14604 matches found
Donations <= 1.8 - Unauthenticated SQLi
The plugin does not sanitise and escape the nddonationsid parameter before using it in a SQL statement via the nddonationssinglecauseformvalidatefieldsphpfunction AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection PoC Create a new "Cause" and fill out the...
Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Add/Edit a message and put the...
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
The plugin does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack PoC...
SearchIQ < 3.9 - Unauthenticated Stored XSS
The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siqajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter PoC Once the plugin is...
Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed PoC Create/edit a Download and put the following payload in the File Name field: Download...
Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF
The plugin is lacking CSRF checks in various AJAX actions, such as ecadminajaxsavedesignsettings, which could allow attackers to make a logged in admin update arbitrary settings PoC To disable the Live Design Editor To set the custom CSS setting to body background-color: red;...
Good & Bad Comments <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any of the plugin's settings: "...
Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting
The plugin does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting PoC The issue is only exploitable when there are no forms created yet...
Text Hover < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC As admin, put the following in the plugin's settings: test = " Tick the "Enable text hover in...
Modern Events Calendar Lite < 6.4.7 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC On a page where the Total Booking widget is displayed, append the following payload: "...
Page Security & Membership <= 1.5.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the "Force Public Pages" settings of the plugin...
Tatsu < 3.3.12 - Unauthenticated RCE
The plugin addcustomfont action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover,...
Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read
The plugin does not validate the path parameter given to readfile, which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique PoC...
Safe SVG < 1.9.10 - SVG Sanitisation Bypass
The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent mainly XSS, but depending on further use of uploaded SVG...
Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
The plugin does not sanitise and escape the month parameter before using it in a SQL statement via the getmonthlytimetable AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Go to Hummingbird's Settings Configs edit the "Name and Description" and put the followi...
Amministrazione Aperta < 3.8 - Admin+ LFI
The plugin does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file generates a fatal error when accessed directly and the affected...
Simple Event Planner < 1.5.5 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Event Options, such as eventorganiser, organiseremail and organisercontact which could allow users with a role as low as author to perform Cross-Site Scripting attacks...
WP Downgrade < 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfilteredhtml capability is disallowed PoC Access the settings of th...
Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE
The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user Admin+ to inject arbitrary HTML or javascript even with unfilteredhtml disallowed, leading to a stored cross-site scripting XSS vulnerability. Further it is also possible to inje...
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
The plugin does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or o...
Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting
The plugin does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin Translator and Administrator by default to add arbitrary javascript payloads to the source...
Ninja Forms < 3.6.8 - Unauthenticated Email Address Disclosure
The plugin does not delete the temporary files created when exporting submissions, which could allow unauthenticated attackers to download them and get sensitive information such as the email address of users who submitted a form given that the file is publicly accessible, and with a guessable na...
Easy Social Icons < 3.2.1 - Unauthenticated Arbitrary Icon Deletion
The plugin does not have authorisation and CSRF checks when deleting icons, allowing unauthenticated user to delete arbitrary icons PoC https://example.com/?cnss-delete==1...
Easy Smooth Scroll Links < 2.23.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any text field settings of the plugin for example Scroll Speed...
Easy Social Icons < 3.2.1 - Admin+ Stored Cross-Site Scripting in add icon
The plugin does not properly escape the imagefile field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfilteredhtml capability is disallowed. Version 3.2.0 adressed some of the issues, but was still vulnerable when clicking to edit the...
Advanced Booking Calendar < 1.7.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue PoC...
Yoo Slider < 2.1.0 - Arbitrary Slider Duplication/Deletion via CSRF
The plugin does not have CSRF in place when duplicating and deleting sliders, which could allow attackers to make logged in users perform such actions...
Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure
The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data PoC Make a booking to get a customer account Login via API and get access token: curl...
Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Media Optimole...
Favicon by RealFaviconGenerator < 1.3.23 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the jsonresulturl parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue PoC...
Advanced Booking Calendar < 1.7.1 - Admin+ SQLi
The plugin does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks PoC Edit an existing Seasons & Calendars /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars and tamper the ...
Podcast Importer SecondLine < 1.3.8 - Admin+ SQLi
The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file PoC Put the XML below on a web server replacing the PAYLOAD with the correct one, then import a podcast...
One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files such as PHP even when FILEMODS and FILEEDIT are disallowed PoC Access Tools Import One Click Demo Import Run Importer and import dummy XML file can be empty Intercept the request...
Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure
The plugin does not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. PoC Although the API only...
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbotsgravafingerprint AJAX action, available to unauthenticated users, leading to a SQL injection PoC curl -i 'https://example.com/wp-admin/admin-ajax.php' --data...
LearnPress < 4.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the lp-dismiss-notice before outputting it back via the lpbackgroundsingleemail AJAX action, leading to a Reflected Cross-Site Scripting PoC...
Responsive Menu < 4.1.8 - Subscriber+ Arbitrary File Upload / Theme Deletion / Plugin Settings Update
The plugin is missing authorisation on multiple of its AJAX actions such as savemenuglobalsettings, and relying on CSRF nonces which are disclosed to any authenticated users. As a result, it could allow them to call the affected actions and lead to arbitrary file upload, theme deletion as well as...
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
The plugin uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. PoC...
iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process,...
GridKit Portfolio < 2.1.0 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages...
Easy Social Icons < 3.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its saved settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed. 3.1.3 added some escaping, but data was output elsewhere PoC Put the...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword
The plugin does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form PoC Append the following payload on a page containing a Post Grid with a search form:...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via post_types
The plugin does not sanitise and escape the posttypes parameter before outputting it back in the response of the postgridupdatetaxonomiestermsbyposttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting PoC...
Sassy Social Share < 3.3.40 - Reflected Cross-Site Scripting
The plugin does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled which is the default setting, leading to a Reflected Cross-Site Scripting issue. Note: Vendor was notified on September 14th, 2021. PoC...
NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality
An unprivileged user could use the functionality of the plugin to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain. PoC Search for a vulnerable domain with the dork:...
Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion
The plugin is using an outdated version of the elFinder library, which is know to be affected by security issues CVE-2021-32682, and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, a...
MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution
The plugin allows a high privileged user to bypass the DISALLOWFILEEDIT and DISALLOWFILEMODS settings and upload arbitrary files to the site through the "ajaxsave" function. The file is written relative to the current theme's stylesheet directory, and a .php file extension is added. No validation...
Ad Inserter < 2.7.12 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the REQUESTURI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters PoC In a browser which does not encode characters:...
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure
The plugin does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerabilit...