Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.

CVE-2022-38073: Awesome Support – WordPress HelpDesk & Support Plugin

Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.

 Verified

 Fixed

**4.1**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

aee14c950d8b

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-08-25

**Details**

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Vlad Vector (Patchstack) in WordPress Event Calendar – Calendar plugin (versions <= 1.4.6).

**Solution**

Update the WordPress Event Calendar – Calendar plugin to the latest available version (at least 1.4.7).

**References**

CVE-2022-36390: WordPress Event Calendar – Calendar plugin <= 1.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.

CVE-2022-36386: Import any XML or CSV File to WordPress

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Word Search Puzzles game plugin <= 2.0.1 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Word Search Puzzles game

Vulnerable versions

<= 2.0.1

PSID 

b189ec77df94

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-09-01

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress Word Search Puzzles game plugin (versions <= 2.0.1).

**Solution**

Deactivate and delete. No reply from the vendor.

**References**

CVE-2022-36383: WordPress Word Search Puzzles game plugin <= 2.0.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Crossword plugin <= 1.1.10 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 1.1.10

PSID 

c155cfbae813

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-09-01

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress WHA Crossword plugin (versions <= 1.1.10).

**Solution**

Deactivate and delete. No reply from the vendor.

**References**

CVE-2022-36365: WordPress WHA Crossword plugin <= 1.1.10 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

By Deeba Ahmed
Dubbed AttachMe by researchers; the vulnerability was a severe one since it targeted all OIC customers.
This is a post from HackRead.com Read the original post: AttachMe – Oracle Patches  “Severe” Vulnerability in its Cloud Infrastructure

Wiz security researcher Elad Gabay reported that they discovered a critical vulnerability in the Oracle Cloud Infrastructure (OCI), which a customer may have exploited to read/write another customer’s data on the same platform without permission.

This means the vulnerability could allow any Oracle customer unauthorized access to the Cloud storage data of another customer.

The good news is that when Wiz researchers notified Oracle about the bug, the IT firm fixed it within 24 hours. The even better news is that customers don’t need to do anything regarding the fix.

**Vulnerability Analysis**

Dubbed AttachMe by researchers, the vulnerability is one of the best examples of cloud isolation vulnerabilities and how threat actors can exploit the flaws to gain unauthorized access to someone else’s data.

The vulnerability, according to Wiz’s blog post, was discovered by Wiz in June 2022 and was regarded as one of the severest cloud vulnerabilities that could impact all OCI customers and violate cloud storage’s most significant pledge of customer data safety.

> AttachMe is one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers. Cloud isolation vulnerabilities usually impact a specific cloud service. However, in this case, the impact is related to a core cloud service. 
> 
> Elad Gabay – Wix

1.  Attackers Exploit Oracle WebLogic Flaw to Mine $266K in Monero
2.  Oracle, Google, and Microsoft generated most vulnerabilities in 2021
3.  Oracle’s Point-of-service Division MICROS Suffers Massive Data Breach
4.  Hackers Use Malware To Steal Cisco, IBM and Oracle Certification Manager

**Exploiting the Vulnerability**

Gabay said the flaw was exploitable if the threat actor knew the Oracle Cloud Identifier for a customer’s storage volume. Since this identified isn’t confidential data, it was possible to attach that volume to the actor’s virtual machine in Oracle’s cloud if the volume was not attached already or supported multiple attachments.

Therefore, all the attacker needed was the identifier to attach a volume and access the storage volume, including the target user’s sensitive data. Perhaps the flaw emerged because Oracle Infrastructure didn’t verify permission for linking the storage, which caused the issue.

After hijacking someone’s cloud storage, a threat actor could perform several destructive acts, such as leaking sensitive data, altering code, and gaining privilege escalation. Nevertheless, since the vulnerability has been fixed, users should not be worried.

**More Vulnerability News**

1.  Critical WordPress plugin vulnerability allowed wiping databases
2.  Attackers exploiting Windows Installer vulnerability despite patching
3.  Critical Amazon Ring Vulnerability Could Expose Camera Recordings
4.  Attackers can Exploit Dirty Pipe Linux Vulnerability to Overwrite Data
5.  Rarible NFT Market Vulnerability Let Attackers to Transfer Crypto Assets

AttachMe – Oracle Patches  “Severe” Vulnerability in its Cloud Infrastructure

Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change.

*   Details
*   Reviews
*   Support
*   Development

**Description**

This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

**Reviews**

There are no reviews for this plugin.

**Contributors & Developers**

“FavIcon Switcher” is open source software. The following people have contributed to this plugin.

Contributors

*    Sed Lex

CVE-2022-40219: FavIcon Switcher

Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.

