The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the ~/includes/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.

CVE-2021-39314: Vulnerability Advisories - Wordfence

The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.

CVE-2021-39312: Vulnerability Advisories - Wordfence

The duoFAQ - Responsive, Flat, Simple FAQ WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/duogeek/duogeek-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.8.

CVE-2021-39319: Vulnerability Advisories - Wordfence

glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.

Incidentally, it's worth mentioning that the lockout is based on failed attempts from an IP address, not by user name. So the valid user could still log into the site. Unless they're sharing a public IP with the attacker, of course.

…

On Thu, Dec 9, 2021 at 9:43 AM Lee Garner \*\*\*@\*\*\*.\*\*\*> wrote: Currently the full name (could be a nickname) is shown along with the username. I don't think it would hurt to show only the fullname, if available, otherwise the user name. Creating a "nickname" field is interesting, but I suspect most users will leave it blank if allowed, or use their login names for it as well. On Thu, Dec 9, 2021 at 2:12 AM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: > We can get username on this link: > > http://192.168.255.130/glfusion1.7.9/public\_html/users.php?mode=profile&uid=3 > \[image: firefox\_fIwf2EDlUU\] > <https://user-images.githubusercontent.com/73220685/145376552-976aae00-0893-44b7-ac14-0c1e7de9233f.png\> > > So, attacker can get all username . > > Then they can always log in to all users with the wrong password, which > will prevent all users from logging in to the website normally. > > \[image: firefox\_LrrbnCvHFd\] > <https://user-images.githubusercontent.com/73220685/145376725-bde27dbe-c667-4ba4-8cf4-4b5f99998885.png\> > > There are two solutions: > > 1. > > set the verification code on the login page > 2. > > The second is to display the user's nickname instead of the login name > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#487\>, or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABYLFOJM34JDJPZKT6FGA4TUQB6JPANCNFSM5JWB3F2Q\> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>. > >

CVE-2021-44949: glFusion CMS 1.7.9 user Login denied vulnerability · Issue #487 · glFusion/glfusion

An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload.

AbanteCart version 1.3.2

In this release:

Core:

*   PHP v8.0 Compatibility
*   Page builder supportability
*   Magic methods support in the hook classes
*   core/engine/extension.php improvement (see commit for details)
*   DOM Based Cross-Site Scripting fix
*   added restrictions for available shipping methods during checkoout
*   Maximum Weight of Parcel #1497
*   Added dimensions and weight into order products
*   default Resource library Types icons + Retina fix
*   changes related to page builder + fix of extensions hook calls
*   phar internal corruption resolution #1504
*   SVG File type suppoer a& validation
*   Options value weight class follow the products base weight class
*   Query optimization for MariaDB
*   Email base64 encoding
*   Multistore subdomain fixes
*   Multistore template selection fixes

Admin:

*   added validation for svg/svgz files on script calls inside.
*   Product form volume validation #1496
*   improvement of Tabs on product and category edit pages
*   tables size calculation fix
*   weight description fix in the option values table
*   extensions grid & extension summary section
*   New resource library type icons
*   Product options SKU display
*   Backup fix and improvement
*   Embed bug fixes
*   global search bug fix
*   Taxes report fix

Storefront:

*   Login Display Prices OFF block issue #1493
*   Shipping limits by weight volume #1495
*   Minimal order parcel size volume not work #1499
*   "Wrong Dimensions of product" error #1498
*   jquery.flexyslider upgraded to v2.7.2
*   custom.js improvement
*   Fastcheckout improvement and fixes
*   Coupon session fix
*   Brands block improvement

Extensions:

*   Number of new hooks for expandability
*   CardKnox payment instance id issue resolution

AbanteCart version 1.3.1

In this release:

*   Core: taskManager. fix of error output
*   Core: ALoader improvement. Added debug backtrace
*   Core: added Date product option type ACORN-108
*   minimal php version now 7.3.0
*   Core: ACart minor improvements
*   Core: core/lib/config.php fixes related to seo-postfix and config store id type cast
*   Core+ SF: changes related to virtual products purchasing (gift certificates etc)
*   Core: changes related to virtual products purchasing (gift certificates etc)
*   Core: changes related to AResource::getMainThumbList() method.
*   Core: add hook to category\_top, category\_bottom block and manufacturer page
*   Core: changes related to virtual products purchasing (gift certificates etc)
*   Core+ SF: changes related to virtual products purchasing (gift certificates etc)
*   Core: html-class improvement (number, email input types)
*   Core: AResource minor improvement
*   Core: core/engine/extensions reformatting
*   Core: ALayout improvement related to hooks
*   Core: AResource bug fix

Admin:

*   Admin: ACORN-563 embed in multistore fix
*   Admin: general.js fix related to tasks ACORN-554
*   Admin: collection controller fix
*   Admin: global search improvement, added search by sku ACORN-549
*   Admin: collection controller fix
*   Admin: email templates controller and model code improvements
*   Admin: fix related to cdn-image-downloads from import csv-file
*   Admin: added hook calls into customer controller
*   Admin: order details minor improvement of tpl
*   Admin: added check for extensions layouts xml into template installation and template switch processes
*   Admin: fix for storefront\_order\_confirm email template
*   Admin: collection model fix
*   Admin: lib configManager fix
*   Admin: order totals grid improvement (related to predefined sort and calculation orders for balance and total)
*   Admin: collection form js-fix
*   Admin: language manager fix related to auto-translations
*   Admin: package manager fix. Added "tax" extension type + reformatting
*   Admin: package manager fix. Added "tax" extension type + reformatting
*   Admin: sale/contact email RL-image's URL fix
*   Admin: product option value url fix
*   Admin: controller for downloading file improvement

Storefront:

*   improvement related to option value images
*   ACORN-561 guest and logged in customer sessions fix
*   fast checkout payment fix ACORN-560
*   Request add cost column method (#1485)
*   ACORN-559 fast checkout order summary tax display fix
*   ACORN-552 taxes report: incorrect orders count
*   Guest Checkout Create Account feature fix ACORN-557
*   ACORN-558 base product weight field description
*   upgrade scripts fixes
*   Add product option cost (#1484)
*   ACORN-553 banner group name issue fix
*   ACORN-551 "add to cart" buttons on home page blocks
*   #1472 typo fix
*   fix ACORN-548 embed: options values images
*   fix ACORN-267 Pickup from Store use the store address for taxes
*   #1464 wordpress embed fast checkout buttons fix
*   #1483 embed fix
*   embed code default height fix
*   ACORN-550 Typed property ControllerPagesCatalogCollections::$error fix
*   #1472 fileinfo PHP extension check to the 1.3 installation and upgrade
*   #1464 mobile add to cart buttons fix
*   fix ACORN-255 Import wizard category split separator
*   ACORN-547 FastCheckout fix
*   #1482 WordPress 5.8 SameSite cookie issue
*   #1473 default\_ups. reformatted code
*   #1472 system requirements refactoring
*   #1472 minimal version of php now 7.4
*   #1457 extra white space in front of the email headers
*   add hooks to admin order details and order invoice (#1480)
*   Storefront: order details minor improvement of tpls
*   Collection model fix
*   Account/logout controller improvement
*   Catalog/collection model fix
*   Rounding fix related to taxes and 3 digits after decimal points. ref. https://forum.abantecart.com/index.php?topic=9072.new;topicseen#new
*   add the label id and the additional hook (#1474)
*   add hook, change hook location and change private $error to public $error (#1469)
*   FastCheckout shipping method icon fix
*   add hooks to templates and admin product options page (#1467)
*   FastCheckout: added hook vars call into tpls

Extensions:

*   avatax improvement related to getting taxLines
*   FastCheckout stripe address line fix ACORN-318
*   Default Stripe minor fix ACORN-318
*   Avatax fix
*   authorizenet error in php v8 (#1479)
*   FastCheckout. changed default sort order (run order) from 1 to 10
*   FastCheckout installation improvement (adding layouts to custom templates)
*   Avatax fix

AbanteCart version 1.3.0

In this release, we bring a few new features

Core:

*   Wodrpress integration support
*   PHP v8.0 support
*   jQuery upgrade to v3.5.1
*   Resource Library images path improvement
*   New Get Embed code modal. Embed links code and copy
*   Added error reporting levels support based on settings
*   SSL detection improvement
*   Same site cookies fix
*   tinyMCE editor update
*   AMail class remove of final and change private to protected properties
*   Deprecated HTML Page cache
*   Overall cache fixes and improvement

