2015-02-02

WP Ultimate CSV Importer <=3.6.74, Information Disclosure

Due to a lack of verification of a visitor's permissions, it is possible to execute the ‘export.php’ script included in the default installation of this plugin and retrieve the full contents of the user table in the WordPress installation. This results...

2015-02-02

Revive Old Post <=6.9.0, Privilege Escalation

Leveraging a publicly accessible AJAX function named ‘update_response’, it is possible to update any option within the WordPress installation. Using this vulnerability, it is possible to gain administrative access to the WordPress installation by...

2015-01-29

XSS and WordPress – The Aftermath

So many themes and plugins contain XSS (both reflected and persistent) vulnerabilities. While I’ve discovered a number of these, I’ve never actually tried to leverage one to do any harm. I thought I’d do a quick experiment to see how much damage you...

2014-12-29

Cart66 Lite 1.5.3, SQL Injection

The QSA named ‘q’ for the ‘promotionProductSearch’ AJAX call is not sanitized, which allows for MySQL injection using a UNION. The user must be logged in for this to be applicable. The output is JSON encoded, but is a pure representation...

2014-12-29

Sell Downloads 1.0.1, Arbitrary File Disclosure

Due to the lack of sanitization of user input, it is possible to download arbitrary files from the site under the context of the web server. This could lead to disclosure of server configuration or other sensitive information.

2014-12-29

Cart66 Pro 1.5.3, Arbitrary File Disclosure

The ability to change settings as a registered (non-admin) user allows us to trigger an arbitrary file disclosure vulnerability with any path of our choosing. One limitation of this vulnerability is that the target user (in the PoC, ‘test’) needs to...

2014-11-05

WordPress Store Locator 2.3 - 3.11, SQL Injection

Due to passing the $_GET variable scope into the extract function, an anonymous user can craft a request that will allow them to inject arbitrary SQL into the query which is later built from variables within the script. The output from this query is...

2014-11-05

Ampache 3.7.0, Reflected XSS

The default installation of Ampache includes a script in the web root named ‘show_get.php’, which, when provided with two QSAs, can be made to output unsanitized content. This could be used to inject arbitrary content under the context of the user...

2014-11-03

post highlights 2.0 - 2.6, Persistent XSS

Due to a script having no access protection and including the ‘wp-load.php’ script, it is possible to update the ‘post highlights’ settings for any post. Using this flaw, you can enable ‘post highlights’ and insert arbitrary HTML content, which will...
