14602 matches found
Inactive Logout < 3.2.3 - Missing Authorization
Description The Inactive Logout plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the inaresetadvsettings function in versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber-level access a...
Taggbox <= 3.1 - Missing Authorization
Description The Taggbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized...
Premmerce User Roles < 1.0.13 - Missing Authorization via role management functions
Description The Premmerce User Roles plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to missing capability and nonce checks on the 'createRole', 'updateRole', and 'deleteRole' functions in versions up to, and including, 1.0.12. This makes it possible f...
Comment Blacklist Updater < 1.2.0 - Cross-Site Request Forgery via update_blacklist_manual
Description The Comment Blacklist Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the 'updateblacklistmanual' function. This makes it possible for unauthenticated attackers to...
Easy Newsletter Signups <= 1.0.4 - Missing Authorization
Description The Easy Newsletter Signups plugin for WordPress is vulnerable to unauthorized modification and disclosure of data due to a missing capability check on the wpesnltableprocessbulkaction function hooked via admininit in versions up to, and including, 1.0.4. This makes it possible for...
Brands for WooCommerce < 3.8.2.3 - Missing Authorization to Unauthenticated Order Manipulation and Information Retrieval
Description The Brands for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.8.2.2. This is due to missing capability checks on the clearcacheajax, saveorder, brgetproducts, brgetbrands, and saveallorders functions hooked via AJAX nopriv...
Easy Social Icons < 3.2.5 - Missing Authorization via cnss_save_ajax_order
Description The Easy Social Icons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cnsssaveajaxorder function in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access a...
VS Contact Form < 14.0 - Missing Authorization
Description The VS Contact Form plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 13.9. Exact implications of this vulnerability are unknown...
wpMandrill <= 1.33 - Missing Authorization via getAjaxStats
Description The wpMandrill plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAjaxStats function in versions up to, and including, 1.33. This makes it possible for authenticated attackers, with subscriber-level access and above, to view...
Who Hit The Page – Hit Counter <= 1.4.14.3 - Authenticated (Administrator+) SQL Injection
Description The Who Hit The Page – Hit Counter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.14.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
Funnelforms Free < 3.4.2 - Missing Authorization to Post Modification
Description The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsfaf2savepost function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions a...
Welcome Email Editor < 5.0.7 - Subscriber+ Email Sending
Description The plugin does not have authorisation in its ajaxhandler function, allowing any authenticated users, such as subscriber to call it and send various emails...
Forms for Mailchimp by Optin Cat < 2.5.5 - Authenticated (Editor+) Stored Cross-Site Scripting
Description The Forms for Mailchimp by Optin Cat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the paramsstr function in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...
Lava Directory Manager <= 1.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The Lava Directory Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.34 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Captcha/Honeypot for Contact Form 7 < 1.11.4 - Captcha Bypass
Description The Captcha/Honeypot for Contact Form 7 plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.11.3. This makes it possible for unauthenticated attackers to bypass the Captcha Verification...
Elementor Website Builder < 3.16.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()
Description The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the getinlinesvg function in versions up to, and including, 3.16.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WooCommerce Product Table Lite < 3.1.0 - CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF
Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution. PoC 1. Ensure your WordPress...
Code Snippets < 3.6.0 - Arbitrary settings change via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
Description The plugin does not validate and sanitise the wpquery parameter which allows an attacker to run arbitrary command on the remote server PoC 1. Go to "All Export" "New Export" 2. Select "WP Query Results" as the export type 3. Enter the payload phpinfo for the query. 4. Click...
OneClick Chat to Order < 1.0.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal
Description IThe plugin does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks PoC 1 Go to http://yoursite/wordpress/wp-admin/admin.php?page=qutterawmscannerint 2 Click "Scan Now" 3 Click "Detected Threats" 4 Navigate to some...
Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure
Description The plugin doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code PoC http://yoursite/wordpress/wp-content/plugins/quttera-web-malware-scanner/runtime.log...
Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Stored XSS via Arbitrary Setting Update
Description The plugin does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. PoC 1 Make sure the plugin is configured with the "Catalog Mode" activated. 2 Launch the following from your browser's console:...
Autocomplete Location field Contact Form 7 < 3.0 - Admin+ Store Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Contact Google Place API...
Simple User Listing < 1.9.3 - Reflected XSS
Description The plugin does not sanitise and escape the as parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF
Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution. PoC Submit the following form as a Super Admin notice that it does not contain a nonce. Despite the error...
EazyDocs < 2.3.4 - Subscriber + SQLi
Description The plugin does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. PoC 1. Create a document then create some sections in the documen...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page containing a specific content, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC On a post/page where containing the following output...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page containing the HTML code below...
File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal
Description The plugin does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites...
Paid Memberships Pro < 2.12.4 - Subscriber+ Arbitrary File Upload
Description The plugin does not properly validate file type in its pmpropaypalexpresssessionvarsforuserfields function, which could allow any authenticated users, such as subscriber to upload arbitrary files on the server. Note: Exploitation of the issue requires 2Checkout deprecated since versio...
Star CloudPRNT for WooCommerce < 2.0.4 - Reflected XSS
Description The plugin does not sanitise and escape the printersettings parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CodeBard's Patron Button and Widgets for Patreon < 2.2.0 - Reflected XSS
Description The plugin does not sanitise and escape the cbp6tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Icons Font Loader < 1.1.3 - Admin+ Arbitrary File Upload
Description The plugin does not properly validate files to be uploaded, allowing high privilege users such as admin to upload arbitrary file on the server...
Login Screen Manager <= 3.5.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
Arigato Autoresponder and Newsletter < 2.7.2.3 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Star CloudPRNT for WooCommerce <= 2.0.3 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Donations Made Easy - Smart Donations <= 4.0.12 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
WooCommerce Product Enquiry <= 2.3.4 - Unauthenticated Stored XSS
Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
Raise Mag <= 1.0.7 and Wishful Blog <= 2.0.1 - Reflected XSS
Description The themes do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Thumbnail Slider With Lightbox < 1.0.1 - Arbitrary File Upload via CSRF
Description The plugin does not have CSRF check in the addedit feature, which could allow attackers to make logged in admins upload arbitrary files via a CSRF attack...
Webmaster Tools <= 2.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
LearnPress < 4.2.5.5 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC Make a logged in admin open v...
Cleverwise Daily Quotes <= 3.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
Edit WooCommerce Templates <= 1.1.1 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WD WidgetTwitter <= 1.0.9 - Contributor+ SQLi
Description The plugin does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow users with the contributor role and above to perform SQL injection attacks...
WP Simple HTML Sitemap < 2.3 - Reflected XSS
Description The plugin does not sanitise and escape the id parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Accessibility Suite by Online ADA <= 4.11 - Subscriber+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber...
Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated Stored XSS
Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...