14603 matches found
OWL Carousel <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The OWL Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
W3SPEEDSTER < 7.20 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Biteship < 2.2.25 - Reflected Cross-Site Scripting via biteship_error and biteship_message
Description The Biteship plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'biteshiperror' and 'biteshipmessage' parameters in versions up to, and including, 2.2.24 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
SP Project & Document Manager < 4.70 - Authenticated (Contributor+) SQL Injection via Shortcode
Description The SP Project & Document Manager plugin for WordPress is vulnerable to SQL Injection via the spcdmdisplayprojectshortcodeshow function in versions up to, and including, 4.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...
Happyforms < 1.25.11 - Missing Authorization
Description The plugin is vulnerable to unauthorized access due to a missing capability check, allowing unauthenticated attackers to perform unauthorized actions...
WP Dummy Content Generator < 3.1.3 - Missing Authorization
Description The WP Dummy Content Generator plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability check son the wpdummycontentgeneratorDeletePosts and wpdummycontentgeneratorAjaxGenPosts functions in versions up to, and including, 3.1.2. This makes it...
Five Star Restaurant Reviews < 2.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Review URL
Description The Five Star Restaurant Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the review url parameter in versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Shareaholic < 9.7.12 - Missing Authorization via accept_terms_of_service
Description The Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'accepttermsofservice' function in all versions up to, and including, 9.7.11. This makes it...
Post Thumbnail Editor <= 2.4.8 - Sensitive Information Exposure
Description The Post Thumbnail Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...
Accessibility < 1.0.7 - Cross-Site Request Forgery
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as...
Scheduling Plugin – Online Booking for WordPress <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Load More Anything < 3.3.4 - Subscriber+ Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
CC BMI Calculator < 2.1.0 - Contributor+ Stored XSS
Description The plugin does not escape some of its BMI Calculator Widget options before outputting them back in a page/post where the Widget is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Click To Tweet <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Click To Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...
Feed Them Social < 4.2.1 - Cross-Site Request Forgery via review_nag_check
Description The Feed Them Social – Page, Post, Video, and Photo Galleries plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.0. This is due to missing or incorrect nonce validation on the 'reviewnagcheck' function. This makes it possible for...
Don't Muck My Markup <= 1.8 - Cross-Site Request Forgery
Description The Don't Muck My Markup plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform unauthorize...
The Plus Addons for Elementor < 5.3.4 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injecte...
WooCommerce Conversion Tracking < 2.0.12 - Subscriber+ Addon Installation
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcctinstallhappyaddons' function, allowing any authenticated users, such as subscriber to install the Happy Elementor Addons plugin...
EventON < 4.4.1 - Reflected Cross-Site Scripting
Description The EventON Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...
Chartify < 2.0.7 - Authenticated(Administrator+) Stored Cross-Site Scripting
Description The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
ARMember < 4.0.25 - Improper Access Control to Sensitive Information Exposure via REST API
Description The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Default Restriction" feature and view restricted post content...
Orbit Fox by ThemeIsle < 2.10.29 - Unauthenticated Connected API Keys Update
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the registerreference function, allowing unauthenticated attackers to update the connected API keys...
SlimStat Analytics < 5.1.4 - Subscriber+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'filterarray' parameter due to insufficient input sanitization and output escaping, allowing any authenticated users, such as subscriber, to inject arbitrary web scripts in pages that will execute whenever a user accesses...
PropertyHive < 2.0.6 - Unauthenticated PHP Object Injection via propertyhive_currency
Description The PropertyHive plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.5 via deserialization of untrusted input from the 'propertyhivecurrency' cookie value. This makes it possible for unauthenticated attackers to inject a PHP Object. No...
JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE
Description The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server PoC Navigate to the site, and paste the following in your browser's console: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers:...
Anonymous Restricted Content < 1.6.3 - Protection Mechanism Bypass
Description The Anonymous Restricted Content plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.6.2. This is due to insufficient restrictions through the REST API on the posts/pages that protections are being place on. This makes it possible for...
Easy Digital Downloads < 3.2.7 - Shop Manager+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the variable pricing option title due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that wi...
LearnDash LMS < 4.10.3 - Sensitive Information Exposure via API
Description The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions...
Essential Addons for Elementor < 5.9.8 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting through editing context via the 'data-eael-wrapper-link' wrapper due to insufficient input sanitization and output escaping on user supplied protocols, allowing authenticated attackers with contributor-level and above permissions...
UserPro < 5.1.7 - Disabled Membership Registration Bypass
Description The plugin is vulnerable to Security Feature Bypass, due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings, allowing unauthenticated attackers to register an account even when account registration has...
JobSearch WP Job Board < 2.3.4 - Authentication Bypass
Description The plugin does not prevent attackers from logging-in as any users with the only knowledge of that user's email address. PoC Browse to the site, paste the following in your browser's console replace the email address with that site's administrator's email address:...
PopupAlly < 2.1.1 - Cross-Site Request Forgery via optin_submit_callback
Description The PopupAlly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.0. This is due to missing or incorrect nonce validation on the 'optinsubmitcallback' function. This makes it possible for unauthenticated attackers to opt in...
Beds24 Online Booking < 2.0.24 - Authenticated(Administrator+) Stored Cross-Site Scripting
Description The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Calculated Fields Form < 1.2.53 - Contributor+ Stored XSS
Description The plugin does not validate and escape some the location attribute of its CPCALCULATEDFIELDS shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WPDashboardNotes < 1.0.11 - Unauthorised Deletion of Private Notes
Description The plugin is vulnerable to Insecure Direct Object References IDOR in postid= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises...
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
Description The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploa...
Heateor Social Login < 1.1.31 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Heateor Social Login WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in version Ngô Thiên An ancorn from VNPT-VCI due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
JetBackup < 2.0.9.9 - Directory Listing Exposing Backups
Description The plugin doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files. A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct...
Orbit Fox by ThemeIsle < 2.10.30 - Connected API Keys Update via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the registerreference function, allowing attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as...
Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion
Description The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged ...
DearFlip < 2.2.27 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via outline settings due to insufficient input sanitization and output escaping on user supplied data, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that wi...
PageLayer < 1.8.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Enter the following payload in...
Auto Listings < 2.6.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Auto Listings – Car Listings & Car Dealership Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping on user supplied...
Spiffy Calendar < 4.9.9 - Broken Access Control
Description The plugin doesn't check the eventauthor parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+. PoC Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event. Change...
Icons Font Loader < 1.1.5 - Authenticated(Administrator+) Arbitrary File Upload
Description The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in versions up to, and including, 1.1.4. This makes it possible for authenticated attackers, with administrator access and above, to upload...
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via API
Description The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes...
Ninja Forms Contact Form < 3.7.2 - Unauthenticated Second Order SQL Injection
Description The plugin is vulnerable to Second Order SQL Injection via the email address value submitted through forms due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...
ProfilePress < 4.14.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its reg-number-field shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks < 3.1.5 - PHP Object Injection via wopb_wishlist and wopb_compare
Description The ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.4 via deserialization of untrusted input from the 'wopbwishlist' and 'wopbcompare' cookies. This makes it possible for...
Fancy Comments WordPress < 1.2.15 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin PoC...