The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions.

CVE-2022-3632

A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals.
"These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin said in a report published last week, calling it a "clever black hat SEO trick."
The search engine poisoning technique

A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals.

"These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin said in a report published last week, calling it a "clever black hat SEO trick."

The search engine poisoning technique is designed to promote a "handful of fake low quality Q&A sites" that share similar website-building templates and are operated by the same threat actor.

A notable aspect of the campaign is the ability of the hackers to modify over 100 files on average per website, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection.

Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.

This extensive compromise allows the malware to execute the redirects to websites of the attacker's choice. It's worth pointing out that the redirects don't occur if the wordpress\_logged\_in cookie is present or if the current page is wp-login.php (i.e., the login page) so as to avoid raising suspicion.

The ultimate goal of the campaign is to "drive more traffic to their fake sites" and "boost the sites' authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic."

The injected code achieves this by initiating a redirect to a PNG image hosted on a domain named "ois\[.\]is" that, instead of loading an image, takes the website visitor to a Google search result URL of a spam Q&A domain.

It's not immediately clear how the WordPress sites are breached, and Sucuri said it did not notice any obvious plugin flaws being exploited to carry out the campaign.

That said, it's suspected to be a case of brute-forcing the WordPress administrator accounts, making it essential that users enable two-factor authentication and ensure that all software is up-to-date.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) in Traffic Manager plugin <= 1.4.5 on WordPress.

 Verified

 Not fixed

**6.5**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.4.5

PSID 

e058716fc77e

Classification 

Multiple Vulnerabilities

OWASP Top 10 

A5: Broken Access Control

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-10-24

**Details**

Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Lana Codes (Patchstack Alliance) in the WordPress Traffic Manager plugin (versions <= 1.4.5).

**Solution**

Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-42460: WordPress Traffic Manager plugin <= 1.4.5 - Broken Access Control vulnerability leading  to Stored Cross-Site Scripting (XSS) - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in James Lao's Simple Video Embedder plugin <= 2.2 on WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Software

Simple Video Embedder

Vulnerable versions

<= 2.2

PSID 

0ab080724815

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-11-09

**Details**

Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by thiennv (Patchstack Alliance) in WordPress Simple Video Embedder plugin (versions <= 2.2).

**Solution**

Deactivate and delete. This plugin has been closed as of November 8, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-44590: WordPress Simple Video Embedder plugin <= 2.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Websites are one of the most important sources of leads for your business. That means your CRM system should be well integrated with your website to contextually capture each and every visitor to turn them into a lead.

Introducing the Zoho CRM Lead Magnet plugin for WordPress. This lets you create webforms, embed them in your website, and automatically capture leads directly into your CRM with zero attenuation.

Not only is the integration easy to set-up but it’s also easy on your wallet.

**Overall usage flow**

1.  Install the Zoho CRM forms plugin from the WordPress plugin Marketplace.
2.  Create a form using Zoho CRM webforms or Contact form 7 plugin.
3.  Configure the settings for your form.
4.  Use the short code to embed the form.
5.  A prospect’s information is automatically captured upon entering your site. All that’s left is lead nurturing.

For businesses that want to maximize their websites, the Zoho CRM Lead Capture plugin for WordPress CMS is an ideal solution.

**Key features**

Two forms, one solution

This plugin works well with forms created using Zoho CRM and Contact 7 Form plugin.

Light on code

Creating a form is incredibly simple and the entire process of establishing an integration involves a few drag-drops and copy-pastes. Simply create, embed, and capture.

  Capture leads and more

Using this plugin not only lets you capture leads but also additional custom modules you create for unique business needs.

  Capture. nurture. win.

The Information entered in a website’s form is automatically pushed into Zoho CRM with zero attenuation. Now you never miss out on another lead. 

Light on your purse

The plugin is absolutely free of cost. No hidden fees, no additional costs. All you need is a website hosted with WordPress and a Zoho CRM account.

Special mail-tags support

1.  \[\_url\]
2.  \[\_site\_title\]
3.  \[\_site\_description\]
4.  \[\_site\_url\]

For examples  
\[hidden get-url default:\_url\]  
\[hidden site\_title default:\_site\_title\]  
\[hidden site-description default:\_site\_description\]  
\[hidden site-url default:\_site\_url\]

Please feel free to contact us for any further assistance: **support@zohoextensions.com**

1.  Install the WordPress plugin from WordPress Marketplace. Upload the plugin folder to the /wp-content/plugins/ directory or install via the Add New Plugin menu.
2.  Activate the plugin through the ‘Plugins’ menu in WordPress.
3.  Once you activate your Zoho CRM forms plugin, you’ll be asked to authenticate access from Zoho CRM. To do that, simply  enter the username and password of your CRM account.

