Blog


CarSpot < 2.2.1 – Multiple Vulnerabilities
Description: Multiple vulnerabilities were discovered in the «CarSpot – Dealership Wordpress Classified Theme», tested version — v2.2.0: - Authenticated Persistent XSS -> Registration Form/User Profile - Authenticated Persistent XSS -> Ad Post - IDOR leading to...

Batch-Move Posts <= 1.5 – Broken Authentication leading to Unauthenticated Stored XSS
Proof of Concept: The vulnerable code is from line 68 to 84. The code gets the value of the option `bm_row_amount` from the database and compares it with the GET request parameter `row_amount`. If they do not match, it updates the option `bm_row_amount` with the provided GET value. If...

Real Estate 7 < 2.9.5 – Multiple Vulnerabilities
Description: Multiple vulnerabilities were discovered in the «Real Estate 7 WordPress», tested version — v2.9.4: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - Authenticated Persistent Self-XSS - IDOR - Information Exposure Edit (WPScanTeam): January...

Marketo Forms and Tracking <= 1.0.2 – CSRF to XSS
<html> <form action="https://[WP]/wp-admin/admin.php?page=marketo_fat" method="POST" id="csrf"> <input type="text" name="marketo_save" value="true"> <input type="text" name="marketo[marketo_id]"...

InfiniteWP Client < 1.9.4.5 – Authentication Bypass
Proof of Concept: It is possible to log in as any administrator on the site due to logical mistakes in the code. The issue resides in the function `iwp_mmb_set_request`, which is located in the `init.php` file. This checks if the `request_params` array of the core class is not...

Chained Quiz < 1.1.8.2 – Reflected XSS
Description: The WordPress plugin Chained Quiz before 1.1.8.2 suffers from a Reflected XSS vulnerability in the 'total_questions' POST parameter when a user completes a quiz. The code in question accepts the 'total_questions' parameter without escaping the special...
![LearnDash < 3.1.2 – Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.](https://shawndewolfe.com/wp-content/uploads/2020/01/learndash-3-1-2-reflected-cross-site-scripting-xss-issue-on-the-ld_profile-search-field.png)
LearnDash < 3.1.2 – Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.
Description: Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field. First reported to LearnDash on January 14, 2020, and update 3.1.2 to fix it was released the same day. This report is based on an email LearnDash sent out to their users on January 14,...

ListingPro < 2.5.4 – Unauthenticated Reflected XSS
Description: Reflected XSS was discovered in the «ListingPro - WordPress Directory Theme», tested version — v2.5.3 Edit - WPScanTeam: January 13th, 2020 - Report Received & Envato Contacted January 13th, 2020 - Envato Investigating January 15th, 2020 - Theme...

Backup and Staging by WP Time Capsule < 1.21.16 – Authentication Bypass
Proof of Concept: It is possible to log in as an administrator on the site due to logical mistakes in the code. The issue resides in `wptc-cron-functions.php` line 12, where it parses the request. This `parse_request` function calls the function `decode_server_request_wptc`...

EasyBook < 1.2.2 – Multiple Vulnerabilities
Description: Multiple vulnerabilities were discovered in the «EasyBook – Directory & Listing WordPress Theme», tested version — v1.2.1: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR December 27th, 2019 - Envato Contacted January 6th, 2020 -...