14604 matches found
Advanced Uploader <= 4.2 - Subscriber+ Arbitrary File Upload
The plugin allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE PoC As any authenticated user, upload a PHP file via /wp-admin/upload.php?page=adv-file-upload The file will be at https://example.com/wp-content/uploads/2022/03/.php...
th23 Social <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the plugin's settings...
Advanced Image Sitemap <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the PHPSELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/options-general.php/%22%3E%3Csvg/onload=alert/xss/%3E?page=ais...
BMI BMR Calculator <= 1.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting PoC...
Videos sync PDF <= 1.7.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when editing a video, and does not escape some of its fields, which could allow attackers to make a logged in admin change them and lead to Stored Cross-Site Scripting issues PoC...
MapSVG < 6.2.20 - Unauthenticated SQLi
The plugin does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users. PoC https://example.com/wp-json/mapsvg/v1/maps/2?id=1%27%20AND%20SELECT%2042%20FROM%20SELECTSLEEP5b--+...
Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure
The plugin does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 104 Accept: application/json, text/javascript, /; q=0.01...
VikBooking Hotel Booking Engine & PMS < 1.5.4 - Booking Data Disclosure
The plugin has guessable booking IDs, which could allow attackers to retrieve booking data via an IDOR in the search request...
VikBooking Hotel Booking Engine & PMS < 1.5.4 - Unauthenticated Arbitrary File Upload
The plugin does not properly validate the signature file uploaded via its booking form, which could allow unauthenticated attacker to upload arbitrary files...
Personal Dictionary < 1.3.4 - Unauthenticated SQLi
The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability. PoC 1. Create a new page with the plugin's shortcode shortcode can be copied from...
Ubigeo de Peru < 3.6.4 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections PoC curl https://example.com/wp-admin/admin-ajax.php \ --data...
Slide Anything < 2.3.44 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Create/edit a Slider with the plugin and put the following payload in a Slide...
WP Maintenance < 6.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape multiple of its settings, which could allow high privileged users such as admin to perform Cross-Site Scripting attack when the unfilteredhtml is disallowed...
MicroPayments < 1.9.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF in place when updating its settings, which could allow attacker to make a logged in admin perform such action via a CSRF attack...
Simple Ajax Chat < 20220216 - Log Clearing & Arbitrary Chat Message Deletion via CSRF
The plugin does not have CSRF check in place when clearing chat logs and deleting a chat message, which could allow attackers to make a logged in admin perform such actions via a CSRF attack...
Simple Ajax Chat < 20220216 - Sensitive Information Disclosure
The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it...
KB Support <= 1.5.5 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape multiple parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
Fancy Product Designer < 4.7.6 - Arbitrary File Upload via CSRF
The plugin is vulnerable to Cross-Site Request Forgery via the FPDAdminImport class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server via a CSRF attack...
WP 2FA < 2.2.0 - Arbitrary 2FA Disabling via IDOR
The plugin does not properly check for authorisation when disabling 2FA, allowing users to disable the protection of other users via an IDOR attack...
Modern Events Calendar Lite < 6.5.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...
SEMA API < 4.02 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users PoC v 3.64: curl http://example.com/wp-admin/admin-ajax.php --data 'action=getsemadata=attributes=-3 UNION ALL...
BadgeOS <= 3.7.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievementsonly=trueid=11 AND SELECT 9628 FROM...
IgniteUp <= 3.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some fields when high privilege users don't have the unfilteredhtml capability, which could lead to Stored Cross-Site Scripting issues PoC Customise a template from the plugin /wp-admin/admin.php?page=cscstemplates and put the following payload in the...
Admin Menu Editor <= 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/options-general.php?page=admin-menu-restriction="...
Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload
The plugin is lacking capability check in a function hooked to admininit introduced in v3.6.0, and only relying on a CSRF check. As the nonce is available to any authenticated users, they could call it and upload a malicious zip archive containing arbitrary files via a subsequent call, leading to...