The plugin installation is now complete and the integration between Zoho CRM forms and WordPress is established.

How to download the old versions of this plugin

I discourage anyone from using this plugin. When it works, it does what it should. When it breaks, don't rely on Zoho for support. During two years of using the plugin, I've repeatedly been told by Zoho that it is simply not a Zoho product. Of course, it is managed and produced by the Zoho extensions team. And of course, occasionally I find someone at the Zoho Extensions team with time to investigate issues with this plugin, obviating the false claim from Zoho support teams that this is not a Zoho product. Three years after launch the plugin only has 3000 documented installations, which falls well below the threshold for user interest that would encourage reliable developer support. Zoho CRM email parsers not quite as efficient to set up, but if they break, they do not break functionality of live Webforms. I'll probably work with Zoho to fix whatever is broken in this, but more likely I'll be moving all my forms to an email parser for CRM integration.

Hi. I have this issue in Wordpress after installing the plugin Zoho CRM Lead Magnet in WP I have entered the Domain zoho.in, my Client Id and Client secret and when I click Authenticate Zoho CRM button I’m redirected to Zoho Accounts where I enter username/password but after that I get this error message “invalid\_redirect\_uri”. Thank you!

select { height: auto !important; } Are you kidding me? You singlehandedly destroyed all the selects on my website. Couldn't you just wrap your elements in some id or class?

It works really well with Contact Form 7 and Elementor together.

Using the forms as provided by Zoho. Anytime I attempt to submit Zoho forms, I get the following message: "Sorry, there were some issues in submitting your data. Please try again later"

Read all 21 reviews

“Zoho CRM Lead Magnet” is open source software. The following people have contributed to this plugin.

Contributors

*    Zoho CRM

**1.2**

*   Added: Contact form relation issue fixed.  
    1.3.1
*   Responsive issue fixed  
    1.3.2  
    Added jquery ui css file  
    1.3.4
*   Contact form hidden field issue fixed  
    1.3.5
*   jquery ui css file missing issue fixed  
    1.3.6
*   Multiselectpicklist hidden field issue fixed  
    1.4  
    Added functionality for EU Account  
    1.4.1  
    Css loading issue fixed  
    1.4.2  
    Checkbox mapping issue fixed  
    1.4.3  
    Registeration magic intergration merge issue fixed  
    1.4.4  
    We have added authorization url (https://extensions.zoho.com/plugin/wordpress/callback) and 402,403 authorization issue fixed  
    1.4.5  
    We have added authorization url (https://extensions.zoho.eu/plugin/wordpress/callback) issue fixed  
    1.4.6  
    We have added authorization url (https://extensions.zoho.eu/plugin/wordpress/callback) issue fixed  
    1.4.7  
    Code optimaztion  
    1.4.8  
    Code optimaztion  
    1.5.0  
    Specific layout issue fixed  
    1.5.1  
    Code optimaztion  
    1.5.2  
    Code optimaztion  
    1.5.3  
    Code optimaztion  
    1.5.4  
    EU Setup Authentication issue fixed  
    1.5.5  
    Field migration issue fixed  
    1.5.7  
    Added Multipicklist  
    1.5.8  
    Code optimaztion  
    1.5.9  
    Php version issue fixed  
    1.6.0  
    Code optimaztion  
    1.6.1  
    Contact form 7 captcha v3 api issue fixed  
    1.6.2  
    Contact form 7 v3 api script issue fixed  
    (Latest Contact form7 version)  
    1.6.3  
    Php Notice issue fixed  
    1.6.3  
    Php Notice issue fixed  
    1.6.6  
    Added Form Submit Logs  
    1.6.7  
    Added Form Submit Logs