_I am Shubham Sudhir Sawant a Security Researcher, super thrilled to write my very first blog. Medium is one of my favorite platform where I can read on Security Bug blogs. I came across so many great contents which made me write one today. It not only helps us grow our knowledge or built our skill set in a particular field but also in exploring new ideas and think out of the box._

This article gives a walk through on what directory traversal is, explains how to perform path traversal attack, and elucidate how to prevent directory traversal vulnerability.

> **_What is Directory Traversal?_**

Path Traversal alias Directory Traversal, is a web related vulnerability that allows an attacker to read arbitrary files on the server running an application. (Example: application assets, backend systems credentials, and sensitive operating system files). In certain cases, an attacker can potentially tamper the arbitrary file on the server, which eventually give full control over the server running the application.

> **_Read arbitrary file through directory traversal_**

The Basic Steps are given below:

1\. Shoot up **Burp Professional** Suite/ **Burp Community** Edition Tool on your browser.

2\. Open The Web Application which has to be intercepted in burp Intercept **proxy tab**.

3\. Now before intercepting, set the proxy in web browser **network setting**.

4\. Open the burp tool and enable the **proxy intercept** tab.

5\. The request URL will be captured and send it to the **repeater** to launch the attack.

6\. Look for an Crawled Website(performed in repeater tab)

In Crawled Website I found the below URL:-

https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig

Figure 1: File Path Traversal Simple Example

{“version”:”16.5",”requestType”:”PATH\_INFO”,”requestFix”:”-”,”moduleVar”:”m”,”methodVar”:”f”,”viewVar”:”t”,”sessionVar”:”zentaosid”,”systemMode”:”new”,”sprintConcept”:”0",”URAndSR”:”0",”sessionName”:”zentaosid”,”sessionID”:”vgpgn3knuc5g2jod6uptc8db42",”random”:7923,”expiredTime”:”1440",”serverTime”:1663360511,”rand”:7923}

I found it is a sensitive config file which is getting executed for which was assigned a CVE-2022–37700

> **_How to prevent a directory traversal attack?_**

Although there are many ways in which the security professionals can avoid the possibility of path traversal attack some preventive measure are listed below: which includes..

1\. User supplied dynamic input should be strictly validated before being passed to any filesystem operation. After validating user input, the application can use a suitable filesystem API to verify that the file to be accessed is actually located within the base directory used by the application.

2\. Input containing dot-dot-slash sequences should be blocked.

3\. Also, the directory used to store files that are accessed using user supplied dynamic input can be located on a separate logical volume to other sensitive application and operating system files, so that these cannot be reached via path traversal attacks.

4\. If user provided data passed to input filesystem APIs is unavoidable then 2 layers of defense should be used together such as:

\- 1st step : The application should validate user input before processing it. This done by comparing to the whitelist of permitted values. If this is not possible then it should be validated based of “alphanumeric characters.”

\- 2nd step: After validation the application should append the input to the base directory and use a platform filesystem API to canonicalize the path.

**_For example: A java code to validate the canonical path of a file based on user input:_**

File f = new File (base\_Dir, user\_Input);

If (f.getCanonicalPath() .startsWith(base\_Dir))

{

//process file

}

5\. The developer should avoid storing sensitive data in the web root of the application.

6\. It is advisable to run the latest version of these web servers because by default it will have good directory security, if possible one can make sure that they are running the latest version (up- to-date with current patches).

> **_References_**

1\. https://portswigger.net/web-security/file-path-traversal

2\. https://www.acunetix.com/websitesecurity/directory-traversal/

3\. https://portswigger.net/daily-swig/patched-wordpress-plugin-still-susceptible-to-attacks

4\. https://portswigger.net/daily-swig/vulnerability-found-in-oracle-pos-terminals

5\. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/05-Authorization\_Testing/01-Testing\_Directory\_Traversal\_File\_Include

CVE-2022-37700: CVE-2022–37700 Directory Transversal in ZenTao Easy soft ALM v16.5

WordPress GetYourGuide Ticketing plugin version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # *Exploit Title*: WordPress Plugin ‘GetYourGuide Ticketing’  - StoredCross-Site Scripting# Date: 18-09-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage:https://wordpress.org/plugins/search/GetYourGuide+Ticketing/# Version: 1.0.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# *Vulnerable code*:``` <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input> ```# *POC*:1- Install the plugin ‘GetYourGuide Ticketing’ & activate it.2- Navigate toward the GYG-Ticketing3- Enter the XSS payload ` “><img src=x onerror=alert(1)>`4- Go to link builder to verify the XSS pop-up.#* POC image*:https://imgur.com/amrDhIt

WordPress GetYourGuide Ticketing 1.0.1 Cross Site Scripting

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made

Tag

#wordpress