The Ultimate Member plugin utilizes the Redux Framework. The Redux Framework includes a script named ‘class.p.php’, which acts as a HTTP proxy. Utilizing this script, it is possible to trigger a Reflected XSS attack, by loading data from a location...
The Smart Website Tools by AddThis plugin exposes an AJAX function called ‘at_async_loading’ in ‘addthis/addthis-for-wordpress.php’. Access to this function is restricted to Registered users, however is not restricted to Administrative users, meaning...
The Ultimate Social Media Icons plugin exposes several AJAX methods to all registered users, regardless of user level (see content of ultimate-social-media-icons/libs/controllers/sfsi_buttons_controller.php). These methods are used to update settings...
The Formidable Forms plugin exposes a function to the public, which allows for preview of forms. Within the body of the form preview, a field named ‘_wp_http_referer’ is set. This will contain arguments passed through in the URL. Due to a do_shortcode...
I've seen people playing on Vulnhub for quite a while, however have never taken part myself. After spending time training myself, and learning as much as I can in various fields of security, I thought it was about time I took a serious crack at one of...
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to a Persistent XSS attack on the settings screen, due to a lack of sanitation of user input, and lack of CSRF token (nonce)
The Anti-Malware and Brute-Force Security by ELI has two issues which we will cover in this report. The first is that no nonce (CSRF token) is utilized on the settings screen. This could potentially result in resource utilization (by performing a...
User input is not validated correctly when accepting an Invitation Code, as such an SQL Injection attack is possible. This attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are provided to any page, by any user (anonymous...
User input is not validated correctly when accepting a login request via the Pie Register plugin. It is possible to manipulate posted variables in order to login using an arbitrary User ID (such as 1, for the default Administrative account).