1.6.8  
Custom module related issue fixed  
1.6.9  
Hidden field related issue fixed  
1.6.9.1  
Security issue fixed check\_admin\_referer  
1.6.9.2  
performance issue fixed  
1.6.9.3  
performance issue fixed  
1.6.9.4  
performance issue fixed  
1.6.9.5  
performance issue fixed  
1.6.9.6  
redirection url issue fixed  
1.6.9.7  
rewrite an arbitrary option added  
1.7.0.1  
Hidden field issue fixed  
1.7.0.2  
checkbox field issue fixed  
1.7.0.3  
Added au domain centre  
1.7.0.5  
Lead Score mapping issue fixed  
1.7.0.6  
Added in domain centre and hidden field issue fixed  
1.7.0.8  
Security issue fixed  
1.7.1.0  
Security issue fixed  
1.7.1.1  
Security issue fixed  
1.7.1.2  
Security issue fixed and latest version updated  
1.7.1.3  
added option for international telephone option  
1.7.1.4  
Modules log added  
1.7.1.5  
Modules log added  
1.7.1.6  
Loading issue fixed  
1.7.1.7  
Added user lookup  
1.7.2.0  
performance issue fixed  
1.7.2.1  
performance issue fixed  
1.7.2.5  
Security issue fixed  
1.7.2.6  
Latest wordpress version updated and Security issue fixed  
1.7.2.7  
Security issue has been fixed  
1.7.2.8  
Security issue has been fixed  
1.7.2.9  
Security issue has been fixed  
1.7.3.0  
Security issue has been fixed  
1.7.3.1  
Get-url and site description field support added  
1.7.3.2  
Special mail-tags support  
1.7.3.3  
Added: GCLID field Support in Zoho CRM for Contact Form 7.  
1.7.3.4  
Added: A new tab added in the Zoho authentication.  
1.7.3.5  
Added: webform form save script error fixed.  
1.7.3.6  
Added: performance issue fixed.  
1.7.3.7  
Added: UI changes.  
1.7.3.9  
Added: Script issue has been fixed.  
1.7.4.0  
Added:Added Authentication check.  
1.7.4.1  
Added: SSL verified issue fixed

1.7.4.4  
Added: GCLID field api issue fixed

1.7.4.5  
Added: Japan data centre authentication option added  
1.7.4.6  
Added: Multiselect hidden field issue fixed  
1.7.4.7  
Added: Api data added to logs  
1.7.4.8  
Added: Api data added to logs  
1.7.4.9  
Added: removed empty space for email id

1.7.5.1  
zcga.js file 404 issue fixed

1.7.5.2  
Added : added fetch field option in the contact form  
1.7.5.3  
Added: In Japan dc added check for email encode

1.7.5.4  
Added: Unused css removed

1.7.5.5  
Added : Select2 component z-index issue has been fixed

1.7.5.6  
Added : Unwanted Caching file has been removed

CVE-2022-41978: Zoho CRM Lead Magnet

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 4.1.5

PSID 

13403873238a

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-30

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to Rule Type Migration discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Advanced Dynamic Pricing for WooCommerce plugin (versions <= 4.1.5).

**Solution**

Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.6).

**References**

CVE-2022-43488: WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

WordPress Blog2Social versions 6.9.11 and below suffer from a missing authorization vulnerability.

Description: Missing Authorization to Authenticated (Subscriber+) Settings Update

Affected Plugin: Blog2Social

Plugin Slug: blog2social

Affected Versions: <= 6.9.11

CVE ID: CVE-2022-3622

CVSS Score: 4.7 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s: Marco Wotschka

Fully Patched Version: 6.9.12

Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content-creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.

As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely making it possible for authenticated attackers to update these settings even without the authorization to do so.

More specifically, the plugin provides administrators with the ability to enable legacy mode, which is intended to reduce server load. In legacy mode, the plugin will load content one item at a time instead of loading all content in bulk in an attempt to reduce the likelihood of dashboard freeze-ups. In order to reduce the number of concurrent outgoing connections, legacy mode will also load connections to social media accounts in sequential order as opposed to doing so simultaneously. While functionality should not be significantly affected by this for most use cases, this legacy option setting is reserved for administrators only. Unfortunately, due to a lack of capability checking on the function and in the user interface, site subscribers had access to this setting via the dashboard:

/wp-admin/admin.php?page=blog2social-settings

Furthermore, the same URL offers access to a Social Meta Data tab, which contains forms that are disabled for non-administrative users. However, browsers offer inspector tools, which can be used to modify html on the fly in order to change properties of such forms and their elements. For instance, a save button with the following properties can be modified to become functional by removing the disabled attribute from the button:

<button class="btn btn-primary pull-right" disabled="disabled" type="submit">save</button> – as a result, such a form can be submitted by a subscriber. This indicates the developer used client-side validation, which can easily be bypassed by modifying the request sent to the server.

A request could be submitted using a third party tool similar to this one:

POST /wp-admin/admin-ajax.php HTTP/1.1

Host: 127.0.0.1

Cookie:

b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce>

This had consequences such as allowing subscribers to change social meta tags which could potentially be used to impact brand reputation.

A third issue that we discovered surrounded the plugin’s general authorization mechanism.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VWydX-1ZpVtDW5m3pbH5yxlc9W2C4PM94S6TLRN1sYgXV5mNXrV3Zsc37CgPpPW1_8BsQ650vs3W86NLQQ1Cb22gW8qlQJx717QmtN2Cx03MLNfRLW2-JNJb7nLtJDW6WM7R34PtmhMW1Q6y_X7lS_zWVjVDs36QWQxhVzcJwS8zW-6JW8R8sdQ5n8VyMW3xQZRx311bNnW52MK5T99M-WqN2bB3jwTbxZzW1VZPJL4W2QZ5W1sVXxZ2kr-JTTbvjx4xd9hxN1FlKQT1fwwDW7k9F6p6vRy5QVbh2jM4ll2JJW999K9x38XkPRW6ZTcyY2C85K-W5CC1TG1747mhW7gFskm1Y2Zy8W1f8khN7hdTbPVNS67c54W0xjW19nHJ55SGL4QW4BD90m6r6kRYW90HD6J3JT--YW9cg9wz21JSczW3tFWZp50-1qtW8wjp8m8gL9xyW7JNDB-5x1VB83f5z1 )

The first if-statement is intended to prevent unauthorized use of this function and similar functions using the same protection. The following parts need to evaluate to true in order for the if-statement to do the same:

- current_user_can('read') – This gives access to the administration screens and user profiles. This permission is generally available to all authenticated users such as subscribers.  
- isset($_POST['b2s_security_nonce']) – this nonce is set by the plugin and can be obtained by searching the code of /wp-admin/profile.php for the string ‘b2s_security_nonce’. This nonce is generated for subscribers and higher.  
- (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0 – this verifies the nonce after some sanitization.

As long as a userId is provided, we are able to lock B2S_LOCK_AUTO_POST_IMPORT_ for any user, resulting in that user being unable to automatically import posts. We found that many other functions lacked proper capability checks as well.

The Importance of Capability Checks

Capability checks are an important part of securing AJAX actions since those are available to any logged in users, including subscribers. The following is an example of an AJAX action from the Blog2Social plugin.

add_action('wp_ajax_b2s_lock_auto_post_import', array($this, 'lockAutoPostImport'));

While nonce checks ensure that the user initiating the request intended to do so, they don’t provide authorization. As mentioned above, the check current_user_can('read') does ensure that the user initiating the request has that specific capability, but it does not suffice to protect actions intended for administrators only. A proper way to secure such actions would be to utilize a check such as

current_user_can('manage_options').

The plugin does make use of B2S_PLUGIN_BLOG_USER_ID, which determines the current user’s ID in order to ensure that options saved are personalized thus preventing overwriting other users’ preferences:

define('B2S_PLUGIN_BLOG_USER_ID', get_current_user_id());

Timeline

October 1, 2022 – Initial outreach to the plugin developer.

October 5, 2022 – We disclosed details of the vulnerabilities with the developer.

October 6, 2022 – Version 6.9.11 is released which provides a patch for the legacy mode update vulnerability.

October 10, 2022 – The remaining authorization vulnerabilities are patched in version 6.9.12.

October 27, 2022 – Wordfence Premium, Care, and Response customers receive a firewall rule to provide additional protection.

November 26, 2022 – Wordfence Free users receive a firewall rule.

Conclusion

In today’s post, we covered several vulnerabilities in the Blog2Social: Social Media Auto Post & Scheduler plugin that could be used by subscribers to update plugin settings due to improper authorization checks. The vulnerabilities were patched by ensuring that capabilities were checked.

Wordfence Premium, Care, and Response users received a firewall rule on October 27th, 2022 for enhanced protection. Wordfence free users will receive this rule after 30 days on November 26th, 2022. We strongly recommend updating to version 6.9.12 or higher of Blog2Social: Social Media Auto Post & Scheduler to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care.  If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Blog2Social as soon as possible.

WordPress Blog2Social 6.9.11 Missing Authorization

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week.
Also separately

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.

12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week.

Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month.

"The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed," Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.

"Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched."

The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows -

*   **CVE-2022-41040** (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
*   **CVE-2022-41082** (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
*   **CVE-2022-41128** (CVSS score: 8.8) - Windows Scripting Languages Remote Code Execution Vulnerability
*   **CVE-2022-41125** (CVSS score: 7.8) - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
*   **CVE-2022-41073** (CVSS score: 7.8) - Windows Print Spooler Elevation of Privilege Vulnerability
*   **CVE-2022-41091** (CVSS score: 5.4) - Windows Mark of the Web Security Feature Bypass Vulnerability

Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.

CVE-2022-41091 is one of the two security bypass flaws in Windows Mark of the Web (MoTW) that came to light in recent months. It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.

"An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging," Microsoft said in an advisory.

The second MotW flaw to be resolved is CVE-2022-41049 (aka ZippyReads). Reported by Analygence security researcher Will Dormann, it relates to a failure to set the Mark of the Web flag to extracted archive files.

The two privilege escalation flaws in Print Spooler and the CNG Key Isolation Service are likely to be abused by threat actors as a follow-up to an initial compromise and gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.

"This higher level of access is required to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network," Breen added.

Four other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service flaw affecting Windows Hyper-V (CVE-2022-38015).

The list of fixes for Critical flaws is tailended by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1 (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044), and another impacting Windows scripting languages JScript9 and Chakra (CVE-2022-41118).

In addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a number of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.

**Software Patches from Other Vendors**

Microsoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   AMD
*   Android
*   Apple
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro
*   VMware, and
*   WordPress

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.



**Solution**

 Fixed

Update the WordPress Activity Log plugin to the latest available version (at least 2.8.4).

Universe discovered and reported this CSV Injection vulnerability in WordPress Activity Log Plugin. This could allow a malicious actor to craft malicious formulas to then exploit vulnerabilities in the spreadsheet software or to execute commands to gain access to the victim';s PC. This vulnerability has been fixed in version 2.8.4.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2022-27858: WordPress Activity Log plugin <= 2.8.3 - CSV Injection vulnerability - Patchstack

CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**A COMPLETE, EASY TO USE & WELL SUPPORTED WORDPRESS ACTIVITY LOG PLUGIN**

Want to monitor and track your WordPress website activity? Find out exactly who does what on your WordPress website. the Activity Log plugin is like an airplane’s black box that logs every activity in WordPress admin, and lets you see exactly what users are doing on your WordPress website.

*   Like, if someone is trying to hack your site.
*   Or, when a post was published, and who published it.
*   Or, if a plugin/theme was activated/deactivated.
*   Log suspicious admin activity.
*   Securing your site by tracking log of all user activity?

Useful, right? Trust us, you won’t understand how you managed your website without it. The plugin is also lightning fast and works behind the scenes, so it doesn’t affect site and admin performance. For optimal performance, we built the plugin so it runs on a separate table in the database.

If you have tens of users or more, you really can’t know who did what. This plugin tries to solve this issue by tracking what users do, and displaying it in an easy to use and easy to filter view on the dashboard of your WordPress site.

**Export to CSV** Export your Activity Log data records to CSV. Developers can easily add support for custom data formats with our new dedicated Export API.

**Data Privacy and GDPR Compliance** We provide the tools to help you be GDPR compliant, including Export/Erasure of data via the WordPress Privacy Tools.

**With the Activity Log you can record:**

*   **WordPress** – Core Updates
*   **Posts** – Created, Updated, Deleted
*   **Pages** – Created, Updated, Deleted
*   **Custom Post Type** – Created, Updated, Deleted
*   **Tags** – Created, Edited, Deleted
*   **Categories** – Created, Edited, Deleted
*   **Taxonomies** – Created, Edited, Deleted
*   **Comments** – Created, Approved, Unproved, Trashed, Untrashed, Spammed, Unspammed, Deleted
*   **Media** – Uploaded, Edited, Deleted
*   **Users** – Login, Logout, Login has failed, Update profile, Registered and Deleted
*   **Plugins** – Installed, Updated, Activated, Deactivated, Changed
*   **Themes** – Installed, Updated, Deleted, Activated, Changed (Editor and Customizer)
*   **Widgets** – Added to a sidebar / Deleted from a sidebar, Order widgets
*   **Menus** – A menu is being Created, Updated, Deleted
*   **Setting** – General, Writing, Reading, Discussion, Media, Permalinks
*   **Options** – Can be extend by east filter
*   **Export** – User download export file from the site
*   **WooCommerce** – Monitor all shop settings and options
*   **bbPress** – Forums, Topics, Replies, Taxonomies and other actions
*   There’s more, but you get the point…

