14602 matches found
Laposta Signup Basic < 1.4.2 - Missing Authorization
Description The Laposta Signup Basic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxResetCache function in versions up to, and including, 1.4.1. This makes it possible for subscriber-level attackers or higher to delete the...
rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE
Description The plugin does not validate files to be uploaded, which could allow attackers with a low-privilege account e.g. subscribers to upload arbitrary files such as PHP on the server PoC If plugin JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file...
Booster for WooCommerce < 7.1.3 - Missing Authorization to Product Creation/Modification
Description The Booster for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcjproductaddnew function in all versions up to, and including, 7.1.2. This makes it possible for authenticated attackers, with subscriber-level...
HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.4.3 - Missing Authorization via woof_meta_get_keys()
Description The HUSKY – Products Filter for WooCommerce formerly WOOF plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the woofmetagetkeys function in versions up to, and including, 1.3.4.2. This makes it possible for authenticated attackers,...
Export WP Page to Static HTML/CSS < 2.2.0 - Missing Authorization via Multiple AJAX Actions
Description The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers,...
Events Manager < 6.4.6 - Reflected Cross-Site Scripting
Description The Events Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 6.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Theme Editor < 2.8 - Admin+ Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads which could allow users with administrator privileges or higher to upload arbitrary files on the affected site's server which may make remote code execution possible...
Frontier Post <= 6.1 - Cross-Site Request Forgery
Description The Frontier Post plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.1. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorized action...
Bulk Comment Remove <= 2 - Cross-Site Request Forgery via brc_admin()
Description The Bulk Comment Remove plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2. This is due to missing or incorrect nonce validation on the brcadmin function. This makes it possible for unauthenticated attackers to delete comments in bulk...
Awesome Support < 6.1.5 - Missing Authorization via wpas_edit_reply_ajax()
Description The Awesome Support plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpaseditreplyajax function in versions up to, and including, 6.1.4. This makes it possible for authenticated attackers, with subscriber-level access and...
WCMultiShipping < 2.3.6 - Missing Authorization to Log Export
Description The WCMultiShipping plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wmsexportlog function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above,...
Seraphinite Post .DOCX Source < 2.16.7 - Settings Update/Reset/Import via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin perform such actions CSRF attacks...
Availability Calendar <= 1.2.6 - Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
Description The Availability Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on the addavailabilitycalendarcreateadminpage function. This makes it possible for unauthenticated...
Preloader for Website < 1.3 - Missing Authorization via plwao_register_settings()
Description The Preloader for Website plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the plwaoregistersettings function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to reset the plugin's...
League Table < 1.14 - Tables Cloning/Update/Deletion via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in the view/tables.php file. This makes it possible for unauthenticated attackers to clone, edit, update, and delete tables via a forged request granted they can trick a site...
TextMe SMS < 1.9.1 - Subscriber+ Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
Porto Theme - Functionality < 2.12.1 - Missing Authorization
Description The Porto Theme - Functionality plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to perform an unauthorized...
Decorator - WooCommerce Email Customizer < 1.2.8 - Cross-Site Request Forgery
Description The Decorator – WooCommerce Email Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.7. This is due to missing nonce validation on several functions such as ajaxreset, wtdecoratorbuttontext, wtdecoratorsetasdefault, an...
Debug Log Manager < 2.2.2 - Subscriber+ Debug Log Clearing
Description The plugin does not have authorisation when clearing debug logs, allowing any authenticated users, such as subscriber to perform such action...
Consensu.io <= 1.0.2 - Missing Authorization via update_config_db()
Description The Consensu.io plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateconfigdb function in versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the plugin's setting...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. PoC Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in...
WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE
Description The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution. PoC Run the following JS code in any page on the server, setting the id variable to a valid ID of a log entry on the...
WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints
Description The plugin does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users. PoC The following actions may be taken by a Contributor user: --- /wmllogs - Information leak Execute the...
Porto Theme - Functionality < 2.12.1 - Unauthenticated SQL Injection
Description The Porto Theme - Functionality plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.11.1 due to insufficient escaping on a user supplied parameter and lack of sufficient preparation on an existing SQL query. This makes it possible for unauthenticate...
Awesome Support < 6.1.5 - Cross-Site Request Forgery via wpas_edit_reply_ajax()
Description The Awesome Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.1.4. This is due to missing or incorrect nonce validation on the wpaseditreplyajax function. This makes it possible for unauthenticated attackers to edit replies vi...
Taxonomy filter < 2.2.10 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Broken Link Checker for YouTube <= 1.3 - Cross-Site Request Forgery via plugin_settings_page()
Description The Broken Link Checker for YouTube plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the pluginsettingspage function. This makes it possible for unauthenticated attackers to...
WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint
Description The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files. PoC Run the following within any page on the site, ensuring that the id parameter is set to a...
Accept Stripe Payments < 2.0.80 - Insecure Direct Object Reference
Description The Stripe Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handlecreatepi function in versions up to, and including, 2.0.79. This makes it possible for unauthenticated attackers to purchase products in another...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. PoC Run the following within any page on the site. Notice that the request is delayed by the SLEEP call i...
WP Child Theme Generator <= 1.0.9 - Admin+ Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads, allowing administrators to upload arbitrary files on the affected site's server which may make remote code execution possible...
Simple Testimonials Showcase <= 1.1.5 - Cross-Site Request Forgery
Description The Simple Testimonials Showcase plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the stssavesettings function. This makes it possible for unauthenticated attackers to upda...
WP Crowdfunding < 2.1.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add a campaign and for the...
BookingPress < 1.0.77 - Authenticated (Administrator+) Arbitrary File Upload
Description The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpressprocessupload' function in versions up to, and including, 1.0.76. This makes it possible for authenticated attackers with administrator-level...
BSK Forms Blacklist < 3.7 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the plugin settings ex:...
MyBookTable Bookstore < 3.3.5 - API Key Update via CSRF
Description The plugin does not have CSRF check when updating its API key via the mbtapikeyrefreshajax function, which could allow attackers to make logged in admins update it via a CSRF attack...
so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion
Description The plugin does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites. PoC 1. Create a multi-site wordpress setup, i.e. using...
Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export
Description The plugin does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens. PoC curl --url 'http://vulnerable-site.tld/wp-admin/admin-post.php?luv-action=export'...
Video PopUp < 1.1.4 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its videopopup shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Chatbot for WordPress < 2.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 2.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and abov...
WCFM Marketplace < 3.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfmstores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.7.4 - Unauthenticated Arbitrary File Upload
Description The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnduploadcf7upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated...
Advanced Custom Fields: Extended < 0.8.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfeform' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
Metform Elementor Contact Form Builder < 3.3.2 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode
Description The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mffirstname' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information...
GiveWP < 2.33.4 - Cross-Site Request Forgery to plugin deactivation
Description The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the givesendwpdisconnect function. This makes it possible for unauthenticated attackers to deactivate the SendW...
WooCommerce Canada Post Shipping < 2.8.4 - Cross-Site Request Forgery
Description The WooCommerce Canada Post Shipping plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.3. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke...
Stripe Gateway < 7.6.1 - Cross-Site Request Forgery
Description The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 exclusive. This is due to missing or incorrect nonce validation on the maybehandleredirect function. This makes it possible for unauthenticated attackers...
Simple 301 Redirects < 2.0.8 - Cross-Site Request Forgery via 'clicked'
Description The Simple 301 Redirects plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the 'clicked' function. This makes it possible for unauthenticated attackers to enable or disable...
wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
Description The wpDiscuz plugin for WordPress is vulnerable to SQL Injection via the 'visibleCommentIds' parameter in versions up to, and including, 7.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possib...
Checkout Field Editor < 1.7.5 - Cross-Site Request Forgery to Checkout Fields Update
Description The Checkout Field Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.4. This is due to missing nonce validation when updating checkout fields. This makes it possible for unauthenticated attackers to update checkout fields via...