14604 matches found
WP Subscribe < 1.2.13 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its widgets settings, which could allow high privilege users such as admin to perform Cross-Site Scripting even when unfilteredhtml is disallowed PoC Add the widget of the plugin to a page, and put the following payload in settings such as "Title",...
StaffList < 3.1.5 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection PoC https://example.com/wp-admin/admin.php?page=stafflist=test%'+AND+SELECT+42+FROM+SELECTSLEEP5b+AND+'aa%'='aa...
Check & Log email < 1.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=check-email-settings="...
Nirweb support < 2.8.2 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an SQL injection PoC curl https://example.com/wp-admin/admin-ajax.php --data 'action=answerdticketform=1 UNION ALL SELECT NULL,NULL,SELECT...
Tabs Responsive < 2.2.8 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit a Tab via the plugin, and put the following payload in a Tab...
WP Contacts Manager <= 2.2.4 - Unauthenticated SQLi
The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability. PoC curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php?action=WPContactsManagercall=get-contact' \ --data '"id":"1\u0027...
WP Meta SEO < 4.4.7 - Admin+ Stored Cross-Site Scripting via breadcrumbs
The plugin does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed. PoC As admin, put the following payload in the Breadcrumb...
Ultimate Member < 2.3.2 - Open Redirect
The plugin is vulnerable to open redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims...
Countdown & Clock <= 2.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed...
All-in-One WP Migration < 7.59 - Admin+ File Deletion on Windows Hosts via Path Traversal
The plugin is vulnerable to arbitrary file deletion via directory traversal due to insufficient file validation via the /lib/model/class-ai1wm-backups.php file which can be exploited by administrative users, and users who have access to the site’s secret key on WordPress instances with Windows...
Hermit <= 3.1.6 - Subscriber+ SQLi
The plugin does not sanitise and escape the ids parameter before using it in a SQL statement, leading to a SQL injection...
Hermit <= 3.1.6 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in when creating a source, and does not sanitise as well as escape the title, which could allow attackers to make a logged in user create an arbitrary source with an XSS payload in it...
Hermit <= 3.1.6 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection...
Footer Text <= 2.0.3 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF in place when updating its settings, and is lacking sanitisation as well as escaping in them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks...
Countdown & Clock <= 2.3.2 - Pro Features Lock Bypass
The plugin does not properly lock its Pro features which could allow high privilege users such as admin to bypass the restriction and use them...
Hermit <= 3.1.6 - Arbitrary Cache/Source Deletion & Source Creation via CSRF
The plugin does not have CSRF checks in multiple actions, which could allow attackers to make logged in users perform them via CSRF attacks...
Ravpage <= 2.16 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various base64 encoded parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting...
Countdown & Clock < 2.3.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ycdtype parameter before outputting back in a page, leading to a Reflected Cross-Site Scripting...
WP-Invoice <= 4.3.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attacker to make a logged in admin update them and change the minimum role allowed to access the plugin's features to subscriber for example, which would make invoices available to any authenticated users P...
Coru LFMember <= 1.0.2 - Arbitrary Game Deletion/Activation via CSRF
The plugin does not have CSRF in place when deleting and activating games, which could allow attacker to make a logged in admin perform such actions PoC...
Booking Calendar < 9.1.1 - PHP Object Injection
The plugin unserializes user data without being validated first, which could allow attackers to perform PHP object injection attack. If a timeline is published, unauthenticated attackers could perform such attack, otherwise any authenticated could. A suitable POP chain, from another plugin for...
Vertical scroll recent post < 14.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/options-general.php?page=vertical-scroll-recent-post=editid=0%22%3E%3Csvg%2Fonload%3Dalert%28%2Fxss%2F%29%3E...
Coru LFMember <= 1.0.2 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in their settings, allowing attacker to make a logged in admin add an arbitrary game with XSS payloads PoC...
Psychological tests & quizzes <= 0.21.19 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings available to users with a role as low as contributor, allowing them to perform Cross-Site Scripting attacks...
Tripetto < 5.2.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate uploaded attachment files, which could allow unauthenticated users to upload malicious SVG and lead to Cross-Site Scripting...
Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a slider, put the following payload in the CSS settings and save: The XSS wil...
Turn off all comments <= 1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the rows parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/tools.php?page=toac=success=%3Csvg%2Fonload%3Dalert%28%2Fxss%2F%29%3E...
Domain Replace <= 1.3.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=dr-convert=%3Csvg%2Fonload%3Dalert%28%2Fxss%2F%29%3E...
Donate Extra <= 2.02 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected cross-Site Scripting PoC...
WP-Invoice <= 4.3.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them PoC...
Gmedia Photo Gallery < 1.20.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed PoC https://youtu.be/kTMg65teTvU...
Call Now Button < 1.1.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled PoC With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button=xxxxx" accesskey=X onclick=alert/XSS/...
Night Mode < 1.4.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks woven when unfilteredhtml is disallowed...
3xSocializer <= 0.98.22 - Subscriber+ SQLi
Description The plugin does not sanitise and escape some parameter before using them in SQL statements, leading to SQL Injections...
ScrollReveal.js Effects <= 1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Put the following payload in any of the plugin's settings such as Opacity: "...
Tracked Tweets <= 0.2.9 - Stored Cross-Site Scripting via CSRF
The plugin does not have SCRF check when updating its settings, as well as does not sanitise and escape them when outputting them back. This could allow attackers to make a logged in admin update them to arbitrary values, including XSS payloads, via a CSRF attack PoC...
ShortPixel Adaptive Images < 3.4.0 - Subscriber+ Arbitrary Settings Update
The plugin does not have any authorisation when updating its settings via an AJAX action, allowing any authenticated users, such as subscriber to change them...
WPC Smart Wishlist for WooCommerce < 2.9.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. PoC Against any authenticated user:...
WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting
The plugin adds a subtitle field and provides a shortcode to display it via wpsubtitle. The subtitle is stored as a custom post meta with the key: "wpssubtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button via AJAX ...
Content Egg < 5.3.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=content-egg-autoblog-edit"...
Tracked Tweets <= 0.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting issue PoC All parameters from the settings page are affected...
Metform Elementor Contact Form Builder < 2.1.4 - Unauthenticated API keys and Secrets Disclosure
The is vulnerable to sensitive information disclosure due to improper access control in the /core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs such as PayPal, Stripe, Mailchimp, Hubspot, HelpScout,...
VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. As a result, attackers could make a logged in admin add tracking campaign with XSS payloads in them via a CSRF attack PoC XSS will be triggered...
VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ PHP File Upload
The plugin does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code PoC Edit/add a Characteristics /wp-admin/admin.php?option=comvikbooking=carat and upload a fake GIF with PHP code in it as a...
Advanced Contact form 7 DB <= 1.8.7 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape a parameter from its form, which could lead to an unauthenticated Stored Cross-Site Scripting issue...
VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ Stored Cross-Site Scripting
The plugin does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC v 1.5.7 Add/edit a custom field /wp-admin/admin.php?option=comvikbooking=custom...
Rara One Click Demo Import < 1.3.0 - Arbitrary File Upload via CSRF
The plugin does not have CSRF check when uploading files, which could allow attackers to make a logged in admin upload arbitrary files via a CSRF attack...
Country Selector < 1.6.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the country and lang parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting PoC...
Social Stickers <= 2.2.9 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues. PoC...
Fusion Builder < 3.6.2 - Unauthenticated SSRF
Description The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network...