Jan 22, 2020 | WordPress Vulnerabilities
DescriptionContact Form Clean and Simple is vulnerable to Authenticated stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin’s options. This code will then be executed on every page with the contact form on the...
Jan 27, 2020 | WordPress Vulnerabilities
DescriptionMultiple vulnerabilities was discovered in the «CarSpot – Dealership WordPress Classified Theme», tested version — v2.2.0: – Authenticated Persistent XSS -> Registration Form/User Profile – Authenticated Persistent XSS -> Ad Post –...
Jan 19, 2020 | WordPress Vulnerabilities
Proof of Concept Vulnerable code is from like 68 to 84. The code gets the value of option `bm_row_amount` from database and matches it with the GET request `row_amount`. If they do not match then it updates the option `bm_row_amount` with the provided GET value. If...
Jan 15, 2020 | WordPress Vulnerabilities
DescriptionMultiple vulnerabilities was discovered in the «Real Estate 7 WordPress», tested version — v2.9.4: – Unauthenticated Reflected XSS – Authenticated Persistent XSS – Authenticated Persistent Self-XSS – IDOR – Information Exposure...
Jan 18, 2020 | WordPress Vulnerabilities
<html> <form action=”https://[WP]/wp-admin/admin.php?page=marketo_fat” method=”POST” id=”csrf”> <input type=”text” name=”marketo_save” value=”true”> <input...
Jan 17, 2020 | WordPress Vulnerabilities
Proof of Concept It is possible to login as any administrator on the site due to logical mistakes in the code. The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This checks if the request_params array of the core class is not...