**What people are saying**

*   _“Best 10 Free WordPress Plugins of the Month – July 2014: Keeping tabs on what your users do with their access to the Dashboard”_ – ManageWp.com
*   _“Thanks to this step, we’ve discovered that our site was undergoing a brute force attack”_ – artdriver.com
*   _“Optimized code – The plugin itself is blazing fast and leaves almost no footprint on the server.”_ – freshtechtips.com
*   _“The plugin successful for activity log for WordPress.”_ – wp-tricks.co.il
*   _“This is a pretty simple yet quite effective plugin for keeping track of what your admins and users do on your sites.”_ – shadowdragonunlimited.com
*   _“Activity Log lets you track a huge range of activities. Overall, very easy to use and setup.”_ – elegantthemes.com

**Translators:**

*   German (de\_DE) – Robert Harm
*   Dutch (nl\_NL) – Tom Aalbers
*   Serbo-Croatian (sr\_RS) – Borisa Djuraskovic
*   Danish (da\_DK) – Morten Dalgaard Johansen
*   Hebrew (he\_IL) + RTL Support – Pojo.me
*   Armenia (hy\_AM) – Hayk Jomardyan
*   Brazilian Portuguese (pt\_BR) – Criação de Sites
*   Turkish (tr\_TR) – Ahmet Kolcu
*   Persian (fa\_IR) – Promising
*   Russian (ru\_RU) – Oleg Reznikov
*   Polish (pl\_PL) – Maciej Gryniuk
*   Czech (cs\_CZ) – Martin Kokeš
*   Finnish (fi) – Nazq

The plugin does not require any kind of setup. It works out of the box (and that’s another reason people love it).

We’re planning to add a lot more features in the upcoming releases. If you think we’re missing something big time, please post your suggestions in the plugin’s forum.

**Contributions:**

Would you like to like to contribute to Activity Log? You are more than welcome to submit your pull requests on the GitHub repo. Also, if you have any notes about the code, please open a ticket on the issue tracker.

1.  Upload plugin files to your plugins folder, or install using WordPress’ built-in Add New Plugin installer
2.  Activate the plugin
3.  Go to the plugin page (under Dashboard > Activity Log)

**Requirements**

*   **Requires PHP5** for list management functionality.

**What is the plugin license?**

*   This plugin is released under a GPL license.

**Can I export logs?**

*   You can easily export logs with Activity Log. We also support exporting filtered results. Filter by the time the action took place, roles, users, options, action type, and more.

A really simple activity log, easy to use. The UI is intuitive and search feature is nice. There aren't a lot of options or feature but it does what I need it to, and it's free.

This is one of simple, easy to use plugin and, never broke or had any issue despite being free. This plugin really helps to find out the unauthorized and malicious activity with ease. I really appreciate the good work. Thank you so much.

Love it! Have it installed on about ~300 sites, no issues except one site that was getting slammed with spam login attempts and the log grew to big to quick but ultimately this plugin helped identify the need to restrict the login url.

An earlier review reported failure to activate and impossible to delete: I suspect that those issues were caused by an out-of-date WordPress and PHP installation. I upgraded and the plug-in does what it says it does.

It saved one of my client's project requests. Simple, intuitive and it even exports information as CSV! Thank you developers! 🙂

Very good plug-in never had any issue, I installed in 5 websites so far and no problem.

Read all 67 reviews

“Activity Log” is open source software. The following people have contributed to this plugin.

Contributors

**2.8.4 – 2022-09-04**

*   Tweak: Added Activity Log setting to records log
*   Tweak: Added encoded value in CSV file (#165)

**2.8.3 – 2022-03-09**

*   Tweak: Run Clear old items from DB once daily to avoid unexpected errors (#156)

**2.8.2 – 2022-01-25**

*   Fix: Auto-updates of core, plugins and themes are not registered to the log (#155, props @nicomollet)

**2.8.1 – 2021-12-01**

*   Fix: Activity log database table not being dropped after deleting the plugin in multisite installation

