Directory traversal vulnerability in Snow Monkey Forms versions v5.1.0 and earlier allows a remote unauthenticated attacker to delete arbitrary files on the server.

Published:2023/06/27  Last Updated:2023/06/27

**Overview**

WordPress Plugin "Snow Monkey Forms" provided by Monkey Wrench Inc. contains a directory traversal vulnerability.

**Products Affected**

*   Snow Monkey Forms versions v5.1.0 and earlier

**Description**

WordPress Plugin "Snow Monkey Forms" provided by Monkey Wrench Inc. contains a directory traversal vulnerability (CWE-22).

**Impact**

Arbitrary files on the server may be deleted by a remote attacker.

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Comment**

This analysis assumes that an attacker removes a file outside the web contents area.

**Credit**

Shinsaku Nomura of Bitforest Co.,Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-32623: WordPress Plugin "Snow Monkey Forms" vulnerable to directory traversal

The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.

1<?php2if ( ! function\_exists( 'add\_action' ) ) {3        exit();4}56global $current\_user;78$s2\_admin \= ! empty( $\_POST\['s2\_admin'\] ) ? sanitize\_key( $\_POST\['s2\_admin'\] ) : '';910// was anything POSTed?11if ( 'mail' \=== $s2\_admin ) {12        if ( ! current\_user\_can( 'manage\_options' ) ) {13                die( '<p>' . esc\_html\_\_( 'Security error! You are not able to send email.', 'subscribe2' ) . '</p>' );14        }1516        if ( ! isset( $\_REQUEST\['\_wpnonce'\] ) || ! wp\_verify\_nonce( sanitize\_key( $\_REQUEST\['\_wpnonce'\] ), 'subscribe2-write\_subscribers' . S2VERSION ) ) {17                die( '<p>' . esc\_html\_\_( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '</p>' );18        }1920        $subject \= html\_entity\_decode( stripslashes( wp\_kses( $this\->substitute( $\_POST\['subject'\] ), '' ) ), ENT\_QUOTES );21        $body    \= wpautop( $this\->substitute( stripslashes( $\_POST\['content'\] ) ), true );22        if ( '' !== $current\_user\->display\_name || '' !== $current\_user\->user\_email ) {23                $this\->myname  \= html\_entity\_decode( $current\_user\->display\_name, ENT\_QUOTES );24                $this\->myemail \= $current\_user\->user\_email;25        }26        if ( isset( $\_POST\['send'\] ) ) {27                if ( 'confirmed' \=== $\_POST\['what'\] ) {28                        $recipients \= $this\->get\_public();29                } elseif ( 'unconfirmed' \=== $\_POST\['what'\] ) {30                        $recipients \= $this\->get\_public( 0 );31                } elseif ( 'public' \=== $\_POST\['what'\] ) {32                        $confirmed   \= $this\->get\_public();33                        $unconfirmed \= $this\->get\_public( 0 );34                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed );35                } elseif ( is\_numeric( $\_POST\['what'\] ) ) {36                        $category   \= intval( $\_POST\['what'\] );37                        $recipients \= $this\->get\_registered( "cats=$category" );38                } elseif ( 'all\_users' \=== $\_POST\['what'\] ) {39                        $recipients \= $this\->get\_all\_registered();40                } elseif ( 'all' \=== $\_POST\['what'\] ) {41                        $confirmed   \= $this\->get\_public();42                        $unconfirmed \= $this\->get\_public( 0 );43                        $registered  \= $this\->get\_all\_registered();44                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed, (array) $registered );45                } else {46                        $recipients \= $this\->get\_registered();47                }48        } elseif ( isset( $\_POST\['preview'\] ) ) {49                global $user\_email;50                $recipients\[\] \= $user\_email;51        }5253        $uploads \= array();54        if ( ! empty( $\_FILES ) ) {55                foreach ( $\_FILES\['file'\]\['name'\] as $key \=> $value ) {56                        if ( 0 \=== $\_FILES\['file'\]\['error'\]\[ $key \] ) {57                                $file \= array(58                                        'name'     \=> $\_FILES\['file'\]\['name'\]\[ $key \],59                                        'type'     \=> $\_FILES\['file'\]\['type'\]\[ $key \],60                                        'tmp\_name' \=> $\_FILES\['file'\]\['tmp\_name'\]\[ $key \],61                                        'error'    \=> $\_FILES\['file'\]\['error'\]\[ $key \],62                                        'size'     \=> $\_FILES\['file'\]\['size'\]\[ $key \],63                                );6465                                $uploads\[\] \= wp\_handle\_upload(66                                        $file,67                                        array(68                                                'test\_form' \=> false,69                                        )70                                );71                        }72                }73        }74        $attachments \= array();75        if ( ! empty( $uploads ) ) {76                foreach ( $uploads as $upload ) {77                        if ( ! isset( $upload\['error'\] ) ) {78                                $attachments\[\] \= $upload\['file'\];79                        } else {80                                $upload\_error \= $upload\['error'\];81                        }82                }83        }8485        if ( empty( $body ) ) {86                $error\_message \= \_\_( 'Your email was empty', 'subscribe2' );87                $success       \= false;88        } elseif ( isset( $upload\_error ) ) {89                $error\_message \= $upload\_error;90                $success       \= false;91        } else {92                $success       \= $this\->mail( $recipients, $subject, $body, 'html', $attachments );93                $error\_message \= \_\_( 'Check your settings and check with your hosting provider', 'subscribe2' );94        }9596        if ( $success ) {97                if ( isset( $\_POST\['preview'\] ) ) {98                        $message \= '<p class="s2\_message">' . \_\_( 'Preview message sent!', 'subscribe2' ) . '</p>';99                } elseif ( isset( $\_POST\['send'\] ) ) {100                        $message \= '<p class="s2\_message">' . \_\_( 'Message sent!', 'subscribe2' ) . '</p>';101                }102        } else {103                global $phpmailer;104105                $mailer\_error \= ! empty( $phpmailer\->ErrorInfo ) ? $phpmailer\->ErrorInfo : '';106                $message      \= '<p class="s2\_error">' . \_\_( 'Message failed!', 'subscribe2' ) . '</p>' . $error\_message . $mailer\_error;107        }108109        echo '<div id="message" class="' . ( $success ? 'updated' : 'error' ) . '"><strong><p>' . wp\_kses\_post( $message ) . '</p></strong></div>' . "\\r\\n";110}111112// show our form113echo '<div class="wrap">';114echo '<h1>' . esc\_html\_\_( 'Send an email to subscribers', 'subscribe2' ) . '</h1>' . "\\r\\n";115echo '<form method="post" enctype="multipart/form-data">' . "\\r\\n";116117wp\_nonce\_field( 'subscribe2-write\_subscribers' . S2VERSION );118119$body \= ! empty( $\_POST\['content'\] ) ? esc\_textarea( $\_POST\['content'\] ) : '';120if ( isset( $\_POST\['subject'\] ) ) {121        $subject \= stripslashes( esc\_html( $\_POST\['subject'\] ) );122} else {123        $subject \= \_\_( 'A message from', 'subscribe2' ) . ' ' . html\_entity\_decode( get\_option( 'blogname' ), ENT\_QUOTES );124}125126echo '<p>' . esc\_html\_\_( 'Subject', 'subscribe2' ) . ': <input type="text" size="69" name="subject" value="' . esc\_attr( $subject ) . '" /> <br><br>';127echo '<textarea rows="12" cols="75" name="content">' . $body . '</textarea>';128echo "<br><div id=\\"upload\_files\\"\><input type=\\"file\\" name=\\"file\[\]\\" onChange=\\"remove\_selected\_image()\\"\></div>\\r\\n";129echo '<input type="button" class="button-secondary" name="addmore" value="' . esc\_attr( \_\_( 'Add More Files', 'subscribe2' ) ) . "\\" onClick=\\"add\_file\_upload();\\" />\\r\\n";130echo "<br><br>\\r\\n";131echo esc\_html\_\_( 'Recipients:', 'subscribe2' ) . ' ';132$this\->display\_subscriber\_dropdown( apply\_filters( 's2\_subscriber\_dropdown\_default', 'registered' ), false );133echo '<input type="hidden" name="s2\_admin" value="mail" />';134echo '<p class="submit"><input type="submit" class="button-secondary" name="preview" value="' . esc\_attr( \_\_( 'Preview', 'subscribe2' ) ) . '" />&nbsp;<input type="submit" class="button-primary" name="send" value="' . esc\_attr( \_\_( 'Send', 'subscribe2' ) ) . '" /></p>';135echo '</form></div>' . "\\r\\n";136echo '<div style="clear: both;"><p>&nbsp;</p></div>';137?>138<script type="text/javascript">139    //<!\[CDATA\[140    function add\_file\_upload() {141        const fileUploadContainer = document.getElementById('upload\_files'),142            fileNode = document.createElement('input'),143            spanNode = document.createElement('span'),144            lineBreak = document.createElement('br');145146        // Insert multiple file.147        if (!Boolean(fileNode.value)) {148            fileNode.type = 'file';149            fileNode.name = 'file\[\]';150            spanNode.classList.add('dashicons', 'dashicons-no-alt');151            spanNode.style.marginTop = '4px';152153            fileUploadContainer.appendChild(lineBreak);154            fileUploadContainer.appendChild(fileNode);155            fileUploadContainer.appendChild(spanNode);156        }157158        // Remove uploaded image if selected otherwise remove field.159        spanNode.addEventListener('click', function () {160            if (Boolean(fileNode.value)) {161                fileNode.value = '';162                return;163            }164165            fileNode.remove();166            spanNode.remove();167            lineBreak.remove();168        });169    }170171    // Handle first selected image.172    function remove\_selected\_image() {173        const fileUploadContainer = document.getElementById('upload\_files'),174            firstFile = fileUploadContainer.getElementsByTagName('input')\[0\],175            spanNode = document.createElement('span');176177        if (!Boolean(firstFile.nextSibling)) {178            spanNode.style.marginTop = '4px';179            spanNode.classList.add('dashicons', 'dashicons-no-alt');180            firstFile.after(spanNode);181        }182183        spanNode.addEventListener('click', function () {184            firstFile.value = '';185            this.remove();186        });187    }188    //\]\]>189</script>190<?php191require ABSPATH . 'wp-admin/admin-footer.php';192// just to be sure193die;

CVE-2023-1844: send-email.php in subscribe2/trunk/admin – WordPress Plugin Repository

The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'save_customer' function. This makes it possible for unauthenticated attackers to change the admin role to customer or change the user meta to arbitrary values via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

06/27/2023 11:32:24 AM (15 hours ago)

wordpresschef

Message:

Update trunk - version 8.4.8  

Location:

salon-booking-system/trunk

Files:

  

*   readme.txt (2 diffs)
*   salon.php (2 diffs)
*   src/SLN/Admin/Customers.php (1 diff)
*   views/admin/\_customer.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **salon-booking-system/trunk/readme.txt**
    
    r2931279
    
    r2931406
    
     
    
    5
    
    5
    
    Tested up to: 6.1
    
    6
    
    6
    
    Requires PHP: 7.4.8
    
    7
    
     
    
    Stable tag: 8.4.7
    
     
    
    7
    
    Stable tag: 8.4.8
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    344
    
    344
    
    \== Changelog ==
    
    345
    
    345
    
     
    
    346
    
    27.06.2023
    
     
    
    347
    
     
    
    348
    
    \* Fix vulnerability issue
    
     
    
    349
    
    346
    
    350
    
    23.06.2023
    
    347
    
    351
    
*   **salon-booking-system/trunk/salon.php**
    
    r2931279
    
    r2931406
    
     
    
    4
    
    4
    
    Plugin Name: Salon Booking Wordpress Plugin - Free Version
    
    5
    
    5
    
    Description: Let your customers book you services through your website. Perfect for hairdressing salons, barber shops and beauty centers.
    
    6
    
     
    
    Version: 8.4.7
    
     
    
    6
    
    Version: 8.4.8
    
    7
    
    7
    
    Plugin URI: http://salonbookingsystem.com/
    
    8
    
    8
    
    Author: Salon Booking System
    
    …
    
    …
    
     
    
    42
    
    42
    
    define('SLN\_PLUGIN\_DIR', untrailingslashit(dirname(\_\_FILE\_\_)));
    
    43
    
    43
    
    define('SLN\_PLUGIN\_URL', untrailingslashit(plugins\_url('', \_\_FILE\_\_)));
    
    44
    
     
    
    define('SLN\_VERSION', '8.4.6');
    
     
    
    44
    
    define('SLN\_VERSION', '8.4.8');
    
    45
    
    45
    
    define('SLN\_STORE\_URL', 'https://salonbookingsystem.com');
    
    46
    
    46
    
    define('SLN\_AUTHOR', 'Salon Booking');
    
*   **salon-booking-system/trunk/src/SLN/Admin/Customers.php**
    
    r2779160
    
    r2931406
    
     
    
    67
    
    67
    
    68
    
    68
    
        private function save\_customer($user\_id) {
    
     
    
    69
    
            check\_admin\_referer('sln\_update\_user\_'.$user\_id);
    
    69
    
    70
    
            $customer = \[\];
    
    70
    
    71
    
            $email = isset($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ? sanitize\_email( wp\_unslash($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ) : false;
    
*   **salon-booking-system/trunk/views/admin/\_customer.php**
    
    r2920616
    
    r2931406
    
     
    
    28
    
    28
    
    29
    
    29
    
            <input type="hidden" name="id" id="id" value="<?php echo $customer->getId(); ?>">
    
     
    
    30
    
            <?php wp\_nonce\_field('sln\_update\_user\_'. ($customer->isEmpty() ? 0 : $customer->getId())); ?>
    
    30
    
    31
    
                <div class="sln-box sln-box--main">
    
    31
    
    32
    
                    <div class="row">
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-3427: Changeset 2931406 for salon-booking-system – WordPress Plugin Repository

The free tool aims to help organizations meet the requirements of the new version of the payment standard, which takes effect next March.

Jscrambler has released a free tool to help companies check the JavaScript code running on their e-commerce sites and bring them into compliance with the latest PCI DSS (Payment Card Industry Data Security Standards) version 4.0.

PCI Security Standards Council released PCI DSS v4.0 in March 2022 and began a two-year phaseout of the previous versions before beginning enforcement. By March 31, 2025, all retailers and e-commerce sites – anyone who handles payment cards online, really – will need to be in compliance with these requirements. Jscrambler's PCI DSS JavaScript Compliance Tool helps organizations assess whether the JavaScript on their e-commerce sites meet to two v4.0 requirements: protection against (6.4.3) and detection (11.6.1) of skimming attacks on all scripts from a merchant or its third- and fourth-party contractors.

Section 6.4.3 requires that companies confirm that each script is authorized, ensure the integrity of the scripts, and maintain a complete inventory that explains why each script is necessary. Section 11.6.1 applies to merchants that include a third party's iframe payment form on their websites; it compels an evaluation of the HTTP header and payment page periodically (usually every seven days) that looks for and notifies the merchant about any changes to the page.

The anti-skimming requirements are necessary because attackers are launching Web skimming campaigns by injecting malicious code into Magento, WooCommerce, Shopify, and WordPress sites. Magecart skimmers have been found on 2 million websites, including those of Ticketmaster and British Airways.

The Jscrambler tool searches for and collates all scripts on a merchant's site, performing script verification and authorization, and then logging the results, including compliance status. It visualizes each script, highlighting actions that are considered suspicious, analyzes scripts for function and generates justifications for using each. Alerts are triggered if scripts are tampered with, the contents of the payment page are changed without authorization, and the HTTP header is altered. All of these functions reduce manual compliance efforts and assist in generating audit-ready reports, the company said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Jscrambler Launches JavaScript Scanner for PCI DSS 4.0 Compliance

WordPress LearnDash LMS version 4.6.0 suffers from an insecure direct object reference vulnerability.

    Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Affected Plugin: LearnDash LMSPlugin Slug: sfwd-lmsAffected Versions: <= 4.6.0CVE ID: CVE-2023-3105CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes Fully Patched Version: 4.6.0.1The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level, to change user passwords and potentially take over administrator accounts.Technical AnalysisThe LearnDash LMS plugin provides the shortcode ‘[ld_reset_password]‘ to embed a password reset form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key.Examining the code reveals that the plugin checks that the user activation key belongs to the given user with the learndash_reset_password_verification() function only when displaying the new password form, where the new password can be entered.[View this code snippet on the blog]  However, there is no user activation key check when processing this form. This makes it possible for any authenticated user who has accessed the password reset form via the link sent in the email to modify the password of another user by changing the value of the username hidden input field.[View this code snippet on the blog]  As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.Disclosure TimelineJune 5, 2023 – Discovery of the Arbitrary User Password Change vulnerability in LearnDash LMS.June 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.June 5, 2023 – The vendor confirms the inbox for handling the discussion.June 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.June 5, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.June 6, 2023 – A fully patched version of the plugin, 4.6.0.1, is released.July 5, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we have detailed an Arbitrary User Password Change vulnerability within the LearnDash LMS plugin affecting versions 4.6.0 and earlier. This vulnerability allows threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 4.6.0.1 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of LearnDash LMS.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress LearnDash LMS 4.6.0 Insecure Direct Object Reference

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator

CVE-2023-2624

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-2744

The wpbrutalai WordPress plugin before 2.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

CVE-2023-2601

The Custom 404 Pro WordPress plugin before 3.8.1 does not properly sanitize database inputs, leading to multiple SQL Injection vulnerabilities.

CVE-2023-2032

The Aajoda Testimonials WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Tag

#wordpress