14604 matches found
KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them PoC Create profile: fetch"https://example.com/wp-admin/admin-ajax.php?action=kccreateprofile",...
Mark Posts < 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the 'Add new markers' settings of the plugin: "autofocus onfocus=alert/XSS/ b=...
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. PoC 1. Make a booking to become...
Dropdown Menu Widget <= 1.9.7 - Subscriber+ Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing low privilege users such as subscriber to update them. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues PoC Open the following URL as a subscriber:...
Members List < 4.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters in various pages before outputting them back, leading to Reflected Cross-Site Scripting issues PoC https://example.com/wp-content/plugins/members-list/admin/view/user.php?page=%22%3E%3Cimg/src/onerror=alert/XSS/%20x...
WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting
Description Post authors are able to bypass KSES restrictions in WordPress = 5.9 and or Gutenberg = 9.8.0 due to the order filters are executed, which could allow them to perform to Stored Cross-Site Scripting attacks PoC As a user without the UNFILTEREDHTML capability, create a post containing t...
WordPress < 5.9.2 - Prototype Pollution in jQuery
Description The jQuery library used in WordPress is affected by a Prototype Pollution issue...
Material Design for Contact Form 7 <= 2.6.4 - Subscriber+ Arbitrary Settings Update leading to DoS
The plugin does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7mddismissnotice action, allowing any logged in user with roles as low as Subscriber to set arbitrary options to true, potentially leading to Denial of...
WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
Description The @wordpress/url package used in WordPress and the Gutenberg plugin is affected by a Prototype Pollution issue...
WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)
The PayPal Standard payment gateway deprecated since July 2021 of the plugin could allow attackers to mark an order as paid without actually making a payment, when PDT is enabled...
UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the updraftinterval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting XSS vulnerability. PoC https://example.com//wp-admin/options-general.php?page=updraftplusinterval"confirm1...
WP HTML Mail < 3.1.3 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/options-general.php?page=wp-html-mail=advanced"...
Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure
The plugin requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability. PoC When a guest make a booking via sending "action:...
Easy Social Icons < 3.1.4 - Admin+ SQL Injection
The plugin does not sanitize the selectedicons attribute to the cnsswidget before using it in an SQL statement, leading to a SQL injection vulnerability. PoC Author : Qerogram import requests from bs4 import BeautifulSoup BASEURL = "http://localhost:8000" id = "wordpress" pw = "wordpress" def...
FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in...
Ninja Forms File Uploads Extension < 3.3.13 - Unauthenticated Stored Cross-Site Scripting
The plugin is vulnerable to stored cross-site scripting due to missing sanitization of the files filename parameter found in the /includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites...
Google Pagespeed Insights < 4.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting PoC...
Ninja Forms File Uploads Extension < 3.3.1 - Unauthenticated Arbitrary File Upload
The plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code...
Slide Anything < 2.3.41 - Contributor+ SQLi
The plugin does not sanitise and escape some parameters before using them in a SQL statement when duplicating Sliders, which could allow users with a role as low as Contributor to perform SQL injections...
WP Block and Stop Bad Bots < 6.88 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue PoC GET / HTTP/1.1 User-Agent: '+SLEEP5-- g Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Menu Image, Icons made easy < 3.0.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggere...
Plezi < 1.0.3 - Unauthenticated Stored XSS
The plugin has a REST endpoint allowing unauthenticated users to update the plzconfigurationtrackerenable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue PoC curl -X POST...
Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a...
Wow Countdowns <= 3.1.2 - Admin+ SQLi
The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. PoC https://example.com/wp-admin/admin.php?page=mwp-countdown=del=1+AND+SELECT+5382+FROM+SELECTSLEEP5PpNt...
Title Experiments Free < 9.0.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpextitles=1 AND SELECT...
Interactive Medical Drawing of Human Body < 2.6 - Admin+ Stored XSS
The plugin does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Link settings of a body party and save the change: "alert/XSS-link/...
Akismet Privacy Policies <= 2.0.1- Reflected Cross-Site Scripting
The plugin does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/options-general.php?page=akismetprivacynoticesettingsgroup=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E...
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
The plugin allows SVG files to be uploaded by default via the dndcodedropzupload AJAX action, which could lead to Stored Cross-Site Scripting issue PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip...
Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to...
SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the dkspeakoutsendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users PoC Create a new email petition /wp-admin/admin.php?page=dkspeakoutaddnew, check x Do not send email...
Conference Scheduler < 2.4.3 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/edit.php?posttype=confworkshop=confscheduleroptions="...
Coupon Affiliates < 4.16.4.5 - Unauthenticated Stored XSS
The plugin does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. PoC curl https://example.com/wp-admin/admin-ajax.php...
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise from data, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Create a form and put the following payload in the Form Code textarea: The XSS will be triggered...
Amelia < 1.0.47 - Unauthenticated Stored XSS via lastName
The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the /src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever...
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise form data, which could allow high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via AJAX actions available to unauthenticated users, leading to SQL Injections PoC order and columns parameters are affected curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Mapping Multiple URLs Redirect Same Page <= 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the mmurspid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=mmursp-list=editid="...
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. PoC 1. Create a booking with user01 2...
Sermon Browser <= 0.45.22 - Arbitrary File Upload via CSRF
The plugin does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. PoC Or, as admin, upload a PHP file via the Sermon Files feature of the plugin. The file will be ...
Database Peek <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=ab-database-peek=wpusers="...
Bank Mellat <= 1.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=bank-mellat="...
dTabs <= 1.4 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/options-general.php?page=dtabs.php=edit="...
Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
The plugin fails to validate and sanitize the libpath parameter before it is passed into a call to require via the narnoodistributorlibrequest AJAX action available to both unauthenticated and authenticated users which results in the disclosure of arbitrary files as the content of the file is the...
Bulk Creator <= 1.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the posttype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=bulk-creatortype="...
WPC Smart Wishlist for WooCommerce < 2.9.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the key parameter before outputting it back in the wishlistquickview AJAX action's response available to any authenticated user, leading to a Reflected Cross-Site Scripting PoC The source and destination should use the https:// protocol for the exploit to...
Folders Disclosure via Outdated jQueryFileTree Library
The plugins are using the admin-page-framework framework which is shipped with the outdated and no longer maintained library jQueryFileTree known to be affected by a path traversal issue, allowing unauthenticated attackers to disclose the folder structure of the web server PoC curl...
Delete Old Orders <= 0.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=woo-delete-old-orders=3="...
Multilist Subscribe for Sendy <= 1.6.1 - Subscriber+ Arbitrary Options Update
The plugin is using an outdated version of the Freemius library 1.2.2.9, which is known to be affected by a security issue allowing any authenticated users, such as subscriber to set arbitrary blog options PoC As any authenticated user: Enable new user registrations:...
WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE
The plugin allows users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution. PoC As a contributor or above, add...
OSMapper <= 2.1.5 - Unauthenticated Arbitrary Post Deletion
The plugin contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result,...