2015-03-13

IP Blacklist Cloud 3.42, Arbitrary File Disclosure

The IP Blacklist Cloud plugin exposes several AJAX functions to users. One of these is the ‘importCSVIPCloud’ action, which looks to be used to import CSV files into the system's blacklist. This action is susceptible to Directory Traversal, and does...

2015-03-09

Wpshop - eCommerce 1.3.9.5, Arbitrary File Upload

The script ‘includes/ajax.php’ allows execution of various actions by anonymous users. The action name is provided in the ‘elementCode’ parameter. One of these actions is named ‘ajaxUpload’. This function allows for upload of arbitrary files, due to...

2015-03-09

Custom Community 2.0 - 2.0.24, Persistent XSS

An AJAX action named ‘cc2_advanced_settings_save’ is registered both with and without the ‘nopriv’ prefix. This allows anonymous execution of this AJAX action. The ‘settings[custom_css]’ form field accepts user input, without encoding or validation....

2015-03-07

FormGet Contact Form 5.3, Persistent XSS

The AJAX action ‘request_response’, defined in formget-contact-form/index.php line 278, is available to any logged-in user. The parameter ‘value’ is accepted as valid, so long as the string ‘sideBar’ is found at a position other than 0 (i.e. prefix the...

2015-02-21

Gallery Bank - Responsive Photo Gallery 3.0.101, SQL Injection

The Gallery Bank – Responsive Photo Gallery plugin exposes a Short Code named ‘gallery_bank’, in order to allow site publishers to insert galleries into pages / posts. This Short Code is vulnerable to a UNION based SQL Injection. This is possible by...

2015-02-18

WordPress Store Locator 3.33.1, SQL Injection

Using a combination of GET fields, it is possible to perform a SQL Injection attack using the ‘sl-xml.php’ script. This injection is performed on the LIMIT of the SQL query, however retrieving data via this vulnerability is very easy, due to the...

2015-02-09

Users Ultra 1.4.35, SQL Injection

The AJAX action ‘edit_photo_cate’, which is defined in the file ‘users-ultra/addons/photocategories/admin/admin.php’, allows for SQL Injection via the POST parameter ‘cate_id’. This parameter is used in a call to the WordPress function...

2015-02-02

WordPress Video Player 1.5.4, Reflected XSS

The ‘Tags’ section of ‘WordPress Video Player’ under WordPress Administration contains two fields that are vulnerable to a Reflected XSS attack. This is due to the fact that the values passed through to these fields are not encoded prior to output....

2015-02-02

WordPress Calls to Action <=2.2.7, Persistent XSS

The AJAX action ‘inbound_form_save’ allows unauthenticated users to update the content of any specific form on the site. In order to exploit this, a form ID must be enumerated using another unauthenticated AJAX action, ‘inbound_get_form_data’. Once a...
