14603 matches found
Popup More < 2.2.5 - Admin+ Directory Traversal to Limited Local File Inclusion
Description The plugin is vulnerable to Local File Inclusion via the ycfChangeElementData function. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files ending with "Form.php" on the server , allowing the execution o...
Advanced iFrame < 2024.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its advancediframe shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Website Builder by SeedProd < 6.15.22 - Unauthenticated Plugin Page Content Update
Description The plugin does not have authorisation in its seedprodlitenewlpage function, allowing unauthenticated attackers to update the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin to a blank state PoC As unauthenticated, open the following URL to put t...
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store < 1.0.6.2 - Cross-Site Request Forgery
Description The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6.1. This is due to missing or incorrect nonce validation on several functions...
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_starred()
Description The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the setstarred function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers,...
Instant Images < 6.1.1 - Author+ Arbitrary Options Update
Description The plugin is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint, allowing authors and higher to update arbitrary options...
SiteOrigin Widgets Bundle < 1.58.2 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the code editor due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to perform Stored XSS attacks...
SEO Plugin by Squirrly SEO < 12.3.16 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Quotes for WooCommerce < 2.0.2 - Quote Status Update / Quote Sending via CSRF
Description The plugin does not have CSRF checks when updating quote status and send quotes, which could allow attackers to make logged in admins perform such actions via CSRF attacks...
Abandoned Cart Lite for WooCommerce < 5.16.2 - Multiple CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins perform unwanted actions, such as toggle template statuses via CSRF attacks...
Cookie Information < 2.0.23 - Subscriber+ Arbitrary Options Update
Description The plugin is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler, allowing any authenticated users, such as subscriber to update arbitrary site options PoC Run the below command in the developer console of the web browser while being o...
Contact Form Entries < 1.3.3 - Admin+ Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to insufficient file validation on the 'viewpage' function, allowing authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code...
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_read()
Description The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the setread function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with...
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store < 1.0.6.2 - Missing Authorization
Description The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 1.0.6.1. This makes it...
Starbox < 3.4.8 - Subscriber+ Plugin Preferences / User Settings Access via IDOR
Description The plugin is vulnerable to Insecure Direct Object Reference via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings...
Mang Board WP < 1.7.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via restore_records()
Description The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restorerecords function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attacker...
MapPress < 2.88.17 - Contributor+ Stored XSS via Map Settings
Description The plugin is vulnerable to Stored Cross-Site Scripting via the width and height parameters, allowing with contributor access and above to perform Stored XSS attacks PoC - Go to Plugin’s page /wp-admin/admin.php?page=mappressmaps - Add New Map and search any location you want. - Add...
Guest Author < 2.4 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's guest author parameters due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor-level access to inject arbitrary web scripts in pages that will execute...
Avada < 7.11.2 - Author+ Arbitrary File Upload via Zip Extraction
Description The theme is vulnerable to arbitrary file uploads due to missing file type validation when extracting zip files in the 'processupload' and 'regenerateiconfiles' functions. This makes it possible for authenticated attackers with author permissions to upload arbitrary files on the...
WordPress Review & Structure Data Schema Plugin – Review Schema < 2.2.0 - Missing Authorization to Arbitrary Review Update
Description The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrsreviewedit function in all versions up to, and including, 2.1.14. This makes it possible for...
WOLF – WordPress Posts Bulk Editor and Manager Professional < 1.0.8.2 - Cross-Site Request Forgery
Description The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbecreatenewterm, wpbeupdatetaxterm, and...
Avada < 7.11.2 - Contributor+ Arbitrary File Upload
Description The theme is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaximportoptions' function, making it possible for authenticated attackers with contributor permissions to upload arbitrary files on the affected site's server which may make remote code...
Avada < 7.11.2 - Contributor+ SSRF
Description The theme does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attacks...
UserPro < 5.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
Affiliates Manager < 2.9.35 - Cross-Site Request Forgery
Description The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the processbulkaction function in ListAffiliatesTable.php. This makes it possible for...
Persian Fonts <= 1.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Navigate to:...
