14603 matches found
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin < 3.4.2.5 - Reflected Cross-Site Scripting.
Description The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes...
WooCommerce Easy Checkout Field Editor, Fees & Discounts < 3.5.13 - Unauthenticated Arbitrary File Upload
Description The SysBasics Easy Checkout Field Editor, Fees & Discounts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.5.12. This makes it possible for unauthenticated attackers to upload arbitrary files on t...
ProfilePress < 4.15.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its edit-profile-text-box shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC otwshortcodebutton...
Schema & Structured Data for WP & AMP < 1.27 - Authenticated Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the custom schema due to insufficient input sanitization and output escaping, allowing authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default t...
Peach Payments Gateway < 3.2.0 - Missing Authorization via peach_core_version_rollback()
Description The Peach Payments Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the peachcoreversionrollback function in versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with...
Plugin Groups < 2.0.7 - Missing Authorization to Unauthenticated Denial of Service
Description The Plugin Groups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admininit function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to change the settings of the plugin,...
Shortcodes Ultimate < 7.0.3 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its sutooltip shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Fancy Product Designer < 6.1.5 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by adminstrators. PoC - Log in as an administrator, and visit /wp-admin/. - Add a Catalog Product in /wp-admin/admin.php?page=fancyproductdesigner -...
WP SMS < 6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 6.3.4 due to insufficient input sanitization and output escaping ...
Tutor LMS < 2.6.1 - Missing Authorization
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticate...
Password Protected < 2.6.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape its Google Captcha Site Key settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Database Reset < 3.23 - Cross-Site Request Forgery to WP Reset Plugin Installation
Description The Database Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.22. This is due to missing or incorrect nonce validation on the installwpr function. This makes it possible for unauthenticated attackers to install the WP Reset...
ProfilePress < 4.15.0 - Unauthenticated Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'name' parameter due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This...
postMash – custom post order <= 1.2.0 - Unauthenticated SQL Injection
Description The postMash – custom post order plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
WP Testimonials < 1.4.4 - Authenticated (Contributor+) SQL Injection
Description The WP Testimonials plugin for WordPress is vulnerable to SQL Injection via the 'widgetid' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
Schema & Structured Data for WP & AMP < 1.27 - Contributor+ reCaptcha Key Update
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswpreviewsformrender' function, allowing authenticated attackers, with contributor access and above, to modify the plugin's stored reCaptcha site and secret keys, potentially...
Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC otwshortcodetabslayout...
Innovs HR <= 1.0.3.4 - Employee Creation via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding them as employees. PoC...
Simple Job Board < 2.11.0 - Missing Authorization to Unauthenticated Information Disclosure
Description The Simple Job Board plugin for WordPress is vulnerable to unauthorized access of data| due to insufficient authorization checking on the fetchquickjob function in all versions up to, and including, 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts,...
Sitepact's Contact Form 7 Extension For Klaviyo <= 1.0.5 - Unauthenticated SQL Injection
Description The Sitepact's Contact Form 7 Extension For Klaviyo plugin for WordPress is vulnerable to SQL Injection parameter in versions up to, and including, 1.0.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This make...
InstaWP Connect < 0.1.0.9 - Authenticated (Subscriber+) Remote Code Execution
Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server...
Page scroll to id < 1.7.9 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
File Manager Pro < 8.3.5 - Reflected Cross-Site Scripting
Description The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Ocean Extra < 2.2.5 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via custom fields due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesse...
ProfilePress < 4.15.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its login-password shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Custom Field Template < 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via $search_label
Description The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $searchlabel parameter in versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WooCommerce Google Sheet Connector < 1.3.12 - Missing Authorization
Description The WooCommerce Google Sheet Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the executepostdata function in all versions up to, and including, 1.3.11. This makes it possible for unauthenticated attackers to update...
Backup Bolt < 1.4.0 - Sensitive Data Exposure
Description The plugin is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information. PoC Access the error lo...
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure
Description The plugin contains a vulnerability that allows you to read and download PHP logs without authorization PoC 1 Admin should click on "Save as TXT file" in http://yoursite/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php 2 Then someone else can go to...
Cost of Goods Sold (COGS): Cost & Profit Calculator for WooCommerce < 3.2.9 - Reflected Cross-Site Scripting
Description The Cost of Goods Sold COGS: Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'section' parameter in all versions up to, and including, 3.2.8 due to insufficient input sanitization and output escaping. This makes it...
Widgets Controller <= 1.1 - Unauthenticated Cross-Site Scripting
Description The Widgets Controller plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will...
3D FlipBook – PDF Flipbook WordPress < 1.15.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks
Description The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...
Enjoy Social Feed <= 6.2.2 - Unauthenticated Arbitrary Instagram Account Unlinking
Description The plugin does not have authorisation and CSRF in various function hooked to admininit, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example PoC As unauthenticated, open the following URL to unlink the Instagram account of the user with...
My Calendar < 3.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The My Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset
Description The plugin does not have authorisation when resetting its database, allowing any authenticated users, such as subscriber to perform such action PoC Log in as a subscriber, access the Diagnostic tab of the plugin /wp-admin/admin.php?page=enjoyinstagrampluginoptions=diagnostic and click...
WP Setup Wizard < 1.0.8.2 - Authenticated (Subscriber+) Full Database Download
Description The WP Setup Wizard plugin for WordPress is vulnerable to unauthorized access of datadue to a missing capability check in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to download the entire...
Scalable Vector Graphics (SVG) <= 3.4 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC Upload an SVG with the following code: Access the uploaded file directly to see the XSS...
Action Network < 1.4.3 - Reflected Cross-Site Scripting via 'search'
Description The Action Network plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...
Featured Image from URL (FIFU) < 4.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url
Description The Featured Image from URL FIFU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifuinputurl parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
Link Library < 7.6.1 - Unauthenticated Stored Cross-Site Scripting
Description The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'llreciprocal' parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Oliver POS < 2.4.2.1 - Subscriber+ Unauthorized AJAX Calls
Description The plugin is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file, allowing authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions li...
Contact Form builder with drag & drop for WordPress – Kali Forms < 2.3.42 - Missing Authorization
Description The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it...
Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover
Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. PoC 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install...
Contact Form builder with drag & drop for WordPress – Kali Forms < 2.3.42 - Missing Authorization to Arbitrary Plugin Deactivation
Description The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the awaitplugindeactivation function in all versions up to, and including, 2.3.41. This makes it possible fo...
WPify Woo Czech < 4.0.9 - Missing Authorization
Description The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybesendtopacketa function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for...
Coming Soon Maintenance Mode < 1.0.6 - Information Exposure
Description The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content thus bypassing the protection provid...
404 Solution < 2.35.8 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins. PoC 1. navigate to logs "https://example.com/wp-admin/options-general.php?page=abj404solution=abj404logs"...
Login as User or Customer <= 3.8 - Admin Account Takeover
Description The plugin does not prevent users to log in as any other user on the site. PoC 1. As an admin, log in as some user. Note the user ID. 2. Run the following curl command, filling in the ADMINID and the USERID: curl -v https://example.com/wp-admin/admin-ajax.php -H 'Cookie:...
Seriously Simple Podcasting < 3.0.0 - Unauthenticated Administrator Email Disclosure
Description The plugin discloses the Podcast owner's email address which by default is the admin email address via an unauthenticated crafted request. This was fixed in 3.0.0 for new plugin installation, however when upgrading, users will have to unset the "Owner email address" in the Feed Detail...