Author Archives: wpscanteam

(We are not closing any of our other products or services, just the online WPScan.io SaaS!)

WPScan.io started life in 2015 when we contracted a Rails development company to create a SaaS web front end on top of our WPScan CLI tool. Unfortunately, at that time, we only had the budget to complete around 50% of the work, as we were still a community project making hardly any money.

The project sat in this half finished state for three years, until 2018, when we had a little bit more money to hire a freelance Rails developer.

More

WordPress Plugin Vulnerabilities

• Recall Products <= 0.8 – Authenticated Cross-Site Scripting
• Recall Products <= 0.8 – Authenticated SQL Injection
• WP Smart CRM & Invoices FREE <= 1.8.7 – Authenticated Stored Cross-Site Scripting
• Ceceppa Multilingua <= 1.5.17 – Authenticated Reflected Cross-Site Scripting
• Bulk Change <= 1.0 – Authenticated Reflected Cross-Site Scripting
• WP Floating Menu < 1.4.1 – Authenticated Reflected Cross-Site Scripting
• Subscribe Sidebar <= 1.3.1 – Authenticated Reflected Cross-Site Scripting
• Quiz and Survey Master < 7.0.2 – Unauthenticated Arbitrary File Upload
• FooGallery < 1.9.25 – Authenticated Cross-Site Scripting (XSS)
• Autoptimize < 2.7.7 – Authenticated Arbitrary File Upload
• RSVPMaker < 7.8.2 – Unauthenticated SQL Injection
• WooCommerce – NAB Transact < 2.1.2 – Payment Bypass
• Contact Form – Form builder by Kali Forms < 2.1.2 – Multiple CSRF Bypass Issues
• Contact Form – Form builder by Kali Forms < 2.1.2 – Authenticated Plugin’s Settings Change
• Contact Form – Form builder by Kali Forms < 2.1.2 – Unauthenticated Arbitrary Post Deletion
• Advanced Access Manager < 6.6.2 – Authenticated Information Disclosure
• Advanced Access Manager < 6.6.2 – Authenticated Authorization Bypass and Privilege Escalation
• Discount Rules for WooCommerce < 2.1.0 – Multiple Vulnerabilities
• WP Customer Reviews < 3.4.3 – Multiple Unauthenticated and Low Priv Authenticated Stored XSS
• Elegant Testimonial <= 1.1.6 – Multiple Authenticated Stored Cross-Site Scripting
• Click to Top <= 1.2.7 – Authenticated Stored Cross-Site Scripting
• Change WordPress Login Logo <= 1.1.4 – Authenticated Stored Cross-Site Scripting
• Internal Links Manager <= 2.0.2 – Multiple Authenticated Stored Cross-Site Scripting
• Fancy Lightbox < 1.0.2 – Authenticated Stored Cross-Site Scripting
• Easy Media Download < 1.1.5 – Authenticated Stored Cross-Site Scripting
• NextGEN Gallery Sell Photo <= 1.0.4 – Authenticated Stored Cross-Site Scripting
• Responsive Lightbox2 < 1.0.3 – Authenticated Stored Cross-Site Scripting
• Colorbox Lightbox <= 1.1.2 – Authenticated Stored Cross-Site Scripting
• Sell Photo <= 1.0.5 – Authenticated Stored Cross-Site Scripting
• Sell Media < 2.4.2 – Unauthenticated Reflected Cross-Site Scripting (XSS)
• Quiz and Survey Master < 7.0.1 – Arbitrary File Upload
• Quiz and Survey Master < 7.0.1 – Unauthenticated Arbitrary File Deletion
• Ultimate Member < 2.1.7 – Unauthenticated Open Redirect
• Very Simple Quiz – Multiple Authenticated Stored Cross-Site Scripting (XSS)
• Admin Menu <= 1.1 – Authenticated Cross-Site Scripting (XSS)
• Cardoza WordPress Poll <= 36 – Authenticated SQL Injection
• Ultimate Appointment Booking & Scheduling < 1.1.10 – Authenticated Cross-Site Scripting (XSS)
• RSS Feed Widget < 2.8.1 – Authenticated Cross-Site Scripting (XSS)
• File Manager < 6.5 – Backup File Directory Listing
• The Official WordPress Facebook Chat Plugin < 1.6 – Authenticated Options Change to Chat Takeover
• CMP – Coming Soon & Maintenance < 3.8.2 – Improper Access Controls on AJAX Calls
• Elegant Themes (Divi 3.0 – 4.5.2, Extra 2.0 – 4.5.2, Divi Builder 2.0 – 4.5.2) – Authenticated Arbitrary File Upload
• Newsletter < 6.8.2 – Authenticated PHP Object Injection
• Newsletter < 6.8.2 – Authenticated Cross-Site Scripting (XSS)
• Product Input Fields for WooCommerce < 1.2.7 – Unauthenticated File Download