WOLF – WordPress Posts Bulk Editor and Manager Professional < 1.0.8.2 - Missing Authorization
Description The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on the wpbecreatenewterm, wpbeupdatetaxterm, and wpbedeletetaxterm functions in all versions up to,...
Avada < 7.11.2 - Subscriber+ Portfolio Permalinks Creation
Description The theme is vulnerable to unauthorized modification of data due to a missing capability check, allowing any authenticated attackers, with such as subscriber and above, to save Portfolio permalinks...
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Description The plugin does not have authorisation and CSRF checks in its testerror AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF PoC As a subscriber, open...
WordPress < 6.4.3 - Admin+ PHP File Upload
Description WordPress allows high privileged users Admin / Super Admin on Mulsitite to upload PHP files directly via the plugin/theme upload feature. Note: Such issue is only a concern on hardened blogs where such users are not allowed to install plugins/themes...
WordPress < 6.4.3 - Deserialization of Untrusted Data
Description WordPress does not sanitizes options when installing and upgrading itself before serializing them, which could allow high privileged users such as admin to perform PHP Object Injection attack...
Razorpay for WooCommerce < 4.5.7 - Transfers Manipulation via CSRF
Description The plugin does not have CSRF checks when updating, creating and reversing transfers, which could allow attackers to make logged in admins perform such actions via CSRF attacks...
User Activity Tracking and Log < 4.1.4 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. PoC 1. Add X-Forwarded-For: 11.11.11.11 to any request which will be in activity log. For example in creation of new post. 2. View the activity log and see that...
Chart Builder < 1.9.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Razorpay for WooCommerce < 4.5.7 - Subscriber+ Transfers Manipulation
Description The plugin does not have authorisation checks when updating, creating and reversing transfers, which could allow any authenticated users, such as subscriber to perform such actions...
SchedulePress < 5.0.5 - Contributor+ Arbitrary Post Update/Deletion
Description The plugin does not have proper capability checks on several REST API endpoints, allowing contributors and above roles to edit and delete arbitrary posts...
WCMultiShipping < 2.3.8 - Subscriber+ Arbitrary Account Credentials Test
Description The plugin does not have proper capability check on its wmschronoposttestcredentialsajax function, allowing any authenticate duets, such as with subscriber, to test account credentials...
Order Delivery Date for WP e-Commerce <= 1.2 - Unauthenticated Stored Cross-Site Scripting
Description The Order Delivery Date for WP e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'available-days-tf' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for...
Allow SVG < 1.2.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC Upload an SVG with the following code: Access the uploaded file directly to see the XSS...
Formidable Forms < 6.8 - CSRF to Stored Cross-Site Scripting
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the updatesettings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a...
Form-Maker (twb_form-maker) < 1.15.22 - CSRF to limited RCE
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request granted they can trick...
Exclusive Addons for Elementor < 2.6.9 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Abandoned Cart Lite for WooCommerce < 5.16.1 - Improper Authorization via wcal_delete_expired_used_coupon_code
Description The plugin is vulnerable to unauthorized access of data due to a missing capability check on the wcaldeleteexpiredusedcouponcode function. This makes it possible for unauthenticated attackers to preview emails, granted they are able to obtain a nonce via a separate vulnerability...
InstaWP Connect < 0.1.0.10 - Missing Authorization to Sensitive Information Dislcosure
Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 0.1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and...
WordPress Simple Shopping Cart < 4.7.2 - Authenticated(Administrator+) Stored Cross-Site Scripting
Description The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
wp-dashboard-notes < 1.0.11 - Contributor+ Arbitrary Private Notes Update via IDOR
Description The plugin does not validate that the user has access to the postid parameter in its wpdnupdatenote AJAX action. This allows users with a role of contributor and above to update notes created by other users. PoC 1. Create a note as an admin. View the source of the page to get the Note...
PDF Poster - PDF Embedder Plugin for WordPress < 2.1.18 - Reflected Cross-Site Scripting
Description The PDF Poster - PDF Embedder Plugin for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.1.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
WPvivid < 0.9.95 - Missing Authorization
Description The plugin vulnerable to unauthorized access of data due to a missing capability check on the restore and getrestoreprogress function, making it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID...
Elementor Addons by Livemesh < 8.3.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...