Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Kiboko Labs Watu Quiz plugin <= 3.3.9.2 versions.

**Solution**

 Fixed

Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.9.3).

Skalucy discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Watu Quiz Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.3.9.3.

**Other vulnerabilities in this plugin**

 0 present

 6 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30483: WordPress Watu Quiz plugin <= 3.3.9.2 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Essitco AFFILIATE Solution plugin <= 1.0 versions.

 No fix

No patched version available.

Prasanna V Balaji discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress AFFILIATE Solution Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30477: WordPress AFFILIATE Solution plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Elliot Sowersby, RelyWP WooCommerce Affiliate Plugin – Coupon Affiliates plugin <= 5.4.5 versions.

**Solution**

 Fixed

Update the WordPress Coupon Affiliates plugin to the latest available version (at least 5.4.6).

Ivy (TOOR, LISA) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Coupon Affiliates Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.4.6.

**Other vulnerabilities in this plugin**

 0 present

 7 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30475: WordPress Coupon Affiliates plugin <= 5.4.5 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

The Premium Packages - Sell Digital Products Securely plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.7.4 due to insufficient restriction on the 'wpdmpp_update_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'profile[role]' parameter during a profile update.

CVE-2023-4293: wpdm-premium-packages.php in wpdm-premium-packages/tags/5.7.4 – WordPress Plugin Repository

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-3452: Canto <= 3.0.4 - Unauthenticated Remote File Inclusion — Wordfence Intelligence

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

There is a Cross Site Scripting (XSS) vulnerability in the "action" parameter of index.php in PHPJabbers Callback Widget v1.0.

Turn your website visitors into hot leads by enabling them to request a callback.

Version: 1.0

The Callback Widget is a simple PHP script that places a discreet callback button on your website. It allows your clients and website visitors to establish direct contact with your customer support or sales team and schedule a free callback at a convenient time. The callback form fields and color theme can be easily customized from the back-end Admin Panel. The callback button facilitates communication both within and outside business hours and is also an indispensable lead generation tool that will drive conversions.

**Callback Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a Callback Widget on your website and make it easier for your potential customers to get in touch with your customer support or sales team. The request callback widget can be integrated into any website, including WordPress and Joomla sites. The front end of the PHP script consists of a callback button and an editable callback form.

Editable Callback Form

Depending on the information you need to collect from your clients, you can customize the callback request form and enable or disable fields or add required fields.

Email & SMS Notifications

You can create autoresponder messages that are sent via email or SMS both to clients and admins upon a new callback request. To enable the SMS functionality, just contact us.

Different Callback Reasons

According to their type of business, script admins can predefine different reasons for callbacks that will appear in the request callback form. These can be edited and enabled or disabled at any time.

Mobile-Friendly & Modern Design

The Callback Widget's front end can be loaded across various devices and screen sizes. The callback form is available in 10 different color variations designed to best match your website branding.

Automatic Time Conversion

In order to prevent potential time difference mix-ups, the best time to call and the timezone specified by customers is automatically converted to the default time set in the back-end system.

Export Callback Requests

Generate CSV and XML files for the callback requests in any selected period. You can also import iCal to Google Calendar. Password-protect your data so only authorized people have access.

Multi-Language Support

Translate all titles and alerts in the front end and back end to any language you need. Search for specific text parts and use the unique text IDs to add the translations in a new language.

PHP Source Code Customization

Buy the Callback Widget with a Developer License and make your own modifications to the source code. We can also customize the callback form for you upon request. Compare licenses  

SPECIAL OFFER

**Callback Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Callback Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Callback Widget**

**Key Benefits**

Key Features

One admiN

Extended Licence

Installation Support

Payment Gateways

**Pricing**

You can buy the Callback Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our callback button and how the widget has improved their online business.

“

I am very impressed with the scripts you provide, and for non-highly technical users like me, your PHP scripts are so easy to use. Plus, you just saved me money and time for installing the scripts for me. Your customer service is unbeatable.

Jennifer Solis

“

You guys are great! Your PHP scripts helped me to upgrade my websites. Your after-sales help is the best I have ever had. I can't thank you enough. Anyone who doesn't give PHPJabbers a try will be missing out! Thanks again! I'll be back for more! And I mean it too!  
Grace and Peace

Eric Mapp

“

What a great service. I'm telling everyone about how good you guys are. I will always look to your site for scripts before anywhere else.

Cameron Forster

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Callback Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Ticket Support Script**

$19 / $29

**PHP Contact Form Generator**

$19 / $29

**Member Directory Script**

$39 / $79

**Appointment Scheduler**

$69 / $129

**Make An Offer Widget**

$19 / $29

**PHP Review Script**

$39 / $79

CVE-2023-36315: Callback Widget | Callback Button

There is a Cross Site Scripting (XSS) vulnerability in the value-enum-o_bf_include_timezone parameter of index.php in PHPJabbers Callback Widget v1.0.

Turn your website visitors into hot leads by enabling them to request a callback.

Version: 1.0

The Callback Widget is a simple PHP script that places a discreet callback button on your website. It allows your clients and website visitors to establish direct contact with your customer support or sales team and schedule a free callback at a convenient time. The callback form fields and color theme can be easily customized from the back-end Admin Panel. The callback button facilitates communication both within and outside business hours and is also an indispensable lead generation tool that will drive conversions.

**Callback Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a Callback Widget on your website and make it easier for your potential customers to get in touch with your customer support or sales team. The request callback widget can be integrated into any website, including WordPress and Joomla sites. The front end of the PHP script consists of a callback button and an editable callback form.

Editable Callback Form

Depending on the information you need to collect from your clients, you can customize the callback request form and enable or disable fields or add required fields.

Email & SMS Notifications

You can create autoresponder messages that are sent via email or SMS both to clients and admins upon a new callback request. To enable the SMS functionality, just contact us.

Different Callback Reasons

According to their type of business, script admins can predefine different reasons for callbacks that will appear in the request callback form. These can be edited and enabled or disabled at any time.

Mobile-Friendly & Modern Design

The Callback Widget's front end can be loaded across various devices and screen sizes. The callback form is available in 10 different color variations designed to best match your website branding.

Automatic Time Conversion

In order to prevent potential time difference mix-ups, the best time to call and the timezone specified by customers is automatically converted to the default time set in the back-end system.

Export Callback Requests

Generate CSV and XML files for the callback requests in any selected period. You can also import iCal to Google Calendar. Password-protect your data so only authorized people have access.

Multi-Language Support

Translate all titles and alerts in the front end and back end to any language you need. Search for specific text parts and use the unique text IDs to add the translations in a new language.

PHP Source Code Customization

Buy the Callback Widget with a Developer License and make your own modifications to the source code. We can also customize the callback form for you upon request. Compare licenses  

SPECIAL OFFER

**Callback Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Callback Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Callback Widget**

**Key Benefits**

Extended Licence

High Performance

Remote Hosting

Customizations

Key Features

**Pricing**

You can buy the Callback Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our callback button and how the widget has improved their online business.

“

I am very impressed with the scripts you provide, and for non-highly technical users like me, your PHP scripts are so easy to use. Plus, you just saved me money and time for installing the scripts for me. Your customer service is unbeatable.

Jennifer Solis

“

You guys are great! Your PHP scripts helped me to upgrade my websites. Your after-sales help is the best I have ever had. I can't thank you enough. Anyone who doesn't give PHPJabbers a try will be missing out! Thanks again! I'll be back for more! And I mean it too!  
Grace and Peace

Eric Mapp

“

What a great service. I'm telling everyone about how good you guys are. I will always look to your site for scripts before anywhere else.

Cameron Forster

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Callback Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Ticket Support Script**

$19 / $29

**PHP Contact Form Generator**

$19 / $29

**Member Directory Script**

$39 / $79

**Appointment Scheduler**

$69 / $129

**Make An Offer Widget**

$19 / $29

**PHP Review Script**

$39 / $79

CVE-2023-36312: Callback Widget | Callback Button

WordPress WP Project Manager plugin versions 2.6.4 and below suffer from a privilege escalation vulnerability.

    Description: WP Project Manager <= 2.6.4 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation Affected Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt chartsPlugin Slug: wedevs-project-managerAffected Versions: <= 2.6.4CVE ID: CVE-2023-3636CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes and Chloe Chamberland Fully Patched Version: 2.6.5The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the ‘save_users_map_name’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘usernames’ parameter.Technical AnalysisWP Project Manager plugin is a task, project, and team management tool for WordPress. Upon closer examination of the code, we see that there is an API endpoint, the ‘save_users_map_name’ function, which updates a user’s github and bitbucket username.[View this code snippet on the blog.]  The most significant problem and vulnerability is caused by the way the explode() and in_array() functions are used to ensure that only the ‘github’ and ‘bitbucket’ meta values can be updated. Unfortunately, these functions are not sufficient to prevent exploitation, because they can be bypassed with a special character, known as a homoglyph, that acts like an underscore, however, won’t be properly “exploded” but will be saved in the database as a proper underscore.This made it possible for authenticated users, such as subscribers, to supply the ‘wp_capabilities’ array parameter with any desired role, such as administrator, when updating what should be username metadata, which would grant the user access to capabilities based on that role.As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.Disclosure TimelineJuly 9, 2023 – Discovery of the Privilege Escalation vulnerability in WP Project Manager.July 11, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.July 13, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.July 16, 2023 – The vendor confirms the inbox for handling the discussion.July 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.July 24, 2023 – A fully patched version of the plugin, 2.6.5, is released.August 12, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we detailed a Privilege Escalation vulnerability within the WP Project Manager plugin affecting versions 2.6.4 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 2.6.5 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Project Manager.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 13, 2023. Sites still using the free version of Wordfence will receive the same protection on August 12, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress WP Project Manager 2.6.4 Privilege Escalation

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sudipto Pratap Mahato Simple Light Weight Social Share plugin <= 2.0 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Yuki Haruma for reporting this vulnerability. Buy a coffee ☕

Yuki Haruma discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37388: WordPress Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Tag

#wordpress