wp-admin/admin.php?page=stafflist=aa' style=animation-name:rotation onanimationstart=alert/XSS///...
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update
The plugin does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector PoC curl --url...
No Future Posts <= 1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Put the following payload in any of the plugin's settings such as Exclude posts IDs and save: " autofocus onfocus=alert/XSS//...
User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC An an admin -...
HPB Dashboard <= 1.3.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC Put the following payload in the plugin's settings: "...
Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC In a form settings, put the following payload in the Actions after submission Action Type Custom...
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC As administrator, put the following payload in any of the plugin's settings and save: "...
Slideshow <= 2.3.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Slideshow settings, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks PoC As author and above, create/edit a slideshow and put the following payload in the "Number of seconds the slide takes to slide in...
Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC The teamcolor field ie "Main color" setting of a team is affected POST /wp-admin/post.php HTTP/1.1 Accept:...
Logo Slider <= 1.4.8 - Admin+ SQLi
The plugin does not sanitise and escape the lspsliderid parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection PoC https://example.com/wp-admin/admin.php?page=manageimagessliderid=1+AND+SELECT+7741+FROM+SELECTSLEEP5hlAf...
Birthdays Widget <= 1.7.18 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC As admin, create/edit a Birthday and add the following payload in the Name field:...
Note Press <= 0.1.10 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections PoC https://example.com/wp-admin/admin.php?page=NotePress-Main-Menu=view=17+AND+SELECT+3630+FROM+SELECTSLEEP5KdTt...
BannerMan <= 0.2.4 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfilteredhtml is disallowed such as in multisite PoC As administrator, put the following payloads in the mentioned settings of the plugin...
Slideshow <= 2.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC As admin, put the following payload in the "Number of seconds the...
Call&Book Mobile Bar <= 1.2.2 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC Put the following payload in any of the plugin's settings: "...
Note Press <= 0.1.10 - Admin+ SQLi via Bulk Actions
The plugin does not sanitise and escape the ids from the bulk actions before using them in a SQL statement in an admin page, leading to an SQL injection PoC...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection PoC https://example/wp-admin/admin.php?page=fmweseditproduct=1+AND+SELECT+6037+FROM+SELECTSLEEP5Uiuu...
JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF
The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. PoC XSS will be triggered...
CP Image Store with Slideshow < 1.0.68 - Unauthenticated SQLi
The plugin does not sanitise and escape the orderingby query parameter before using it in a SQL statement in pages where the codepeople-image-store is embed, allowing unauthenticated users to perform an SQL injection attack PoC On a page where the codepeople-image-store is embed, append the...
Note Press <= 0.1.10 - Admin+ SQLi via Update
The plugin does not sanitise and escape the Update parameter before using it in a SQL statement when updating a note via the admin dashboard, leading to an SQL injection PoC POST /wp-admin/admin.php?page=NotePress-Main-Menu=edit=17 HTTP/1.1 Accept:...
External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. PoC On any post on the affected site, add the following link to a comment: Click here for XSS-'/ Click on the link, you should be getting an alert box...
Realty Workstation < 1.0.15 - Agent SQLi
The plugin does not sanitise and escape the transedit parameter before using it in a SQL statement when an agent edit a transaction, leading to an SQL injection PoC As a logged in agent: https://example.com/workstation/?transactions=opentransactionsedit=1%20AND%20SELECT%2042%20FROM%20SELECTSLEEP5...
amtyThumb <= 4.2.0 - Subscriber+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user and not just Author+ like the original advisory mention due to the fact that they can execute shortcodes via an AJAX...
External Links in New Window / New Tab < 1.43 - Tabnabbing
The plugin does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur. PoC Create an external link, check window.opener in the newly opened tab after clicking the external link...
WP 2FA < 2.2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=wp-2fa-settingserror=...
PNG to JPG < 4.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, allowing attackers to make a logged in admin do such action via a CSRF attack which could lead to Stored XSS issues due to the lack of sanitisation and escaping in some of them...
Remove CPT Base < 5.9 - CPT Deletion via CSRF
The plugin does not have CSRF check in place when deleting the custom post type CPT, allowing attackers to make a logged in admin do such action via a CSRF attack...
Andrea Pernici News Sitemap for Google <= 1.0.16 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Code Snippets Extended <= 1.4.7 - RCE via CSRF
The plugin could allow attackers to perform RCE by using a CSRF attack against a logged in admin...
Poll Maker < 4.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfilteredhtml is disallowed PoC Put the following payload in any of the Mailchimp integration settings...
WP Slider <= 1.4.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed...
Disable Right Click For WP <= 1.1.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Image Hover Effects Ultimate < 9.7.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting...
Checkout Files Upload for WooCommerce < 2.1.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape filenames before outputting them back in order confirmation page, leading to a Reflected Cross-Site Scripting...
Helpful < 4.5.15 - Votes Tampering
The plugin allowed users to vote more than once, which could allow attackers to increase votes drastically on some posts...
WP JS <= 2.0.6 - Reflected Cross-Site Scripting
The plugin contains a script called wp-js.php with the function wpjsadmin, that accepts unvalidated user input and echoes it back to the user, leading to a Reflected Cross-Site Scripting...
Smush < 3.9.9 - Admin+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious...
VikBooking < 1.5.9 - Reflected Cross-Site Scripting
The plugin does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/?test%22-alert/XSS/-%22 https://example.com/wp-admin/profile.php?test%22-alert/XSS/-%22...
Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads PoC As an author or above, upload the below SVG file via the Media library: The XSS will be triggered when accessing the file directly, e.g...
StaffList < 3.1.6 - Reflected Cross-Site Scripting
The plugin does to sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=stafflist=1=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
Content Mask < 1.8.4.1 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options PoC POST /wp-admin/admin-ajax.php...
Breeze < 2.0.3 - Subscriber+ Arbitrary Settings Update to Stored XSS
The plugin is lacking authorisation, CSRF and sanitisation in its AJAX actions available to any authenticated users, which could allow any logged in user to change the plugin's settings and perform XSS attacks...
StaffList < 3.1.6 - Arbitrary Staff Deletion via CSRF
The plugin does not have CSRF check in place when deleting staff members, which could allow attacker to make a logged in admin perform such action and delete arbitrary staff via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=stafflist=last=1=1...