**2.8.0 – 2021-11-17**

*   New: Added Privacy Settings to records log
*   New: Added Site Language to records log
*   New: Added a filter link to Topic, IP, Date, User and Action in the log table screen
*   Tweak: Aligned Topics to be in plural instead of singular
*   Fix: Filter by users dropdown on activity page threw a timeout error in some cases (#141)
*   Fix: CSV Export issue with comma separated values (Topic)

**2.7.0 – 2021-05-06**

*   New: Added an option to skip or keep the failed login logs for better optimization (#125)
*   Tweak: Improved the activity log table with clear labels and re-order columns for better UX
*   Tweak: Changed the wrong\_password action to failed\_login in User topic
*   Tweak: Changed the added action to uploaded in Attachment topic
*   Tweak: Changed the created action to registered in User topic
*   Fix: Add input sanitization to avoid security issues

**2.6.1 – 2021-02-15**

*   Fix: Conflict with WooCommerce while you using new block editor

**2.6.0 – 2020-10-19**

*   Tweak: Added support for CloudFlare and CloudFlare Enterprise client IP header (#133)
*   Tweak: Added browser confirmation to Reset Database option
*   Tweak: Notification tab is now deprecated for new installations
*   Tweak: Added support for displaying custom role activity log (#78, #135, Topic, Topic)
*   Fix: Show user data on log-out action (#126, Topic)
*   Fix: Removed unused help context in admin to resolve deprecated WP error (Topic)
*   Fix: PHP Notices are thrown when Debug mode is active (Topic)
*   Fix: Resolve jQuery Deprecation Notice and compatibility with WordPress 5.6+ (Topic)

**2.5.2**

*   Fix: Conflict with Elementor and WordPress Widgets

**2.5.1**

*   Fix! – PHP < 5.4 compatibility (Topic)

**2.5.0**

*   New! Added log to Export Personal Data tool for better GDPR Compliance (Topic)

**2.4.1**

*   Fix! – Escape title before saving to database

**2.4.0**

*   New! Export your Activity Log data records to CSV (#70)

**2.3.6**

*   Fix! – Admin table filters

**2.3.5**

*   Fix! – Added comparability for WordPress 4.8.2 & 4.7.6

**2.3.4**

*   Tweak! – Change Guest user to “N/A”

**2.3.3**

*   Fixed! – Minor XSS vulnerability, credit to Han Sahin

**2.3.2**

*   Fixed! – Minor XSS vulnerability, credit to Han Sahin

**2.3.1**

*   Tweak! – Added seconds in time column
*   Tweak! – Rearrange filters in list table

**2.3.0**

*   Tweak! – All translates moved to GlotPress
*   Tweak! – Added restore status for Posts (#46)
*   Tweak! – A11y changes for WordPress 4.4 which requires h1 tags (#84)
*   Tweak! – Allow some ajax requests just for admin

**2.2.12**

*   Tested up to WordPress v4.5

**2.2.11**

*   Tweak! – Temporarily remove Freemius SDK from the plugin

**2.2.10**

*   Tweak! Update Freemius SDK
*   Tested up to WordPress v4.4.2

**2.2.9**

*   Tweak! Update Freemius SDK

**2.2.8**

*   Tweak! Update Freemius SDK

**2.2.7**

*   Added! – Freemius Insights platform to improve plugin UX
*   Tweak! Update translate: Russian (ru\_RU) – Thanks to Oleg Reznikov
*   Tested up to WordPress v4.4

**2.2.6**

*   Tweak! – Added sort by IP address (#77)
*   Tweak! – Added more actions/types in notification

**2.2.5**

*   New! – Added translate: Finnish (fi) – Thanks to Nazq (topic)
*   Tweak! – Better actions label in list table
*   Fixed! – Notice php warring in MU delete site
*   Tested up to WordPress v4.3

**2.2.4**

*   New! – Added translate: Czech (cs\_CZ) – Thanks to Martin Kokeš (#76)

**2.2.3**

*   Tweak! – Added more filters in table list columns

**2.2.2**

*   Fixed! some PHP strict standards (PHP v5.4+)

**2.2.1**

*   Fixes from prev release

**2.2.0**

*   New! – Adds search box, to allow users to search the description field.
*   New! – Allows users to now filter by action
*   New! – Added translate: Polish (pl\_PL) – Thanks to Maciej Gryniuk
*   Tweak! – SQL Optimizations for larger sites

**2.1.16**

*   New! Added translate: Russian (ru\_RU) – Thanks to Oleg Reznikov
*   Fixes Undefined property with some 3td party themes/plugins
*   Tested up to WordPress v4.2