WordPress Theme Vulnerabilities

More

WordPress Plugin Vulnerabilities

• Quiz And Survey Master < 7.0.0 – Authenticated Stored Cross-Site Scripting (XSS)
• Gallery PhotoBlocks < 1.2.0 – Authenticated Cross-Site Scripting (XSS)
• Comments – wpDiscuz 7.0.0 – 7.0.4 – Unauthenticated Arbitrary File Upload
• WooCommerce Subscriptions < 2.6.3 – Unauthenticated Stored Cross-Site Scripting (XSS)
• JobSearch < 1.5.6 – Unauthenticated Reflected XSS
• Social Sharing Plugin < 1.2.10 – Cross-Site Request Forgery in Settings
• TC Custom JavaScript < 1.2.2 – Unauthenticated Stored Cross-Site Scripting (XSS)
• JobSearch < 1.5.5 – Unauthenticated Reflected Cross-Site Scripting
• Email Subscribers & Newsletters < 4.5.1 – Authenticated SQL injection in es_newsletters_settings_callback()
• Email Subscribers & Newsletters < 4.5.1 – Cross-site Request Forgery in send_test_email()
• All in One SEO Pack < 3.6.2 – Authenticated Stored Cross-Site Scripting
• Email Verification for WooCommerce < 1.8.2 – Loose Comparison to Authentication Bypass
• SendPress Newsletter < 1.20.7.13 – Authenticated Stored Cross-Site Scripting (XSS)
• Form Maker by 10Web < 1.13.40 – Authenticated Reflected XSS
• Newsletter < 6.7.7 – Authenticated Stored Cross-Site Scripting
• WP-Live Chat by 3CX < 8.2.0 – Authenticated Stored Cross-Site Scripting
• SRS Simple Hits Counter <= 1.0.4 – Unauthenticated Blind SQL Injection
• Powie’s WHOIS Domain Check < 0.9.33 – Authenticated Stored Cross-Site Scripting
• Wise Chat < 2.8.4 – CSV Injection
• Knight Lab Timeline < 3.7.0.0 – Outdated TimelineJS library could Lead to Stored XSS
• KingComposer < 2.9.5 – Unauthenticated Reflected Cross-Site Scripting
• Adning Advertising < 1.5.6 – Unauthenticated Arbitrary File Upload/Deletion
• Security & Malware scan by CleanTalk < 2.51 – Security Nonce Leak leading to Unauthorised AJAX call
• JobSearch < 1.5.3 – Multiple Cross-Site Scripting Issues
• Testimonials Widget <= 3.5.1 – Multiple Authenticated Stored (XSS)
• Payment Form For Paypal Pro < 1.1.65 – Unauthenticated SQL Injection
• WPForms < 1.6.0.2 – Authenticated Stored Cross-Site Scripting (XSS)

More

This is a copy of the WPScan User Documentation. Please refer to the Github Wiki version for the most up to date information.

Introduction

WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.

WPScan is written in the Ruby programming language. The first version of WPScan was released on the 16th of June 2011.

More

WordPress is undisputedly the most popular Content Management System (CMS) in use today. With the most commonly quoted figure being the one published by w3techs, putting WordPress at 37.7% of all websites today (July 2020) and growing. It is no surprise then that WordPress is also the most targeted CMS by hackers.

Despite what some believe, WordPress is a secure CMS, depending on what your definition of “secure” is.

More

WordPress Core Vulnerabilities

• WordPress < 5.4.2 – Disclosure of Password-Protected Page/Post Comments
• WordPress < 5.4.2 – Misuse of set-screen-option Leading to Privilege Escalation
• WordPress < 5.4.2 – Authenticated XSS via Theme Upload
• WordPress < 5.4.2 – Open Redirection
• WordPress < 5.4.2 – Authenticated XSS via Media Files
• WordPress < 5.4.2 – Authenticated XSS in Block Editor

More

Yesterday, June 10th, WordPress released version 5.4.2, which was a security and maintenance release.

Version 5.4.2 of WordPress fixes 6 separate security issues. Three of which addressed authenticated Cross-Site Scripting (XSS) vulnerabilities. One addressing an potential Open Redirect vulnerability. One privilege escalation vulnerability, and one issue where password protected posts and pages comments could be exposed in certain circumstances.

As well as the 5.4.2 minor version release, WordPress also released security fix for WordPress versions as far back as WordPress version 3.7, which was released in 2013. This is the full list of minor versions that WordPress released to fix the six security issues:

More

WordPress Plugin Vulnerabilities

• Multi Scheduler <= 1.0.0 – Arbitrary Record Deletion via CSRF
• MapPress Maps < 2.54.6 – Improper Capability Checks in AJAX Calls
• bbPress < 2.6.5 – Authenticated Stored Cross-Site Scripting via the forums list table
• bbPress 2.6-2.6.5 – Authenticated Privilege Escalation via the Super Moderator feature
• bbPress < 2.6.5 – Unauthenticated Privilege Escalation when New User Registration enabled
• Final Tiles Gallery < 3.4.19 – Authenticated Stored Cross-Site Scripting (XSS)
• Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – CSRF leading to XSS
• Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – Unprotected AJAX’s leading to XSS
• Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 – Unauthenticated File Upload Bypass
• Form Maker by 10Web <= 1.13.35 – Authenticated SQL Injection
• Official MailerLite Sign Up Forms < 1.4.5 – Multiple CSRF Issues
• Official MailerLite Sign Up Forms < 1.4.4 – Unauthenticated SQL Injection
• Add-on SweetAlert Contact Form 7 < 1.0.8 – Authenticated Stored Cross-Site Scripting (XSS)
• ThirstyAffiliates < 3.9.3 – Authenticated Stored XSS
• WP Frontend Profile < 1.2.2 – CSRF Check Incorrectly Implemented
• Paid Memberships Pro < 2.3.3 – Authenticated SQL Injection
• Ajax Load More < 5.3.2 – Authenticated SQL Injection
• Visual Composer < 27.0 – Multiple Authenticated Cross-Site Scripting Issues
• Team Members < 5.0.4 – Authenticated Stored Cross-Site Scripting (XSS)
• Photo Gallery by 10Web < 1.5.55 – Unauthenticated SQL Injection
• WP Product Review < 3.7.6 – Unauthenticated Stored Cross-Site Scripting (XSS)
• Login/Signup Popup < 1.5 – Authenticated Stored Cross-Site Scripting (XSS)
• Site Kit by Google < 1.8.0 – Privilege Escalation to gain Search Console Access
• Easy Testimonials < 3.6 – Authenticated Stored Cross-Site Scripting (XSS)
• WooCommerce < 4.1.0 – Unescaped Metadata when Duplicating Products
• Page Builder by SiteOrigin < 2.10.16 – CSRF to Reflected Cross-Site Scripting (XSS)
• Chopslider <= 3.4 – Unauthenticated Blind SQL Injection
• Iframe < 4.5 – Authenticated Stored Cross Site Scripting (XSS)
• Ultimate Addons for Elementor < 1.24.2 – Registration Bypass
• Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload
• Elementor < 2.9.8 – SVG Sanitizer Bypass leading to Authenticated Stored XSS
• Advanced Order Export For WooCommerce < 3.1.4 – Authenticated Cross-Site Scripting (XSS)
• WTI Like Post <= 1.4.5 – Authenticated Stored Cross-Site Scripting (XSS)

WordPress Theme Vulnerabilities

More

WordPress Core Vulnerabilities

• WordPress < 5.4.1 – Stored Cross-Site Scripting (XSS) in Customizer
• WordPress < 5.4.1 – Authenticated Cross-Site Scripting (XSS) in File Uploads
• WordPress < 5.4.1 – Cross-Site Scripting (XSS) in wp-object-cache
• WordPress < 5.4.1 – Authenticated Cross-Site Scripting (XSS) in Search Block
• WordPress < 5.4.1 – Authenticated Cross-Site Scripting (XSS) in Customizer
• WordPress < 5.4.1 – Unauthenticated Users View Private Posts
• WordPress < 5.4.1 – Password Reset Tokens Failed to Be Properly Invalidated

More

Since we launched our WordPress vulnerability database in 2014, we have been lacking one important factor, vulnerability risk scores. This was partly due to not being able to decide on which risk scoring system to use, not having the time to implement the system, and not having the time to assign risk scores to new vulnerabilities, if the system was implemented.

Today we’re happy to announce that all new WordPress vulnerability database vulnerabilities will come with a CVSS risk score. However, these will be limited to the API and to Enterprise users for now.

More