14602 matches found
Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion
Description The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. PoC curl --url...
Post SMTP < 2.6.1 - Authenticated (Administrator+) SQL Injection
Description The Post SMTP plugin for WordPress is vulnerable to time-based SQL Injection via the logid parameter in versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update
Description The plugin does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site. PoC Log in as a subscriber, and paste any of the following fetch call in...
Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC 1. Store the script in...
DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export
Description The plugin does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts. PoC...
JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF
Description The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. PoC wpfgc url="http://127.0.0.1:8084"...
EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management
Description The plugin does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. PoC 1. Install the...
Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC 1 Create a new opt-in form 2 Edit the form, and add a "First name" field. 3 Update the...
Post SMTP < 2.8.7 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC Make a logged in admin open the following URL:...
Post SMTP < 2.8.7 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin. PoC In ps-delete-email-logs action: Visit the Post SMTP Email Log page and run the following code in t...
Post Meta Data Manager < 1.2.1 - Missing Authorization to Post, Term, and User Meta Deletion
Description The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks on the pmdmwpajaxdeletemeta, pmdmwpdeleteusermeta, and pmdmwpdeleteusermeta functions hooked via nopriv AJAX actions in all versions up to, and...
Simple Calendar < 3.2.5 - Cross-Site Request Forgery via duplicate_feed
Description The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 3.2.5 exclusive. This is due to missing or incorrect nonce validation on the duplicatefeed function. This makes it possible for unauthenticated attackers...
Limit Login Attempts Reloaded < 2.25.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Limit Login Attempts Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.25.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
GeoDirectory < 2.3.29 - Authenticated (Administrator+) SQL Injection via orderby
Description The GeoDirectory plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.3.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...
Simple Membership < 4.3.9 - Reflected Cross-Site Scripting Vulnerability via environment_mode
Description The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environmentmode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...
AMP for WP – Accelerated Mobile Pages < 1.0.92.1 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Description The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.0.92 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
Envo Extra < 1.8.4 - Cross-Site Request Forgery
Description The Envo Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.3. This is due to missing or incorrect nonce validation on the ajaxrequiredpluginsactivate function. This makes it possible for unauthenticated attackers to activate...
SpeedyCache < 1.1.4 - Missing Authorization to Plugin Options Update
Description The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycachesavevarniship, speedycacheimgupdatesettings, speedycachepreloadingaddsettings, and speedycachepreloadingdeleteresource functions in all versions ...
Slick Social Share Buttons <= 2.4.11 - Authenticated (Subscriber+) Arbitrary Option Update
Description The Slick Social Share Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dcssbajaxupdate' function in versions up to, and including, 2.4.11. This makes it possible for authenticated attackers, with subscriber-leve...
Enable Media Replace < 4.1.5 - Reflected Cross-Site Scripting
Description The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXELDEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...
Jquery news ticker < 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
MW WP Form < 5.0.4 - Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
Description The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete...
Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery on AJAX Actions
Description The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on multiple AJAX actions. This makes it possible for unauthenticated attackers to create, modify, a...
Post Grid Combo – 36+ Gutenberg Blocks < 2.2.65 - Authenticated (Contributor+) Cross-Site Scripting
Description The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
404 Solution < 2.33.1 - Sensitive Information Exposure
Description The 404 Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.33.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...
WP Shortcodes Plugin — Shortcodes Ultimate < 7.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'subutton', 'sumembers', and 'sutabs' shortcodes in all versions up to, and including, 7.0.0 due to insufficient input sanitization and output escaping on...
Image horizontal reel scroll slideshow < 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. PoC 1. Login with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete...
Clone < 2.4.3 - Unauthenticated Backup Download
Description The plugin uses buffer files to store in-progress backup informations, which is stored at a publicly accessible, statically defined file path. PoC While a backup job is running, visitors can access one of the following files it might take a couple tries, as the timing needs to be righ...
Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks. PoC 1. login, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2. run the following...
WP Blogs' Planetarium <= 1.0 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload
Description The plugin does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. PoC from io import BytesIO import requests import zipfile import sys import re if...
WP Custom Cursors <= 3.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC The PoC will be displayed on...
Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin
Description Any unauthenticated user may send e-mail from the site with any title or content to the admin PoC fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=getwidsendmail", "headers": "content-type": "application/x-www-form-urlencoded", , "body": "datasubject=Urgent WordPress update...
GTG Product Feed for Shopping <= 1.2.4 - Unauthenticated Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow unauthenticated users to update them...
CommentTweets <= 0.6 - Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks PoC...
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload
Description The plugin does not properly validate uploaded files via the ajaxUploadFonts function, allowing any authenticated users, such as subscriber to upload arbitrary files...
Duplicator < 1.3.0 - Unauthenticated RCE
Description The plugin does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server. PoC Steps to Reproduce Setup Download WAMP with the...
Featured Image from URL (FIFU) < 4.5.4 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape the featured image alt text, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
E2Pdf < 1.20.26 - Admin+ Arbitrary File Upload
Description The plugin does not properly validate upload files via the importaction function, allowing users having access to the plugin by default admin to upload arbitrary files...
Email Subscription Popup < 1.2.20 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE
Description The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. PoC 1. Make sure to configure the plugin so Authors can access its settings 2. Create a new slider. 3. Save and...
WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS
Description The plugin does not authorisation and CSRF in a function hooked to admininit, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. v3.8.15 partially fixed the issue as the wrong capability chec...
Greenshift – animation and page builder blocks < 7.6.3 - Authenticated (Administrator+) Arbitrary File Upload
Description The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspbsavefiles' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with...
WP Crowdfunding < 2.1.9 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC 1. Add a "Campaign Search" widget to your site via Appearance Customise Widgets for...
Multiple Plugins by KlbTheme - Reflected Cross-Site Scripting
Description The plugins do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Multiple Themes by KlbTheme - Cross-Site Request Forgery
Description The themes do not have CSRF checks in some places, which could allow attackers to make logged in admins perform unwanted actions via CSRF attacks...
WP Photo Album Plus < 8.6.01.005 - IP Spoofing
Description The plugin does not properly check for IP addresses, allowing attackers to spoof IP addresses via headers and bypass the login protection offered by the plugin...
Debug Log Manager < 2.3.0 - Sensitive Logs Exposure
Description The plugin contains a Directory listing vulnerability was discovered, which allows you to download the debug log without authorization and gain access to sensitive data PoC https://yoursite/wordpress/wp-content/uploads/debug-log-manager/...
Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update
Description The plugin does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'userscanregister' and 'defaultrole'. It also unserializes user input in the process, which may lead to Object...