**2.1.15**

*   Tested up to WordPress v4.1
*   Change plugin name to “Activity Log”

**2.1.14**

*   New! Added translate: Persian (fa\_IR) – Thanks to Promising

**2.1.13**

*   New! Added filter by User Roles (#67)

**2.1.12**

*   New! Added translate: Turkish (tr\_TR) – Thanks to Ahmet Kolcu

**2.1.11**

*   Fixed! Compatible for old WP version

**2.1.10**

*   New! Now tracking when menus created and deleted
*   New! Added translate: Portuguese (pt\_BR) – Thanks to Criação de Sites

**2.1.9**

*   New! Store all WooCommerce settings (#62)
*   Tested up to WordPress v4.0

**2.1.8**

*   New! Now tracking when plugins installed and updated (#59 and #43)

**2.1.7**

*   New! Now tracking when user download export file from the site (#58 and #63)

**2.1.6**

*   Tested up to WordPress v3.9.2

**2.1.5**

*   New! Now tracking when theme installed, updated, deleted (#44)

**2.1.4**

*   Fixed! Store real IP address in Proxy too (#53)

**2.1.3**

*   New! Added translate: Dutch (nl\_NL) – Thanks to Tom Aalbers (#55)

**2.1.2**

*   Tweak! Update translate: Hebrew (he\_IL)

**2.1.1**

*   New! Track about WordPress core update (manual or auto-updated) (#41)
*   New! Track post comments (created, approved, unproved, trashed, untrashed, spammed, unspammed, deleted) (#42)

**2.1.0**

*   New! Personally-tailored notifications that can be triggered by various types of events, users and action type (currently only email notifications are supported)
*   Bug fixes, stability improvements
*   Fixed an error that occurred on PHP 5.5

**2.0.7**

*   Tested up to WordPress v3.9.0

**2.0.6**

*   Fixed! Random fatal error (topic)

**2.0.5**

*   New! Register aal_init_caps filter.
*   Tweak! Change all methods to non-static.
*   Tweak! Some improved coding standards and PHPDoc.
*   Tweak! Split AAL_Hooks class to multiple classes.
*   New! Added translate: Armenia (hy\_AM) – Thanks to Hayk Jomardyan.

**2.0.4**

*   Tweak! Don’t allowed to access in direct files.
*   New! Added translate: Danish (da\_DK) – Thanks to Morten Dalgaard Johansen

**2.0.3**

*   New! Record when widgets change orders.

**2.0.2**

*   New! Save more Options:
*   General
*   Writing
*   Reading
*   Discussion
*   Media
*   Permalinks

**2.0.1**

*   New! filter for disable erase all the log
*   Bugs fixed

**2.0.0**

*   Added Screen Options
*   New! Ability to select a number of activity items per page
*   New! Columns are now sortable
*   Added filter by date – All Time, Today, Yesterday, Week, Month
*   Added Avatar to author
*   Added role for author
*   Added log for activeted theme
*   Re-order Culoumns
*   Compatible up to 3.8.1
*   Settings page is now accessible directly from Activity Log’s menu
*   Keep your log for any time your wants
*   Delete Log Activities from Database.
*   Bugs fixed

**1.0.8**

*   Added translate: Serbo-Croatian (sr\_RS) – Thanks to Borisa Djuraskovic.

**1.0.7**

*   Added ‘view\_all\_aryo\_activity\_log’ user capability (topic).

**1.0.6**

*   Added WooCommerce integration (very basic).
*   Added Settings link in plugins page.

**1.0.5**

*   Fix – Make sure no save double lines (menu taxonomy / post).

**1.0.4**

*   Added Taxonomy type (created, updated, deleted).

**1.0.3**

*   Added Multisite compatibility.
*   Added Options hooks (limit list, you can extend by simple filter).
*   Added Menu hooks.
*   Tweak – Ensure no duplicate logs..

**1.0.2**

*   Forget remove old .pot file

**1.0.1**

*   Added translate: German (de\_DE) – Thanks to Robert Harm
*   Added translate: Hebrew (he\_IL)
*   Plugin name instead of file name on activation/deactivation
*   **New Hooks:**
*   A widget is being deleted from a sidebar
*   A plugin is being changed
*   Theme Customizer (Thanks to Ohad Raz)

**1.0**

*   Blastoff!

Tag

#wordpress