Control Panel:

*   Dashboard new icons
*   Default extensions new icons
*   Category selector multi-store display
*   Product and categories grid new bulk action
*   Grid filters improvements
*   Email preview page
*   show map for order address. Google Maps API
*   order recalculation fix related to adding total in not default currency
*   сontroller/pages/extension. added hook call
*   model language fix related to mysql8
*   Crontab help with ready to run Linux command
*   Resource library drag-n-drop fix

Storefront:

*   Multilingual store logo support
*   Same domain multi-store support
*   Improved phone validation and Regex Pattern setting
*   Allow coupons to be assigned per category
*   Reformat of account/edit controller
*   Search in product descriptions now includes blurb field
*   Controller account subscriber fix related to hook calls
*   performance improvement of onlineNow model
*   responses/product/product added backward compatibility
*   Fast checkout is now default and standard checkout is deprecated (will be removed in 1.3.2).

Core Extensions:

*   Additional extension hooks for AOrder and ACartclases and improve extensions API
*   Allow extending of ADownload class
*   Cardknox new payment extension
*   PayPal standard store logo fixes
*   2Checkout sandbox deprecated
*   PayPal Express totals details
*   Local delivery Tax class selection
*   Update default local delivery to work with asterisk/wildcard
*   Fast Checkout summary tax fixes
*   Fast checkout downloads email fix
*   Fast checkout requires a phone number for registered customer
*   Fast checkout form validations improvements
*   cardconnect currency admin display fix
*   Neowise deprecated
*   Stripe account transactions list fix
*   Stripe Added Account ID
*   Stripe publishable key fix
*   shipping extensions grid fix

Additional improvements and bug fixes reported on the forum and GitHub.

AbanteCart version 1.3.0

In this release, we bring a few new features

Core:

*   Wodrpress integration support
*   PHP v8.0 support
*   jQuery upgrade to v3.5.1
*   Resource Library images path improvement
*   New Get Embed code modal. Embed links code and copy
*   Added error reporting levels support based on settings
*   SSL detection improvement
*   Same site cookies fix
*   tinyMCE editor update
*   AMail class remove of final and change private to protected properties
*   Deprecated HTML Page cache
*   Overall cache fixes and improvement

Control Panel:

*   Dashboard new icons
*   Default extensions new icons
*   Category selector multi-store display
*   Product and categories grid new bulk action
*   Grid filters improvements
*   Email preview page
*   show map for order address. Google Maps API
*   order recalculation fix related to adding total in not default currency
*   ontroller/pages/extension. added hook call
*   model language fix related to mysql8
*   Crontab help with ready to run Linux command
*   Resource library drag-n-drop fix

Storefront:

*   Multilingual store logo support
*   Same domain multi-store support
*   Improved phone validation and Regex Pattern setting
*   Allow coupons to be assigned per category
*   Reformat of account/edit controller
*   Search in product descriptions now includes blurb field
*   Controller account subscriber fix related to hook calls
*   performance improvement of onlineNow model
*   responses/product/product added backward compatibility

Core Extensions:

*   Aditional extension hooks for AOrder and ACartclases and improve extensions API
*   Allow extending of ADownload class
*   Cardknox new payment extension
*   PayPal standard store logo fixes
*   2Checkout sandbox deprecated
*   PayPal Express totals details
*   Local delivery Tax class selection
*   Update default local delivery to work with asterisk/wildcard
*   Fast Checkout summary tax fixes
*   Fast checkout downloads email fix
*   Fast checkout require a phone number for registered customer
*   Fast checkout form validations improvements
*   cardconnect currency admin display fix
*   Neowise deprecated
*   Stripe account transactions list fix
*   Stripe Added Account ID
*   Stripe publishable key fix
*   shipping extensions grid fix

Additional improvements and bug fixes reported on the forum and GitHub.

In this release, we bring a few new features, such as one-page fast checkout, product collections, email templates, local delivery, and others.  
AbanteCart v1.2.16 also includes a number of improvements and fixes based on customer feedback.

