14602 matches found
FunnelKit Checkout < 3.11.0 - Unauthenticated Arbitrary Content Deletion
Description The FunnelKit Checkout plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on an unknown function in all versions up to, and including, 3.10.3. This makes it possible for unauthenticated attackers, to delete arbitrary content...
WC Marketplace < 4.0.24 - Missing Authorization via mvx_save_dashpages
Description The WC Marketplace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvxsavedashpages' function in versions up to, and including, 4.0.23. This makes it possible for unauthenticated attackers to update the plugin's setting...
Essential Blocks for Gutenberg < 4.2.1 - Contributor+ Unauthorised Actions
Description The plugin does not have proper authorisation checks in various functions, allowing contributor and above role to perform unauthorized actions...
Site Notes <= 2.0.0 - Admin Note Deletion via CSRF
Description The plugin does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks PoC Have an administrator open the following HTML file:...
WP-Members Membership Plugin < 3.4.9 - Contributor+ Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure via the wpmemfield shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including user emails, password hashes, usernames, and more...
MapPress Maps for WordPress < 2.88.14 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the Point of Interest Title and Description options in a map, allowing Contributor and above role to perform Stored Cross-Site Scripting attacks PoC As a contributor, add/edit a Map and search any location you want. Add XSS Payload on Location’s...
Custom User CSS <= 0.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC Create an HTML form with the following content and make a logged in admin open it...
WP 2FA < 2.6.0 - Arbitrary Email Sending via CSRF
Description The plugin has a flawed CSRF check when sending emails to registered users, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Piotnet Forms Plugin < 1.0.29 - Unauthenticated Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'piotnetformsajaxformbuilder' function, allowing unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible...
Verge3D < 4.5.3 - Subscriber+ Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'v3duploadappfile' function, allowing any authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code executi...
Easy Social Feed < 6.5.3 - Subscriber+ Settings Update
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's...
WP 2FA < 2.6.0 - Subscriber+ Arbitrary Email Sending
Description The plugin is vulnerable to Insecure Direct Object Reference via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site...
TJ Shortcodes <= 0.1.3 - Contributor+ Stored XSS via Shortcodes
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC junkie-button...
LearnPress < 4.2.5.8 - Subscriber+ Arbitrary Course Progress Disclosure
Description The plugin is vulnerable to Insecure Direct Object Reference in the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the...
Biteship for WooCommerce < 2.2.25 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the biteshiperror and biteshipmessage parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open one of the URLs...
JVM rich text icons < 1.2.4 - Subscriber+ Arbitrary File Upload
Description The JVM Gutenberg Rich Text Icons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaxuploadicon' function in all versions up to and including 1.2.3. This makes it possible for authenticated attackers, with subscriber access and...
Essential Blocks for Gutenberg < 4.2.1 - Subscriber+ Unauthorised Actions
Description The plugin does not have proper authorisation checks in various functions, allowing any authenticated users, such as subscribers to perform unauthorized actions...
MC4WP < 4.9.10 - Unauthenticated Unpublished Form Preview
Description The plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'listen' function, allowing unauthenticated attackers to preview unpublished forms...
OMGF < 5.7.10 - Unauthenticated Directory Deletion & Stored XSS
Description The plugin is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the updatesettings function hooked via admininit. This makes it possible for unauthenticated attackers to update the plugin's settings which can be used t...
FooGallery Premium < 2.4.6 - Contributor+ Stored XSS
Description The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for contributors an...
EmbedPress < 3.9.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its embedoembedhtml shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Product Expiry for WooCommerce < 2.6 - Subscriber+ Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
Wp-Adv-Quiz <= 1.0.4 - Admin+ Stored XSS in Quiz Overview
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Under "WP Adv Quiz - WP Adv...
Wp-Adv-Quiz < 1.0.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC 1. Add a new quiz. 2. Under the created quiz, click on "Questions". 3. Add a question...
WP Compress < 6.10.34 - Unauthenticated Arbitrary File Read
Description The plugin is vulnerable to Directory Traversal via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information...
Doofinder for WooCommerce < 2.1.1 - Missing Authorization via multiple AJAX actions
Description The Doofinder for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'doofinderresetcredentials' and 'doofinderforceupdateonsave' anonymous AJAX functions in versions up to, and including, 2.0.3...
