14602 matches found
Envira Gallery Lite < 1.8.7.3 - Missing Authorization to Gallery Modification via envira_gallery_insert_images
Description The plugin is vulnerable to unauthorized modification of data due to an improper capability check on the 'enviragalleryinsertimages' function in all versions up to, and including, 1.8.7.1. This makes it possible for authenticated attackers, with contributor access and above, to modify...
WordPress Button Plugin MaxButtons < 9.7.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API
Description The plugin is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to...
Formidable Forms < 6.7.1 - Admin+ Stored Cross-Site Scripting
Description The plugin is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 inclusive due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
ElementsKit Lite < 3.0.4 - Unauthenticated Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.3 via the ekitwidgetareacontent function. This makes it possible for unauthenticated attackers to obtain contents of posts in draft, private or pending review status that should not be...
EventON (Free < 2.2.7, Premium < 4.5.5) - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to the EventON Lite setting...
EventON (Free < 2.2.8, Premium < 4.5.5) - Reflected XSS
Description The plugins do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...
WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak
Description The plugin does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address. PoC Run the below command in the developer console of the browser when being logged in the blog as a subscriber and on your own edit accou...
Formidable Forms < 6.7.1 - HTML Injection
Description The plugin is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is...
WP Customer Area < 8.2.1 - Subscriber+ Account Address Update
Description The plugin does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address. PoC You may get the nonce from your save address form fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
Description The plugins do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. Note: Such issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in...
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure
Description The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog PoC To get the administrator user emails: curl -X POST --data 'userrole=administrator'...
EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update
Description The plugins do not have authorisation and CSRF in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc PoC To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240: curl -X POST...
Voting Record <= 2.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack PoC Have an admin open an HTML page containing the following: You will see the pop-up...
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure
Description The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set for example for Zoom PoC curl -X POST --data "eid=240"...
Voting Record <= 2.0 - Subscriber+ Stored XSS
Description The plugin is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks PoC Have a subscriber open an HTML file containing the following: See the XSS when logged in as an admin and viewing recorded votes...
Community by PeepSo < 6.3.1.2 - Reflected XSS
Description The plugin does not sanitise and escape various parameters and generated URLs before outputting them back attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open When the register your copy...
Community by PeepSo < 6.3.1.2 - User Post Creation via CSRF
Description The plugin does not have CSRF check when creating a user post visible on their wall in their profile page, which could allow attackers to make logged in users perform such action via a CSRF attack PoC 1. Log in as a normal user. 2. Save the content below as an HTML file. 3. Change...
Contact Form 7 Connector < 1.2.3 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. PoC http://vulnerable-site.tld/wp-admin/admin.php?page=ari-cf7connector-log=html=...
Product Enquiry for WooCommerce < 3.2 - Reflected XSS
Description The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...
PageLayer < 1.8.0 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfilteredhtml is disallowed, such as in multi-site WordPress configurations. PoC - As a user with Author+ capabilities, create a new...
Quiz And Survey Master < 8.1.19 - Quiz Results Deletion via CSRF
Description The plugin does not have CSRF checks in some functions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete quiz results...
WooCommerce PDF Invoice Builder < 1.2.102 - Cross-Site Request Forgery
Description The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.101. This is due to missing or incorrect nonce validation in the /pages/invoicelist.php file. This makes it possible for unauthenticated attackers...
CRM Perks Forms < 1.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The CRM Perks Forms – WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on the label field. This makes it possible for...
Pay with Vipps for WooCommerce < 1.14.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Pay with Vipps for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the buy now button in versions up to, and including, 1.14.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WebinarIgnition < 3.05.1 - Missing Authorization to Unauthenticated Privilege Escalation
Description The Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.05.0. This makes it possible...
Defender Security < 4.2.0 - Sensitive Information Exposure via Log File
Description The Defender Security – Malware Scanner, Login Security & Firewall plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.1.0 via the plugin's log file. This makes it possible for unauthenticated attackers to extract sensitive data...
WP Simple Booking Calendar < 2.0.8.5 - Cross-Site Request Forgery
Description The WP Simple Booking Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.8.4. This is due to missing or incorrect nonce validation on the wpsbcrefreshcalendareditor function. This makes it possible for unauthenticated...
Uncode Core < 2.8.9 - Authenticated (Subscriber+) Arbitrary File Deletion
Description The uncode-core plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers with subscriber level access or higher to delete arbitrary files on the site...
GeoDirectory < 2.3.29 - Authenticated(Administrator+) SQL Injection
Description The GeoDirectory – WordPress Business Directory Plugin, or Classified Directory plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 2.3.29 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient...
Automation By Autonami < 2.7.0 - Authenticated(Administrator+) SQL Injection
Description The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 2.7.0 exclusive due to insufficient escaping on the user supplied parameter and...
WP Stripe Checkout < 1.2.2.38 - Sensitive Information Exposure via Debug Log
Description The WP Stripe Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.2.37 via the debug log file. This makes it possible for unauthenticated attackers to extract sensitive data including stripe checkout debug information...
Uncode Core < 2.8.9 - Privilege Escalation
Description The Uncode Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.8.8. This makes it possible for subscribers to escalate their privileges to those of a higher level account...
Product Feed Manager < 7.3.16 - Authenticated (Admin+) Directory Traversal
Description The Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 7.3.15 via the vulnerable parameter 'logKey'. This makes it possible for authenticated...
Depicter Slider < 2.0.7 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Easy Video Player < 1.2.2.11 - Contributor+ Stored XSS
Description The plugin does not validate and escape the ratiocode attribute of its evpembedvideo shortcode before outputting it back in a page where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Republish Old Posts < 1.27 - Cross-Site Request Forgery via rop_options_page
Description The Republish Old Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.21. This is due to missing or incorrect nonce validation on the ropoptionspage function. This makes it possible for unauthenticated attackers to modify the...
Easy Digital Downloads < 3.2.0 - Missing Authorization
Description The plugin is vulnerable to unauthorized access due to a missing capability check on a function, allowing unauthenticated attackers to perform an unauthorized action...
Pre* Party Resource Hints < 1.8.20 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Webba Booking < 5.0 - Cross-Site Request Forgery
Description The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.33. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for...
MF Gig Calendar <=1.2.1 - Authenticated(Contributor+) SQL Injection
Description The MF Gig Calendar plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 1.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
Restrict Usernames Emails Characters Plugin < 3.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC 1. Access the "Restrict Usernames Emails Characters" settings 2. For the field "The...
HTML Forms < 1.3.30 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR
Description The plugin does not validate orders ownership which could allow unauthenticated attacker to delete orders by knowing the order ID and cart hash i.e. they would have to create a cart that matches the items in the order they are trying to delete. Furthermore, only stores running on lega...
Rencontre – Dating Site < 3.11 - Unauthenticated Arbitrary File Upload
Description The Rencontre – Dating Site plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 3.10.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution...
Booking for Appointments and Events Calendar – Amelia < 1.0.86 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Booking Manager < 2.1.6 - Authenticated(Contributor+) SQL Injection via Shortcode
Description The Booking Manager plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode attributes in all versions up to 2.1.6 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
Eazy Plugin Manager < 4.1.3 - Missing Authorization via update_options
Description The Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateoptions' function in all versions up to, and including, 4.1.2. This makes it possible for...
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.6 - Authenticated (Admin+) SQL Injection
Description The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 8.5.6 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
Oxygen Builder < 4.8.1 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via a custom field due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execut...