Core:

*   PHP v7.4 support
*   Webp image format support
*   Append php call stack into db-driver exception
*   HTML Cache deprecated
*   Improve tax class
*   Add Mustache library
*   Parameter tampering fix: Price manipulation of products
*   Enforce same-origin iframe use only

Control Panel:

*   Additional settings for local business into the store details page
*   Products/categories/brands collections
*   New product review settings and management
*   Stock auto-disable fix
*   Order edits, currency handling on different browsers
*   Bugfix with multi-currency order recalculation
*   Email templates and management
*   Product import bug fix
*   Listing grid icons and CSS updates
*   Set minimal search chars of 2 for ajax chosen
*   mce-editor JavaScript fix

Storefront:

*   Google Recaptcha V3 support
*   Fast one-page checkout
*   improvement validation of parameters for a few methods of catalog/product model.
*   A country without States issue fix
*   Google Tag Management

Core Extensions:

*   New Fast one page checkout
*   New Local Delivery shipment
*   default\_stripe added 3d-secure support. 3d-party library updated
*   default\_cod minor fixes
*   LiqPay upgrade
*   Realex upgrade
*   Cardconnect upgrade
*   Payza payment deprecated

Improvements and bug fixes reported on the forum and GitHub.

This is unplanned release to provide clarity and better interface for multi-location stock management.  
Release includes fixes to multi-location stock management as well

Core:

*   Stock multi-locations support improvement
*   Mysql strict mode improvement (#1236)
*   Added default value for invoice\_prefix
*   Add ability to import product option images
*   Added buffering into apdomysql driver
*   Tax order total's calculation order improvement
*   Package manager sql error handle
*   Added Manila zone to location data

Control Panel:

*   Added multi-locations support to order edit page
*   Menu and dashboard display now reflects user permissions
*   Return to stock order edit page corrections.
*   Balance order total now readonly

Storefront:

*   Shopping Cart page fix related to tax included in the price (#1269)
*   Correction to images display for product options in shopping cart and product details pages
*   Listings Out of Stock and Call to Order fixes
*   Availability fix in product details page

Extensions:

*   PayPal express minor fix (#1267)

Improvements and bug fixes reported on the forum and github.

This release comes with improvements, bug fixes and default extension updates.

Core:

*   Stock multi-locations support for products and options
*   Testing with PHP 7.3 and warnings resolution
*   Testing with MySQL 8.0 and warnings resolution
*   Error backtrace and handling improvement
*   Refactoring related to csrf-tokens and backward compatibility
*   Cache related bug fixes and improvements
*   Fix to get remote IP while server behind Cloudflare or proxy
*   MySQL driver improvement
*   Product sorting cross-site scripting vulnerability fix

Control Panel:

*   improvement of scheduled tasks running
*   Added column sku into order\_products and order\_options tables
*   Improve product tags filtering on product create and update
*   Improved UI for switch (on/off) buttons
*   Multi-store custom block content support
*   Product tags improvement
*   Multi-store blocks handling improvement
*   Form Manager fix for checkboxgroup/multiselectbox field type

Storefront:

*   Added product listing layout
*   Manufacturers listing block fix
*   Menu language related bug fix
*   added new data-sources for auto-listing block (manufacturers, featured, bestsellers,latest)
*   Show options specific image for product in the cart and after purchase
*   Set logo container to be fixed width/height
*   Embed mode JavaScript error bug fix.
*   Google Analytics ecommerce tracking fix

Extensions:

*   Deprecated Authorize.net AIM payment and replaced with new one
*   Stripe API and SDK update
*   Fix for partial payment issue with PayPal payment (in case of partial store credit)
*   Resolved issue with PayPal refund with non-default currency.

API:

*   Added subcategories handling to Storefront API

A list of improvements and bug fixes reported on the forum and github.

This release comes with improvements, bug fixes and default extension updates.

Core:

*   Testing with PHP 7.2 and warnings resolution
*   ARouter fix related to \\0 at the end of route and further improvement
*   cache file driver minor fix
*   sql fix in store\_description table
*   improved error handling in response controllers when not found
*   Fix for duplicating images on import
*   PHP files reformating to PSR

Control Panel:

*   TinyMCE updated to v4.7.10
*   improve SQL error handling in product creation
*   Added save to store ID in case of missing category
*   extension settings saving improvement
*   task modal js-fix related to attempts on fail requests

Storefront:

*   minor fix of product-controller related to "rating" html-field
*   Add activation link resend option
*   Add CSS class to BODY tag to identify pages.

Extensions:

*   PayPal Standard and Express Improvment
*   Avatax integration
*   Fixes in CardConnect
*   Stripe payment update
*   Twilio update
*   Neowize terms and conditions link update
*   Update for encryption extension

API:

*   Add SEO data returned to API
*   Fix for latest product API and currency conversion rounding (rare case)

Number of improvements and bug fixes reported on the forum and github.

This release comes with minor improvements and bug fixes.

Core:

*   jQuery update
*   AResponse fix related to compression and embed-js
*   cache file driver minor fix

Control Panel:

*   fixed quantity field in products grid. Now calculation based on option quantity
*   added registration date to customer profile
*   content pages SEO improve
*   coupon grid refine fix

Storefront:

*   localization/country model improvement
*   minor improvement of guest\_step\_1 page post-data values validation
*   product page tpl js-improvement
*   embed products special chars improve

Extensions:

*   banktransfer minor js-fix
*   worldpay fix contribution
*   paypal standard improvements
*   paypal express improvements
*   USPS domestic methods improvements

Other bug fixes and improvements

Core:

*   added new product option type "Label" for display only purpose
*   minor improvement of core/lib/config.php related to cli-mode
*   Added URL into error text when wrong key\_param-key\_value pair
*   ahtml class fix related to https as plain store url
*   added jpeg warning ignoring via ini\_set into AImage class
*   improved ExtensionsAPI class and extension settings page controller
*   added iso\_codes for weight and length classes
*   AResource class minor improvement
*   message-info controller minor fix related to hooks-call
*   image url fix related to api-controllers. Now all urls will be without protocol (with // at the begin)
*   Depricate Mcrypt and replace with OpenSSL
*   Added CLI interface to run tasks
*   minor fix of order class

Control Panel:

*   New import Wizard with automatic and manual data mapping
*   import/export improvements using tasks.
*   import/export added schedule task
*   import/export added logging for import with internal formatted file
*   model/catalog/product fix related to product deletion
*   default weights and length classes now predefined and cannot be deleted
*   ALayoutManager minor improvement
*   updater changes related to extension versions comparison
*   Empty result set fix for listing grids
*   report of purchased products improvement
*   Initial install wizard modal fix

Storefront:

*   Update to stock handling on products and options
*   Google analytics JavaScript improvement
*   New option type "Label" for display only purpose

Extensions:

*   CardConnect new PCI validated payment
*   Update Stripe for PCI validation
*   Banner manager JavaScript fix related to seo url upgrade
*   Fix for MarketPlace price display
*   Royal Mail missing definitions
*   Parcelforce notes update
*   Weight Based shipping text update
*   USPS add help notes
*   UPS and Fedex text corrections
*   Discontinue WorldPay support

CVE-2021-42051: Releases · abantecart/abantecart-src

glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.

That's true, but I'm not sure now much of a problem it is. If the malicious user uses a valid email address, the activation email will be sent to the real email account holder. If the submission queue is used, the email is sent upon approval. If the user submission is rejected, the record is deleted and available for re-registration. I suppose it wouldn't hurt to send an email to the new user even if queued, saying "your account is pending approval"

…

On Wed, Dec 8, 2021 at 10:18 PM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: \*\*There is a logical problem with the user registration page After clicking the register button, the user does not need to confirm the email. The system directly saves the submitted content in the database. This leads to a problem. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.\*\* \[image: firefox\_0LibhucPYT\] <https://user-images.githubusercontent.com/73220685/145344346-91dbbce9-01c4-4fad-8a78-b070c9959766.png\> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#485\>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLFOKDJWVDPQVG2YPTBB3UQBCZ5ANCNFSM5JVTDREQ\> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>.

CVE-2021-44937: glFusion CMS 1.7.9 Arbitrary user registration vulnerability · Issue #485 · glFusion/glfusion

Insufficient Input Validation in the search functionality of Wordpress plugin Use-Your-Drive prior to 1.18.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.

CVE-2021-42546: Documentation Use-your-Drive

Insufficient Input Validation in the search functionality of Wordpress plugin Out-of-the-Box prior to 1.20.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.

CVE-2021-42547: Documentation Out-of-the-Box

Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.

CVE-2021-42549: Documentation Lets-Box

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.

Tag

#google