14602 matches found
WP Staging (Free < 3.1.3, Pro < 5.1.3) - Unauthenticated Backup Download
Description The plugin does not prevent visitors from leaking key information about ongoing backups processes, allowing unauthenticated attackers to download said backups later. PoC The plugin creates temporary cache files when backing up sites, which are publicly accessible to anyone. Said cache...
Antispam Bee < 2.11.4 - IP Address Spoofing via get_client_ip
Description The Antispam Bee plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.11.3 due to use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass country blocking...
Ocean Extra < 2.2.3 - Cross-Site Request Forgery to Arbitrary Plugin Activation
Description The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.2. This is due to missing or incorrect nonce validation on the ajaxrequiredpluginsactivate function. This makes it possible for unauthenticated attackers to...
Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read
Description The plugin does not ensure that users accessing posts via an AJAX action and REST endpoint, currently disabled in the plugin have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content PoC WooCommerce needs to b...
Geo Controller < 8.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Geo Controller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 8.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
Ecwid Ecommerce Shopping Cart < 6.12.5 - Arbitrary Plugin Settings Change via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. PoC http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=ecwidstorefrontsetpageslug=hehehehe Besides, you can disable the...
WPGetAPI 2.1.0 - 2.2.1 - Authenticated (Subscriber+) Arbitrary Options Update
Description The WPGetAPI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the importendpoints function in versions 2.1.0 - 2.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update...
Marker.io < 1.1.7 - Cross-Site Request Forgery
Description The Marker.io plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.6. This is due to missing nonce validation on the markeriosavedestination and markeriosaveoption functions. This makes it possible for unauthenticated attackers to modi...
MW WP Form < 5.0.2 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly handle unauthorised files from being uploaded, only logging the issue without stopping the process, allowing unauthenticated users to upload arbitrary files to the server when the 'Saving inquiry data in database' settings is enabled in the plugin...
JSON Content Importer < 1.5.4 - Reflected XSS
Description The plugin does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open:...
Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
Description The plugin does not disallow listing the backups-dup-lite/tmp directory or the backups-dup-pro/tmp directory in the Pro version, which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to...
Happyforms < 1.25.10 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in an hidden attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
SoundCloud Shortcode < 4.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The SoundCloud Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Campaign Monitor for WordPress < 2.8.14 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
360 Javascript Viewer < 1.7.12 - Unauthenticated Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow unauthenticated users to update them...
Download canvasio3D Light <= 2.5.0 - Subscriber+ Entries Update/Deletion
Description The plugin is vulnerable to unauthorized access & modification of data due to a missing capability check on the caARConnect function, allowing authenticated attackers, with subscriber-level access and above, to retrieve data from the plugin and save/delete entries...
Molongui < 4.6.20 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.6.19 due to insufficient input sanitization and output escaping. This makes it possible fo...
JetBlocks For Elementor < 1.3.8.1 - Reflected Cross Site Scripting
Description The JetBlocks for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
Multiple Post Passwords < 1.1.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Evergreen Content Poster < 1.4.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
IdeaPush < 8.58 - Subscriber+ Memory Tab/Routine/Taxonomy Creation
Description The plugin does not have authorisation in various AJAX calls, allowing any authenticated users, such as subscriber to create memory tabs, routines and taxonomies...
Delete Post Revisions In WordPress <= 4.6 - Cross-Site Request Forgery
Description The delete-post-revisions-on-single-click theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attacke...
Simple Long Form <= 2.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Simple Long Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leve...
Restricted Site Access <= 7.4.1 - IP Spoofing to Protection Mechanism Bypass
Description The Restricted Site Access plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 6.3.0. This is due to insufficient restrictions on where the IP Address information is being retrieved for user IP Addresses. This makes it possible for attackers to...
Backup Migration < 1.3.7 - Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Description The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMIBACKUP case of the handledownloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers...
Contact Form 7 < 5.8.4 - Authenticated (Editor+) Arbitrary File Upload
Description The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7antiscriptfilename' function in versions up to, and including, 5.8.3. This makes it possible f...
Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion
Description The plugin does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server PoC To download /etc/passwd: curl...
WP Sessions Time Monitoring Full Automatic < 1.0.9 - Unauthenticated SQL injection
Description The plugin does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time based SQL injection techniques, or in some cases an error/union based technique. PoC Blind...
Qode Essential Addons < 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Description The Qode Essential Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the installplugin function in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level acce...
12 Step Meeting List < 3.14.25 - Authenticated (Contributor+) Server-Side Request Forgery
Description The 12 Step Meeting List plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.14.24 via the tsmladddatasource parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web reques...
Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting PoC Visit the following URL: https://example.com/wp-admin/admin.php?page=quiz-maker-questions%22%3E%3Cscript%3Ealert/xss/%3C/script%3E=something...
Participants Database < 2.5.6 - Missing Authorization
Description The Participants Database plugin for WordPress is vulnerable to unauthorized manipulation of data due to a missing capability check on several functions hooked via admin-post in all versions up to, and including, 2.5.5. This makes it possible for unauthenticated attackers to add and...
Debug Log Manager < 2.2.2 - Debug Log Clearing via CSRF
Description The plugin does not have CSRF checks when clearing debug logs, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure
Description The plugin does not adequately authorize the aysquizauthorusersearch AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses. PoC import string import requests baseurl =...
eCommerce Product Catalog for WordPress < 3.3.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's iccontainer shortcode in all versions up to, and including, 3.3.26 due to insufficient input sanitization and output escaping on user supplied...
Maspik – Spam blacklist < 0.9.3 - Unauthenticated Stored Cross-Site Scripting via efas_add_to_log
Description The Maspik – Spam Blacklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the efasaddtolog function in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
WordPress Job Board and Recruitment Plugin – JobWP < 2.2 - Sensitive Information Exposure
Description The WordPress Job Board and Recruitment Plugin – JobWP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to extract sensitive user data via resumes...
Enfold < 5.6.5 - Reflected Cross-Site Scripting
Description The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 5.6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
Form Maker < 1.15.21 - Captcha Bypass
Description The Form Maker plugin for WordPress is vulnerable to Captcha Bypass in versions up to, and including, 1.15.20 due to insufficient input verification. This makes it possible for unauthenticated attackers to automate form submissions...
Grab & Save <= 1.0.4 - Cross-Site Request Forgery
Description The Grab & Save plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the mediaprocess function. This makes it possible for unauthenticated attackers to upload images via a forg...
Salient Core < 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The salient-core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
wpForo Forum < 2.2.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Description The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject...
Perfmatters < 2.1.7 - Cross-Site Request Forgery
Description The Perfmatters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.6. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action...
WP Forms Puzzle Captcha <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting
Description The WP Forms Puzzle Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this functio...
Contact Form to Any API < 1.1.7 - Subscriber+ API Entry Record Deletion
Description The plugin does not have authorisation check when deleting CF7 API entry records, which could allow any authenticated users, such as subscriber to delete them...
BlossomThemes Email Newsletter < 2.2.5 - Missing Authorization
Description The BlossomThemes Email Newsletter plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the btengetmailinglist function in versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to obtain a mailing...
Super Progressive Web Apps < 2.2.22 - Missing Authorization
Description The Super Progressive Web Apps plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the superpwanewslettersubmit function hooked via a nopriv AJAX action in versions up to, and including, 2.2.21. This makes it possible for...
wpForo Forum < 2.2.6 - Subscriber+ Content Injection
Description The plugin does not properly escape user input, allowing any authenticated users, such as Subscriber to inject content...
WP Shortcodes Plugin — Shortcodes Ultimate < 7.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sumeta shortcode combined with post meta data in all versions up to, and including, 5.13.3 due to insufficient input sanitization and output escaping on us...
Footer Putter <= 6.1.3 - Reflected Cross-Site Scripting
Description The Footer Putter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...