CVE-2023-0968: takings.php in watu/trunk/views – WordPress Plugin Repository

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn', 'email', 'points' and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The sink is the record filter form on the plugin's takings page (admin.php?page=watu_takings), so the user who has to be tricked is one who is logged in to wp-admin and can open that page. In the trunk version of the view reproduced below, 'dn' and 'date' are passed through esc_attr(), 'email' through sanitize_email() and 'points' through absint() before being written into the inputs' value attributes.

Tags: xss, web, js, java, wordpress, php, auth

<style type="text/css">
<?php watu_resp_table_css(800);?>
</style>

<?php if(!$in_shortcode):?>
<div class="wrap">
<h2><?php printf(__("Users who submitted the %s '%s'", 'watu'), WATU_QUIZ_WORD, $exam->name); ?></h2>

<p><?php _e("A lot more detailed reports, filters, exports, and other important features are available in", 'watu')?> <a href="http://calendarscripts.info/watupro" target="_blank">WatuPRO</a></p>

<p><a href="admin.php?page=watu_exams"><?php printf(__('Back to %s list', 'watu'), WATU_QUIZ_WORD_PLURAL)?></a>
<?php if($count):?> |
<a href="#" onclick="jQuery('#filterForm').toggle('slow');return false;"><?php _e('Filter/search these records', 'watu')?></a>
 |
<a href="admin.php?page=watu_takings&exam_id=<?php echo $exam->ID?>&watu_export=1&noheader=1&<?php echo $filters_url;?>"><?php printf(__('Export as CSV (%s delimited)', 'watu'), ($delim == ',' ? __('comma', 'watu') : __('tab', 'watu')) );?><?php if($display_filters):?> <?php _e('(Filters apply)', 'watu')?><?php endif;?></a>
 |
<a href="#" onclick="WatuDelAll();return false;"><?php printf(__('Delete all user-submitted data for this %s', 'watu'), WATU_QUIZ_WORD)?></a><?php endif;?></p>

<p><?php _e('Shortcode to publish a simplified version of this page:', 'watu');?> <input type="text" size="30" value='[watu-takings quiz_id=<?php echo $exam->ID?>]' readonly="readonly" onclick="this.select();"> <?php _e('You can switch off some columns.', 'watu');?> <a href="admin.php?page=watu_help"><?php _e('See the help page for configuration parementers.', 'watu');?></a></p>

<div class="wrap" style="min-width:60%;margin-right:2%;float:left">
<div id="filterForm" style='display:<?php echo $display_filters?'block':'none';?>;margin-bottom:10px;padding:5px;' class="widefat">
<form method="get" class="watu-admin" action="admin.php">
<input type="hidden" name="page" value="watu_takings">
<input type="hidden" name="exam_id" value="<?php echo $exam->ID?>">
<div><label><?php _e('Username', 'watu')?></label> <select name="dnf">
<option value="equals" <?php if(empty($_GET['dnf']) or $_GET['dnf']=='equals') echo "selected"?>><?php _e('Equals', 'watu')?></option>
<option value="starts" <?php if(!empty($_GET['dnf']) and $_GET['dnf']=='starts') echo "selected"?>><?php _e('Starts with', 'watu')?></option>
<option value="ends" <?php if(!empty($_GET['dnf']) and $_GET['dnf']=='ends') echo "selected"?>><?php _e('Ends with', 'watu')?></option>
<option value="contains" <?php if(!empty($_GET['dnf']) and $_GET['dnf']=='contains') echo "selected"?>><?php _e('Contains', 'watu')?></option>
</select> <input type="text" name="dn" value="<?php echo esc_attr($_GET['dn'] ?? '')?>"></div>
<div><label><?php _e('Email', 'watu')?></label> <select name="emailf">
<option value="equals" <?php if(empty($_GET['emailf']) or $_GET['emailf']=='equals') echo "selected"?>><?php _e('Equals', 'watu')?></option>
<option value="starts" <?php if(!empty($_GET['emailf']) and $_GET['emailf']=='starts') echo "selected"?>><?php _e('Starts with', 'watu')?></option>
<option value="ends" <?php if(!empty($_GET['emailf']) and $_GET['emailf']=='ends') echo "selected"?>><?php _e('Ends with', 'watu')?></option>
<option value="contains" <?php if(!empty($_GET['emailf']) and $_GET['emailf']=='contains') echo "selected"?>><?php _e('Contains', 'watu')?></option>
</select> <input type="text" name="email" value="<?php echo sanitize_email($_GET['email'] ?? '')?>"></div>
<div><label><?php _e('Date Taken', 'watu')?></label> <select name="datef">
<option value="equals" <?php if(empty($_GET['datef']) or $_GET['datef']=='equals') echo "selected"?>><?php _e('Equals', 'watu')?></option>
<option value="before" <?php if(!empty($_GET['datef']) and $_GET['datef']=='before') echo "selected"?>><?php _e('Is before', 'watu')?></option>
<option value="after" <?php if(!empty($_GET['datef']) and $_GET['datef']=='after') echo "selected"?>><?php _e('Is after', 'watu')?></option>
</select> <input type="text" name="date" value="<?php echo esc_attr($_GET['date'] ?? '')?>"> <i>YYYY-MM-DD</i></div>
<div><label><?php _e('Points received', 'watu')?></label> <select name="pointsf">
<option value="equals" <?php if(empty($_GET['pointsf']) or $_GET['pointsf']=='equals') echo "selected"?>><?php _e('Equal', 'watu')?></option>
<option value="less" <?php if(!empty($_GET['pointsf']) and $_GET['pointsf']=='less') echo "selected"?>><?php _e('Are less than', 'watu')?></option>
<option value="more" <?php if(!empty($_GET['pointsf']) and $_GET['pointsf']=='more') echo "selected"?>><?php _e('Are more than', 'watu')?></option>
</select> <input type="text" name="points" value="<?php echo absint($_GET['points'] ?? 0)?>"></div>

<div><label><?php _e('Grade/result equals:', 'watu')?></label> <select name="grade_id">
<option value="0"><?php _e('- Any grade / result -', 'watu')?></option>
<?php foreach($grades as $grade):?>
<option value="<?php echo $grade->ID?>" <?php if(!empty($_GET['grade_id']) and $_GET['grade_id'] == $grade->ID) echo 'selected'?>><?php echo stripslashes($grade->gtitle)?></option>
<?php endforeach;?>
</select> <?php _e('(This filter will exclude grades earned prior to Watu version 2.4.7)', 'watu')?></div>

<?php if(!empty($namaste_courses)):?>
<div><label><?php _e('Student in course:', 'watu')?></label> <select name="namaste_course_id">
<option value=""><?php _e('Any course', 'watu')?></option>
<?php foreach($namaste_courses as $namaste_course):?>
<option value="<?php echo $namaste_course->ID?>" <?php if(!empty($_GET['namaste_course_id']) and $_GET['namaste_course_id'] == $namaste_course->ID) echo 'selected'?>><?php echo stripslashes($namaste_course->post_title)?></option>
<?php endforeach;?>
</select></div>
<?php endif;?>

<?php if(count($source_urls)):?>
<div><label><?php _e('Submitted from page:', 'watu')?></label> <select name="source_url">
<option value=""><?php _e('Any source', 'watu')?></option>
<?php foreach($source_urls as $source_url):?>
<option value="<?php echo $source_url->source_url?>" <?php if(!empty($_GET['source_url']) and $_GET['source_url'] == $source_url->source_url) echo 'selected'?>><?php echo $source_url->source_url?></option>
<?php endforeach;?>
</select></div>
<?php endif;?>

<div><input type="submit" value="<?php _e('Search/Filter', 'watu')?>">
<input type="button" value="<?php _e('Clear Filters', 'watu')?>" onclick="window.location='admin.php?page=watu_takings&exam_id=<?php echo $exam->ID;?>';"></div>
</form>
</div>
<?php endif; // end if not in shortcode
if($count):?>
<p><?php printf(__('%d records found', 'watu'), $count);?></p>
<form method="post">
<table class="widefat watu-table">
<thead>
<tr>
<?php if(!$in_shortcode):?><th><input type="checkbox" onclick="watuSelectAll(this);"></th><?php endif;?>
<th><a href="<?php echo $target_url?>&ob=tU.user_login&offset=<?php echo $offset?>&dir=<?php echo $odir?>&<?php echo $filters_url;?>"><?php
if($show_email) _e('Name & Email', 'watu');
else _e('Name', 'watu');?></a></th>
<th><a href="<?php echo $target_url?>&ob=tT.date&offset=<?php echo $offset?>&dir=<?php echo $odir?>&<?php echo $filters_url;?>"><?php _e('Date', 'watu')?></a></th>
<?php if($show_points):?><th><a href="<?php echo $target_url?>&ob=tT.points&offset=<?php echo $offset?>&dir=<?php echo $odir?>&<?php echo $filters_url;?>"><?php _e('Points', 'watu')?></a></th><?php endif;?>
<?php if($show_percent):?><th><a href="<?php echo $target_url?>&ob=tT.percent_correct&offset=<?php echo $offset?>&dir=<?php echo $odir?>&<?php echo $filters_url;?>"><?php _e('% correct', 'watu')?></a></th><?php endif;?>
<th><?php _e('Result', 'watu')?></th>
<?php if(!$in_shortcode):?>
<th><?php _e('Details', 'watu')?></th><th><?php _e('Delete', 'watu')?></th>
<?php endif; // end if not in shortcode; ?></tr>
</thead>
<tbody>

<?php foreach($takings as $taking):
if(empty($taking->email) and !empty($taking->user_email)) $taking->email = $taking->user_email;
$class = ('alternate' == @$class) ? "" : 'alternate';?>
<tr class="<?php echo $class?>">
<?php if(!$in_shortcode):?><td><input type="checkbox" name="ids[]" value="<?php echo $taking->ID?>" class="wtpChk" onclick="watuShowHideButton();"></td><?php endif;?>
<td><?php echo $taking->user_id ? '<a href="user-edit.php?user_id='.$taking->user_id.'">'.$taking->user_login.'</a>': _e('N/a', 'watu');?>
<?php if(!empty($taking->email) and $show_email) echo "<br>".$taking->email;?></td>
<td><?php echo date_i18n(get_option('date_format'), strtotime($taking->date));
if(!empty($taking->source_url)) printf('<br>'.__('Source: %s', 'watu'), $taking->source_url);?></td>
<?php if($show_points):?><td><?php echo $taking->points?></td><?php endif;?>
<?php if($show_percent):?><td><?php printf(__('%d%%', 'watu'), $taking->percent_correct)?> <br>
<?php printf(__('%d correct, %d wrong, and %d unanswered', 'watu'), $taking->num_correct, $taking->num_wrong, $taking->num_empty);?></td><?php endif;?>
<td><?php echo $in_shortcode ? stripslashes($taking->grade_title) : apply_filters(WATU_CONTENT_FILTER, $taking->result)?></td>
<?php if(!$in_shortcode):?>
<td><?php if(empty($taking->snapshot)): _e('n/a', 'watu');
else:?><a href="#" onclick="Watu.takingDetails('<?php echo $taking->ID?>');return false;"><?php _e('view', 'watu')?></a><?php endif;?></td>
<td><a href="#" onclick="WatuDelTaking('<?php echo wp_nonce_url('admin.php?page=watu_takings', 'watu_del_taking');?>&exam_id=<?php echo $exam->ID?>&del_taking=1&id=<?php echo $taking->ID?>');return false;"><?php _e('Delete', 'watu')?></a></td>
<?php endif; // end if not in shortcode ?>
</tr>
<?php endforeach;?>
</tbody>
</table>
<?php if(!$in_shortcode):?>
<p align="center" style="display:none;" id="watuMassFrm">
<input type="button" class="button" value="<?php _e('Delete selected', 'watu');?>" onclick="confirmDelTakings(this.form);">
<input type="hidden" name="del_takings" value="0">
</p>
<?php wp_nonce_field('watu_del_takings');?>
<?php endif;?>
</form>

<?php if(!$in_shortcode or empty($atts['num'])):?>
<p align="center"><?php if($offset>0):?><a href="<?php echo $target_url?>&offset=<?php echo ($offset-10)?>&ob=<?php echo $ob?>&dir=<?php echo $dir?>&<?php echo $filters_url;?>"><?php _e('Previous page', 'watu')?></a><?php endif;?>

<?php if($offset + 10 < $count):?> <a href="<?php echo $target_url?>&offset=<?php echo ($offset+10)?>&ob=<?php echo $ob?>&dir=<?php echo $dir?>&<?php echo $filters_url;?>"><?php _e('Next page', 'watu')?></a> <?php endif;?></p>
<?php endif;?>

<?php else:?>
<p><?php _e('No results match your search criteria.','watu')?></p>
<?php endif;?>


<?php if(!$in_shortcode):?>
</div>

<div id="watu-sidebar">
<?php include(WATU_PATH."/views/sidebar.php");?>
</div>

<form id="cleanupTakingsForm" method="post">
<input type="hidden" name="delete_all_takings" value="0">
<?php wp_nonce_field('watu_delete_all');?>
</form>
<script type="text/javascript">
function WatuDelTaking(url) {
    if(confirm("<?php _e('Are you sure?', 'watu')?>")) {
        window.location = url;
    }
}

function WatuDelAll() {
    if(!confirm("<?php printf(__('Are you sure? This will delete ALL user results for this %s!', 'watu'), WATU_QUIZ_WORD)?>")) return false;

    jQuery('#cleanupTakingsForm input[name=delete_all_takings]').val("1");
    jQuery('#cleanupTakingsForm').submit();
}
</script>
</div>
<?php endif;?>


<script type="text/javascript">
<?php watu_resp_table_js();?>

function watuSelectAll(chk) {
    if(chk.checked) jQuery('.wtpChk').prop('checked', true);
    else jQuery('.wtpChk').prop('checked', false);

    watuShowHideButton();
}

function watuShowHideButton() {
    var anyChecked = false;

    jQuery('.wtpChk').each(function(e, elt) {
        if(elt.checked) {
            anyChecked = true;
            return true;
        }
    });

    if(anyChecked) jQuery('#watuMassFrm').show();
    else jQuery('#watuMassFrm').hide();
}

function confirmDelTakings(frm) {
    if(confirm('<?php _e('Are you sure?', 'watu')?>')) {
        frm.del_takings.value = 1;
        frm.submit();
    }
}
</script>
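The filter form in the view above is the sink: the four GET parameters are written straight into an input's value attribute, so a value containing a double quote closes the attribute and whatever follows is parsed as markup. The script below is an added example, not code from the Watu plugin or from the advisory. It renders the same four fields once with verbatim interpolation (the pre-3.3.9 behaviour the CVE describes) and once with the escaping the trunk view uses, feeds both a constructed attacker query string, and reports which fields still break out of their attribute. It runs outside WordPress, so esc_attr(), sanitize_email() and absint() are replaced by stand-ins (defined only when the real functions are not loaded); the stand-in for sanitize_email() is an approximation, not the WordPress implementation.

```php
<?php
// Added example for CVE-2023-0968: reflected GET parameters in an attribute value,
// vulnerable rendering next to the escaped rendering. Not code from the Watu plugin.
declare(strict_types=1);

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode &, <, >, " and ' for attribute context.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    // Stand-in for WordPress absint(): coerce to a non-negative integer.
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('sanitize_email')) {
    // Approximation of WordPress sanitize_email() (assumption, not the real routine):
    // strip characters that cannot appear in an address, return '' if what is left is not one.
    function sanitize_email(string $s): string {
        $clean = preg_replace('/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~.@-]/', '', $s);
        return filter_var($clean, FILTER_VALIDATE_EMAIL) !== false ? $clean : '';
    }
}

// Pre-fix pattern: every parameter is interpolated verbatim into value="...".
function render_filters_vulnerable(array $get): string {
    return '<input type="text" name="dn" value="' . ($get['dn'] ?? '') . '">' . "\n"
         . '<input type="text" name="email" value="' . ($get['email'] ?? '') . '">' . "\n"
         . '<input type="text" name="date" value="' . ($get['date'] ?? '') . '">' . "\n"
         . '<input type="text" name="points" value="' . ($get['points'] ?? 0) . '">' . "\n";
}

// Fixed pattern, matching the trunk view: escape or coerce each value for its type.
function render_filters_fixed(array $get): string {
    return '<input type="text" name="dn" value="' . esc_attr($get['dn'] ?? '') . '">' . "\n"
         . '<input type="text" name="email" value="' . sanitize_email($get['email'] ?? '') . '">' . "\n"
         . '<input type="text" name="date" value="' . esc_attr($get['date'] ?? '') . '">' . "\n"
         . '<input type="text" name="points" value="' . absint($get['points'] ?? 0) . '">' . "\n";
}

// Reflection check: a raw '"' or '<' inside a rendered value means the attacker
// could close the attribute or open a tag. Returns the names of fields that break out.
function broken_out(string $html): array {
    $names = [];
    if (preg_match_all('/name="(\w+)" value="(.*)">/', $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $row) {
            if (strpos($row[2], '"') !== false || strpos($row[2], '<') !== false) {
                $names[] = $row[1];
            }
        }
    }
    return $names;
}

function report(string $label, string $html): void {
    $hits = broken_out($html);
    echo "--- {$label} ---\n", $html,
         "breaks out of attribute: ", $hits ? implode(', ', $hits) : '(none)', "\n\n";
}

// Constructed attacker request: each parameter closes value="..." and opens a tag.
$payload = '"><img src=x onerror=alert(document.domain)>';
$query = http_build_query([
    'page'    => 'watu_takings',
    'exam_id' => '1',
    'dn'      => $payload,
    'email'   => 'a@b.test' . $payload,
    'date'    => '2023-01-01' . $payload,
    'points'  => '10' . $payload,
]);
parse_str($query, $get);   // what $_GET would hold for that query string

report('vulnerable (<= 3.3.9 pattern)', render_filters_vulnerable($get));
report('fixed (trunk pattern)', render_filters_fixed($get));
```

The point of using three different helpers rather than esc_attr() everywhere is that escaping and validation answer different questions: esc_attr() makes any string safe to place in an attribute, absint() rejects everything that is not a number before it reaches the SQL filter, and sanitize_email() drops characters that cannot be part of an address. For a free-text field like 'dn' the escaper is the necessary part; the other two are input validation that also happens to remove the XSS characters.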

Related news

WordPress Watu Quiz 3.3.9 / GN Publisher 1.5.5 / Japanized For WooComerce 2.5.4 XSS

WordPress plugins Watu Quiz versions 3.3.9 and below, GN Publisher versions 1.5.5 and below, and Japanized For WooCommerce versions 2.5.4 and below suffer from cross-site scripting vulnerabilities.