WP Social Buttons <= 2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Delay Time General Settings or Top Margin Advanced Settings of the...
Easily Generate Rest API Url <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the "Post Per Page" or "Enter Search Text": settings of the plugin: "autofocu...
CalderaWP License Manager <= 1.2.11 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back, leading to a Reflected Cross-Site Scripting...
Popup Maker < 1.16.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Popup Maker Create Popup Popup Settings Triggers Add New Cookie Add...
Multiple Plugins from Cool Plugins - Subscriber+ Arbitrary Plugin Installation & Activation
Multiple plugins from the Cool Plugins vendor are missing capability and proper CSRF check in the coolpluginsinstall and coolpluginsactivate AJAX actions, available to any authenticated users, allowing them to install and activate arbitrary plugins via an archive hosted on a remote server they...
Themify - Post Type Builder Search Addon < 1.4.0 - Reflected Cross-Site Scripting
The plugin does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability. PoC On a page or post with a search form, add the following url query parameter: ?%22%3E%3Cscript%3Ealert1%3C/script%3E...
Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection PoC curl 'http://example.com/?restroute=/olistener/new' --data '"id":" SELECT SLEEP3"' -H 'content-type: application/json'...
SiteSuperCharger < 5.2.0 - Unauthenticated SQLi
The plugin does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions available to both unauthenticated and authenticated users, leading to Unauthenticated SQL Injections PoC curl https://example.com/wp-admin/admin-ajax.php --data...
Adrotate < 5.8.23 - Admin+ XSS via Advert Name
The plugin does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit an Advert and put the following payload in the Name field: " The XSS will be triggered when...
Wbcom Designs Plugins - Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Multiple Plugins from Wbcom Designs have an AJAX action without authorisation and CSRF checks, allowing any logged in user to install, activate or deactivate a plugin on the site. PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "body":...
Fast Flow < 1.2.11 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting PoC...
Import WP < 2.4.6 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files such as PHP, leading to RCE PoC Import a PHP file via an URL Tools Import WP Add Importer put any name, and post template Create Importer Remote File select any file...
Photo Gallery < 1.6.3 - Unauthenticated SQL Injection
The plugin does not properly escape the $POST'filtertag' parameter, which is appended to an SQL query, making SQL Injection attacks possible. PoC POST /wp-admin/admin-ajax.php?imageid=123 HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: zh,en;q=0.5 Accept-Encoding:...
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks PoC Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries=trash=2 Since entry permanent deletion:...
All In One WP Security < 4.4.11 - Authenticated Arbitrary Redirect / Reflected XSS
The plugin does not validate, sanitise and escape the redirectto parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of...
Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Yoo Slider < 2.1.0 - Arbitrary Slider Creation/Edition via CSRF
The plugin does not have CSRF check in place when creating and editing sliders, which could allow attackers to make a logged in admin create and edit arbitrary slider via a CSRF attack...
Responsive Tabs < 4.0.6 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks PoC As author or above, create/edit a new Tab and put the following payload as its content:...
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues PoC As admin, import the below CSV file via Tools Import and export users and customers /wp-admin/tools.php?page=ac...
eRoom < 1.3.9 - Cache Deletion via CSRF
The plugin does not have CSRF check in place when deleting cache, which could allow attackers to make logged in users delete cache via a CSRF attack...
HubSpot < 8.8.15 - Contributor+ Blind SSRF
The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the editposts capability by default contributor and above to perform SSRF attacks PoC As an authenticated user with the editposts capability, get REST nonce via...
eRoom < 1.3.8 - Sync Meetings via CSRF
The plugin does not have CSRF check in place when syncing meetings, which could allow attackers to make logged in users perform such action via a CSRF attack...
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the userscanregister and defaultrole,...
Adrotate < 5.8.23 - Admin+ XSS via Group Name
The plugin does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit a group and put the following payload in the Name field: " style=animation-name:rotation...
Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting
The plugin does not properly sanitize the $GET'imageurl' variable, which is reflected back to the users when executing the editimagebwg AJAX action. PoC...