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) < 2.7.14 - Settings Reset/Update via CSRF
Description The plugin does not have CSRF checks when resetting and updating its settings, which could allow attackers to make logged in admins perform such actions via CSRF attacks...
FunnelKit Checkout < 3.11.0 - Subscriber+ Arbitrary Plugin Activation
Description The FunnelKit Checkout plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in all versions up to, and including, 3.10.3. This makes it possible for authenticated attackers, with subscriber access and above, t...
PageLayer < 1.7.9 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'pagelayerheadercode', 'pagelayerbodyopencode', and 'pagelayerfootercode' meta fields due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
JVM rich text icons < 1.2.7 - Subscriber+ Arbitrary File Deletion
Description The JVM Gutenberg Rich Text Icons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.6 via the 'file' parameter. This makes it possible for authenticated attackers, with subscriber access and above, to delete arbitrary files...
Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Inquiry Saving & Sensitive Information Disclosure
Description The plugin is vulnerable to unauthorized access and modification of data due to an improper capability check on the catalogrestroutesreactmodule REST endpoints, allowing unauthenticated attackers to view data from admin tabs and save enquiries...
FunnelKit Checkout < 3.11.0 - Subscriber+ Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
ARForms < 1.5.9 - Unauthenticated Stored XSS
Description The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ arfhttpreferrerurl’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output...
Ultimate Addons for Beaver Builder < 1.35.15 - Contributor+ Privilege Escalation
Description The Ultimate Addons for Beaver Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.35.14. This makes it possible for authenticated attackers, with contributor access and above, to escalate their privileges to those of a higher lev...
BERTHA AI Plugin < 1.11.10.8 - Unauthenticated Arbitrary File Upload
Description The BERTHA AI. Your AI co-pilot for WordPress and Chrome plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bthaiwatranslateaudiocallback' function in all versions up to and including 1.11.10.7. This makes it possible for...
Store Locator WordPress < 1.4.15 - Admin+ Arbitrary File Deletion
Description The plugin is vulnerable to Directory Traversal, allowing authenticated attackers, with administrator access and above, to delete arbitrary files...
WordPress Users <= 1.4 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC Create an HTML with the following and open it when logged in as an Editor or above:...
Integrate Google Drive < 1.3.4 - Subscriber+ Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
WordPress Toolbar <= 2.2.6 - Open Redirect
Description The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. PoC...
WP Plugin Lister <= 2.1.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. PoC Make an admin open an HTML page containing the following code:...
Business Directory Plugin < 6.3.10 - Contributor+ Arbitrary Listing Deletion
Description The plugin is vulnerable to unauthorized loss of data due to a missing capability check on the 'dispatch' function, allowing authenticated attackers, with contributor-level access and above, to delete listings...
Ultimate Addons for Beaver Builder < 1.35.14 - Contributor+ Arbitrary File Download
Description The Ultimate Addons for Beaver Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.35.13. This makes it possible for authenticated attackers, with Contributor access and above, to read the contents of a limited subset of arbitrary...
WP Social Bookmark Menu <= 1.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC...
Easy SVG Allow <= 1.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC Upload an SVG with the following code: Access the uploaded file directly to trigger the XSS...
LearnPress < 4.2.5.8 - Unauthenticated SQLi
Description The plugin does not properly sanitise and escape the orderby parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
POST SMTP Mailer < 2.8.8 - Unauthenticated Stored Cross-Site Scripting via device
Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘device’ header due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an...
WP SMS < 6.5.1 - Cross-Site Request Forgery to Subscriber Deletion
Description The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the...
WP SMS < 6.5.1 - Contributor+ SQLi to Reflected XSS
Description The plugin is vulnerable to SQL Injection via the 'groupid' parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, ...
Piotnet Forms < 1.0.30 - Missing Authorization via multiple AJAX actions
Description The plugin is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX functions, allowing unauthenticated attackers to save draft posts and download arbitrary JSON files from the server...
Frontend Admin by DynamiApps Plugin < 3.18.4 - Unauthenticated Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaxaddattachment' function, allowing unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible...