The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete post meta information and reset network access tokens.

Timestamp:

01/05/2023 01:44:34 PM (2 weeks ago)

WarfarePlugins

Message:

Added user role checks for admin ajax calls. Removed PHP short tags. Sanitized inputs.  

Location:

social-warfare

Files:

  

*   tags/4.3.0/lib/options/SWP\_Options\_Page.php (1 diff)
*   tags/4.3.0/lib/utilities/SWP\_Utility.php (1 diff)
*   trunk/lib/options/SWP\_Options\_Page.php (1 diff)
*   trunk/lib/utilities/SWP\_Utility.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **social-warfare/tags/4.3.0/lib/options/SWP\_Options\_Page.php**
    
    r2844082
    
    r2844092
    
     
    
    922
    
    922
    
         \*/
    
    923
    
    923
    
        public function delete\_network\_tokens() {
    
    924
    
     
    
            $network = $\_POST\['network'\];
    
     
    
    924
    
     
    
    925
    
            // Bail out if the user is not allowed to manage options.
    
     
    
    926
    
            if(false === current\_user\_can('manage\_options') ) {
    
     
    
    927
    
                return;
    
     
    
    928
    
            }
    
     
    
    929
    
     
    
    930
    
            $network = sanitize\_text\_field( $\_POST\['network'\] );
    
    925
    
    931
    
            $response = array('ok' => false);
    
    926
    
    932
    
            $response\['ok'\] = SWP\_Credential\_Helper::delete\_token($network);
    
*   **social-warfare/tags/4.3.0/lib/utilities/SWP\_Utility.php**
    
    r2844082
    
    r2844092
    
     
    
    474
    
    474
    
         \*/
    
    475
    
    475
    
        public static function reset\_post\_meta() {
    
    476
    
     
    
            $post\_id = $\_POST\['post\_id'\];
    
     
    
    476
    
     
    
    477
    
            // Bail out if the user is not allowed to manage options.
    
     
    
    478
    
            if(false === current\_user\_can('manage\_options') ) {
    
     
    
    479
    
                return;
    
     
    
    480
    
            }
    
     
    
    481
    
     
    
    482
    
            $post\_id = sanitize\_key( $\_POST\['post\_id'\] );
    
    477
    
    483
    
            if ( empty( $post\_id ) ) {
    
    478
    
    484
    
                wp\_die(0);
    
*   **social-warfare/trunk/lib/options/SWP\_Options\_Page.php**
    
    r2844082
    
    r2844092
    
     
    
    922
    
    922
    
         \*/
    
    923
    
    923
    
        public function delete\_network\_tokens() {
    
    924
    
     
    
            $network = $\_POST\['network'\];
    
     
    
    924
    
     
    
    925
    
            // Bail out if the user is not allowed to manage options.
    
     
    
    926
    
            if(false === current\_user\_can('manage\_options') ) {
    
     
    
    927
    
                return;
    
     
    
    928
    
            }
    
     
    
    929
    
     
    
    930
    
            $network = sanitize\_text\_field( $\_POST\['network'\] );
    
    925
    
    931
    
            $response = array('ok' => false);
    
    926
    
    932
    
            $response\['ok'\] = SWP\_Credential\_Helper::delete\_token($network);
    
*   **social-warfare/trunk/lib/utilities/SWP\_Utility.php**
    
    r2844082
    
    r2844092
    
     
    
    474
    
    474
    
         \*/
    
    475
    
    475
    
        public static function reset\_post\_meta() {
    
    476
    
     
    
            $post\_id = $\_POST\['post\_id'\];
    
     
    
    476
    
     
    
    477
    
            // Bail out if the user is not allowed to manage options.
    
     
    
    478
    
            if(false === current\_user\_can('manage\_options') ) {
    
     
    
    479
    
                return;
    
     
    
    480
    
            }
    
     
    
    481
    
     
    
    482
    
            $post\_id = sanitize\_key( $\_POST\['post\_id'\] );
    
    477
    
    483
    
            if ( empty( $post\_id ) ) {
    
    478
    
    484
    
                wp\_die(0);
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-0402: Changeset 2844092 for social-warfare – WordPress Plugin Repository

The Custom 404 Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.7.1. This is due to missing or incorrect nonce validation on the custom_404_pro_admin_init function. This makes it possible for unauthenticated attackers to delete logs, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

1<?php23class AdminClass {45    public function \_\_construct() {6        $this\->helpers \= Helpers::singleton();7    }89    public function create\_menu() {10        if(current\_user\_can('administrator')) {11            add\_menu\_page( 'Custom 404 Pro', 'Custom 404 Pro', 'manage\_options', 'c4p-main', array( $this, 'page\_logs' ), 'dashicons-chart-bar' );12            add\_submenu\_page( 'c4p-main', 'Logs', 'Logs', 'manage\_options', 'c4p-main', array( $this, 'page\_logs' ) );13            add\_submenu\_page( 'c4p-main', 'Settings', 'Settings', 'manage\_options', 'c4p-settings', array( $this, 'page\_settings' ) );14            add\_submenu\_page( 'c4p-main', 'About', 'About', 'manage\_options', 'c4p-about', array( $this, 'page\_about' ) );15        }16    }1718    public function page\_logs() {19        include 'views/logs.php';20    }2122    public function page\_settings() {23        include 'views/settings.php';24    }2526    public function page\_about() {27        include 'views/about.php';28    }2930    public function enqueue\_styles() {31        if(current\_user\_can('administrator')) {32            if ( array\_key\_exists( 'page', $\_REQUEST ) ) {33                $request \= sanitize\_text\_field($\_REQUEST\['page'\]);34                if ( $request \=== 'c4p-settings' || $request \=== 'c4p-main' || $request \=== 'c4p-about' ) {35                    wp\_enqueue\_style( 'custom-404-pro-admin-css', plugin\_dir\_url( \_\_FILE\_\_ ) . 'css/custom-404-pro-admin.css', array(), '3.2.0' );36                }37            }38        }39    }4041    public function enqueue\_scripts() {42        if(current\_user\_can('administrator')) {43            if ( array\_key\_exists( 'page', $\_REQUEST ) ) {44                $request \= sanitize\_text\_field($\_REQUEST\['page'\]);45                if ( $request \=== 'c4p-settings' || $request \=== 'c4p-main' ) {46                    wp\_enqueue\_script( 'custom-404-pro-admin-js', plugin\_dir\_url( \_\_FILE\_\_ ) . 'js/custom-404-pro-admin.js', array( 'jquery' ), '3.2.0', false );47                }48            }49        }50    }5152    public function custom\_404\_pro\_notices() {53        $message     \= '';54        $messageType \= 'success';55        $html        \= '';56        if(current\_user\_can('administrator')) {57            if ( array\_key\_exists( 'c4pmessage', $\_REQUEST ) ) {58                $message \= urldecode( sanitize\_text\_field($\_REQUEST\['c4pmessage'\]) );59                if ( array\_key\_exists( 'c4pmessageType', $\_REQUEST ) ) {60                    $messageType \= sanitize\_text\_field($\_REQUEST\['c4pmessageType'\]);61                }62                $html .= '<div class="notice notice-' . $messageType . ' is-dismissible">';63                $html .= '<p>' . $message . '</p>';64                $html .= '</div>';65                echo $html;66            }67        }68    }6970    public function form\_settings\_global\_redirect() {71        global $wpdb;72        if(wp\_verify\_nonce($\_POST\['form-settings-global-redirect'\], 'form-settings-global-redirect') && check\_admin\_referer("form-settings-global-redirect", "form-settings-global-redirect") && current\_user\_can('administrator')) {73            $mode \= sanitize\_text\_field($\_POST\['mode'\]);74            $page \= sanitize\_text\_field($\_POST\['mode\_page'\]);75            $url  \= sanitize\_text\_field($\_POST\['mode\_url'\]);76            self::update\_mode( $mode, $page, $url );77            $message \= urlencode( 'Saved!' );78            wp\_redirect( admin\_url( 'admin.php?page=c4p-settings&tab=global-redirect&c4pmessage=' . $message . '&c4pmessageType=success' ) );79        }80    }8182    public function form\_settings\_general() {83        global $wpdb;84        if(wp\_verify\_nonce($\_POST\['form-settings-general'\], 'form-settings-general') && check\_admin\_referer("form-settings-general", "form-settings-general") && current\_user\_can('administrator')) {85            $send\_email \= sanitize\_text\_field($\_POST\['send\_email'\]);86            $logging\_enabled \= sanitize\_text\_field($\_POST\['logging\_enabled'\]);87            $log\_ip \= sanitize\_text\_field($\_POST\['log\_ip'\]);88            $field\_redirect\_error\_code \= sanitize\_text\_field($\_POST\['redirect\_error\_code'\]);89            if ( isset( $send\_email ) && $send\_email \=== 'on' ) {90                $field\_send\_email \= true;91            } else {92                $field\_send\_email \= false;93            }94            if ( isset( $logging\_enabled ) && $logging\_enabled \=== 'enabled' ) {95                $field\_logging\_enabled \= true;96            } else {97                $field\_logging\_enabled \= false;98            }99            if ( isset( $log\_ip ) && $log\_ip \=== 'on' ) {100                $field\_log\_ip \= true;101            } else {102                $field\_log\_ip \= false;103            }104            $this\->helpers\->update\_option( 'send\_email', $field\_send\_email );105            $this\->helpers\->update\_option( 'logging\_enabled', $field\_logging\_enabled );106            $this\->helpers\->update\_option( 'redirect\_error\_code', $field\_redirect\_error\_code );107            // New options108            $this\->helpers\->upsert\_option( 'log\_ip', $field\_log\_ip );109            $message \= urlencode( 'Saved!' );110            wp\_redirect( admin\_url( 'admin.php?page=c4p-settings&tab=general&c4pmessage=' . $message . '&c4pmessageType=success' ) );111        }112    }113114    public function custom\_404\_pro\_admin\_init() {115        global $wpdb;116        if(current\_user\_can('administrator')) {117            if ( array\_key\_exists( 'action', $\_REQUEST ) ) {118                $action \= sanitize\_text\_field($\_REQUEST\['action'\]);119                if ( $action \=== 'c4p-logs--delete' ) {120                    if ( array\_key\_exists( 'path', $\_REQUEST ) ) {121                        $this\->helpers\->delete\_logs( sanitize\_url($\_REQUEST\['path'\]) );122                        $message \= urlencode( 'Log(s) successfully deleted!' );123                        wp\_redirect( admin\_url( 'admin.php?page=c4p-main&c4pmessage=' . $message . '&c4pmessageType=success' ) );124                    } else {125                        $message \= urlencode( 'Please select a few logs to delete and try again.' );126                        wp\_redirect( admin\_url( 'admin.php?page=c4p-main&c4pmessage=' . $message . '&c4pmessageType=warning' ) );127                    }128                } elseif ( $action \=== 'c4p-logs--delete-all' ) {129                    $this\->helpers\->delete\_logs( 'all' );130                    $message \= urlencode( 'All Logs successfully deleted!' );131                    wp\_redirect( admin\_url( 'admin.php?page=c4p-main&c4pmessage=' . $message . '&c4pmessageType=success' ) );132                } elseif ( $action \=== 'c4p-logs--export-csv' ) {133                    $this\->helpers\->export\_logs\_csv();134                }135            }136        }137    }138139    public function custom\_404\_pro\_redirect() {140        global $wpdb;141        if ( is\_404() ) {142            $sql                     \= 'SELECT \* FROM ' . $wpdb\->prefix . $this\->helpers\->table\_options;143            $sql\_result              \= $wpdb\->get\_results( $sql );144            $row\_mode                \= $sql\_result\[0\];145            $row\_mode\_page           \= $sql\_result\[1\];146            $row\_mode\_url            \= $sql\_result\[2\];147            $row\_send\_email          \= $sql\_result\[3\];148            $row\_logging\_enabled     \= $sql\_result\[4\];149            $row\_redirect\_error\_code \= $sql\_result\[5\];150            if ( $row\_logging\_enabled\->value ) {151                self::custom\_404\_pro\_log( $row\_send\_email\->value );152            }153            if ( $row\_mode\->value \=== 'page' ) {154                $page \= get\_post( $row\_mode\_page\->value );155                wp\_redirect( $page\->guid, $row\_redirect\_error\_code\->value );156            } elseif ( $row\_mode\->value \=== 'url' ) {157                wp\_redirect( $row\_mode\_url\->value, $row\_redirect\_error\_code\->value );158            }159        }160    }161162    private function custom\_404\_pro\_log( $is\_email ) {163        global $wpdb;164        if ( ! $this\->helpers\->is\_option( 'log\_ip' ) ) {165            $this\->helpers\->insert\_option( 'log\_ip', true );166        }167        if ( empty( $this\->helpers\->get\_option( 'log\_ip' ) ) ) {168            $ip \= 'N/A';169        } else {170            if ( ! empty( $\_SERVER\['HTTP\_CLIENT\_IP'\] ) ) {171                $ip \= $\_SERVER\['HTTP\_CLIENT\_IP'\];172            } elseif ( ! empty( $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\] ) ) {173                $ip \= $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\];174            } else {175                $ip \= $\_SERVER\['REMOTE\_ADDR'\];176            }177        }178        $path    \= $\_SERVER\['REQUEST\_URI'\];179        $referer \= '';180        if ( array\_key\_exists( 'HTTP\_REFERER', $\_SERVER ) ) {181            $referer \= $\_SERVER\['HTTP\_REFERER'\];182        }183        $user\_agent \= $\_SERVER\['HTTP\_USER\_AGENT'\];184        $sql\_save   \= 'INSERT INTO ' . $wpdb\->prefix . $this\->helpers\->table\_logs . " (ip, path, referer, user\_agent) VALUES ('$ip', '$path', '$referer', '$user\_agent')";185        $wpdb\->query( $sql\_save );186        if ( ! empty( $is\_email ) ) {187            self::custom\_404\_pro\_send\_mail( $ip, $path, $referer, $user\_agent );188        }189    }190191    private function custom\_404\_pro\_send\_mail( $ip, $path, $referer, $user\_agent ) {192        $admin\_email \= get\_option( 'admin\_email' );193        if ( is\_multisite() ) {194            global $blog\_id;195            $current\_blog\_details \= get\_blog\_details( array( 'blog\_id' \=> $blog\_id ) );196            $current\_site\_name    \= $current\_blog\_details\->blogname;197        } else {198            $current\_site\_name \= get\_bloginfo( 'name' );199        }200        $headers\[\] \= 'From: Site Admin <' . $admin\_email . '>' . "\\r\\n";201        $headers\[\] \= 'Content-Type: text/html; charset=UTF-8';202        $message   \= '<p>Here are the 404 Log Details:</p>';203        $message  .= '<table>';204        $message  .= '<tr>';205        $message  .= '<th>Site</th>';206        $message  .= '<td>' . $current\_site\_name . '</td>';207        $message  .= '</tr>';208        $message  .= '<tr>';209        $message  .= '<th>User IP</th>';210        $message  .= '<td>' . $ip . '</td>';211        $message  .= '</tr>';212        $message  .= '<tr>';213        $message  .= '<th>404 Path</th>';214        $message  .= '<td>' . $path . '</td>';215        $message  .= '</tr>';216        $message  .= '<tr>';217        $message  .= '<th>Referer</th>';218        $message  .= '<td>' . $referer . '</td>';219        $message  .= '</tr>';220        $message  .= '<tr>';221        $message  .= '<th>User Agent</th>';222        $message  .= '<td>' . $user\_agent . '</td>';223        $message  .= '</tr>';224        $message  .= '</table>';225        $is\_sent   \= wp\_mail(226            $admin\_email,227            '404 Error on Site',228            $message,229            $headers230        );231    }232233    private function update\_mode( $mode, $page, $url ) {234        global $wpdb;235        if(current\_user\_can('administrator')) {236            $mode\_val      \= '';237            $mode\_page\_val \= '';238            $mode\_url\_val  \= '';239            switch ( $mode ) {240                case 'page':241                    $mode\_val      \= 'page';242                    $mode\_page\_val \= $page;243                    $mode\_url\_val  \= '';244                    break;245                case 'url':246                    $mode\_val      \= 'url';247                    $mode\_page\_val \= '';248                    $mode\_url\_val  \= $url;249                    break;250                case '':251                    $mode\_val      \= '';252                    $mode\_page\_val \= '';253                    $mode\_url\_val  \= '';254                    break;255            }256            $this\->helpers\->update\_option( 'mode', $mode\_val );257            $this\->helpers\->update\_option( 'mode\_page', $mode\_page\_val );258            $this\->helpers\->update\_option( 'mode\_url', $mode\_url\_val );259        }260    }261262    // Not needed for now, commenting263    // public function custom\_404\_pro\_upgrader( $upgrader\_object, $options ) {264    //     global $wpdb;265    //     if(current\_user\_can('administrator')) {266    //         if ( $options\['action'\] === 'update' && $options\['type'\] === 'plugin' ) {267    //             if ( ! empty( get\_option( 'c4p\_mode' ) ) ) {268    //                 $mode = get\_option( 'c4p\_mode' );269    //                 $page = get\_option( 'c4p\_selected\_page' );270    //                 $url  = get\_option( 'c4p\_selected\_url' );271    //                 self::update\_mode( $mode, $page, $url );272    //                 delete\_option( 'c4p\_mode' );273    //                 delete\_option( 'c4p\_selected\_page' );274    //                 delete\_option( 'c4p\_selected\_url' );275    //             }276    //             // When new features are requested by customers, they usually get a new option.277    //             // This is where we add new option keys when customers upgrade the plugin.278    //             $this->helpers->upsert\_option( 'log\_ip', true );279    //         }280    //     }281    //     // TODO: Migrate old logs282    // }283}

CVE-2023-0385: AdminClass.php in custom-404-pro/tags/3.7.1/admin – WordPress Plugin Repository

Auth. SQL Injection (SQLi) vulnerability in Adeel Ahmed's IP Blacklist Cloud plugin <= 5.00 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Mika discovered and reported this SQL Injection vulnerability in WordPress IP Blacklist Cloud Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-43462: WordPress IP Blacklist Cloud plugin <= 5.00 - Auth. SQL Injection (SQLi) vulnerability - Patchstack

Auth. Stored Cross-Site Scripting (XSS) vulnerability in Adeel Ahmed's IP Blacklist Cloud plugin <= 5.00 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress IP Blacklist Cloud Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-42462: WordPress IP Blacklist Cloud plugin <= 5.00 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) in MiKa's OSM – OpenStreetMap plugin <= 6.0.1 versions.

**Solution**

No patched version is available. No reply from the vendor.

Rasi discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress OSM – OpenStreetMap Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-30544: WordPress OSM – OpenStreetMap plugin <= 6.0.1 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

The RSSImport WordPress plugin through 4.6.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE-2022-4658

The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.

CVE-2022-4655

The Greenshift WordPress plugin before 4.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE-2022-4653

The MashShare WordPress plugin before 3.8.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4544

The ConvertKit WordPress plugin before 2.0.5 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Tag

#wordpress