Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.

CVE-2022-36386: Import any XML or CSV File to WordPress

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Word Search Puzzles game plugin <= 2.0.1 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Word Search Puzzles game

Vulnerable versions

<= 2.0.1

PSID 

b189ec77df94

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-09-01

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress Word Search Puzzles game plugin (versions <= 2.0.1).

**Solution**

Deactivate and delete. No reply from the vendor.

**References**

CVE-2022-36383: WordPress Word Search Puzzles game plugin <= 2.0.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Crossword plugin <= 1.1.10 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 1.1.10

PSID 

c155cfbae813

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-09-01

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress WHA Crossword plugin (versions <= 1.1.10).

**Solution**

Deactivate and delete. No reply from the vendor.

**References**

CVE-2022-36365: WordPress WHA Crossword plugin <= 1.1.10 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

By Deeba Ahmed
Dubbed AttachMe by researchers; the vulnerability was a severe one since it targeted all OIC customers.
This is a post from HackRead.com Read the original post: AttachMe – Oracle Patches  “Severe” Vulnerability in its Cloud Infrastructure

Wiz security researcher Elad Gabay reported that they discovered a critical vulnerability in the Oracle Cloud Infrastructure (OCI), which a customer may have exploited to read/write another customer’s data on the same platform without permission.

This means the vulnerability could allow any Oracle customer unauthorized access to the Cloud storage data of another customer.

The good news is that when Wiz researchers notified Oracle about the bug, the IT firm fixed it within 24 hours. The even better news is that customers don’t need to do anything regarding the fix.

**Vulnerability Analysis**

Dubbed AttachMe by researchers, the vulnerability is one of the best examples of cloud isolation vulnerabilities and how threat actors can exploit the flaws to gain unauthorized access to someone else’s data.

The vulnerability, according to Wiz’s blog post, was discovered by Wiz in June 2022 and was regarded as one of the severest cloud vulnerabilities that could impact all OCI customers and violate cloud storage’s most significant pledge of customer data safety.

> AttachMe is one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers. Cloud isolation vulnerabilities usually impact a specific cloud service. However, in this case, the impact is related to a core cloud service. 
> 
> Elad Gabay – Wix

1.  Attackers Exploit Oracle WebLogic Flaw to Mine $266K in Monero
2.  Oracle, Google, and Microsoft generated most vulnerabilities in 2021
3.  Oracle’s Point-of-service Division MICROS Suffers Massive Data Breach
4.  Hackers Use Malware To Steal Cisco, IBM and Oracle Certification Manager

**Exploiting the Vulnerability**

Gabay said the flaw was exploitable if the threat actor knew the Oracle Cloud Identifier for a customer’s storage volume. Since this identified isn’t confidential data, it was possible to attach that volume to the actor’s virtual machine in Oracle’s cloud if the volume was not attached already or supported multiple attachments.

Therefore, all the attacker needed was the identifier to attach a volume and access the storage volume, including the target user’s sensitive data. Perhaps the flaw emerged because Oracle Infrastructure didn’t verify permission for linking the storage, which caused the issue.

After hijacking someone’s cloud storage, a threat actor could perform several destructive acts, such as leaking sensitive data, altering code, and gaining privilege escalation. Nevertheless, since the vulnerability has been fixed, users should not be worried.

**More Vulnerability News**

1.  Critical WordPress plugin vulnerability allowed wiping databases
2.  Attackers exploiting Windows Installer vulnerability despite patching
3.  Critical Amazon Ring Vulnerability Could Expose Camera Recordings
4.  Attackers can Exploit Dirty Pipe Linux Vulnerability to Overwrite Data
5.  Rarible NFT Market Vulnerability Let Attackers to Transfer Crypto Assets

AttachMe – Oracle Patches  “Severe” Vulnerability in its Cloud Infrastructure

Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change.

*   Details
*   Reviews
*   Support
*   Development

**Description**

This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

**Reviews**

There are no reviews for this plugin.

**Contributors & Developers**

“FavIcon Switcher” is open source software. The following people have contributed to this plugin.

Contributors

*    Sed Lex

CVE-2022-40219: FavIcon Switcher

Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.

_I am Shubham Sudhir Sawant a Security Researcher, super thrilled to write my very first blog. Medium is one of my favorite platform where I can read on Security Bug blogs. I came across so many great contents which made me write one today. It not only helps us grow our knowledge or built our skill set in a particular field but also in exploring new ideas and think out of the box._

This article gives a walk through on what directory traversal is, explains how to perform path traversal attack, and elucidate how to prevent directory traversal vulnerability.

> **_What is Directory Traversal?_**

Path Traversal alias Directory Traversal, is a web related vulnerability that allows an attacker to read arbitrary files on the server running an application. (Example: application assets, backend systems credentials, and sensitive operating system files). In certain cases, an attacker can potentially tamper the arbitrary file on the server, which eventually give full control over the server running the application.

> **_Read arbitrary file through directory traversal_**

The Basic Steps are given below:

1\. Shoot up **Burp Professional** Suite/ **Burp Community** Edition Tool on your browser.

2\. Open The Web Application which has to be intercepted in burp Intercept **proxy tab**.

3\. Now before intercepting, set the proxy in web browser **network setting**.

4\. Open the burp tool and enable the **proxy intercept** tab.

5\. The request URL will be captured and send it to the **repeater** to launch the attack.

6\. Look for an Crawled Website(performed in repeater tab)

In Crawled Website I found the below URL:-

https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig

Figure 1: File Path Traversal Simple Example

{“version”:”16.5",”requestType”:”PATH\_INFO”,”requestFix”:”-”,”moduleVar”:”m”,”methodVar”:”f”,”viewVar”:”t”,”sessionVar”:”zentaosid”,”systemMode”:”new”,”sprintConcept”:”0",”URAndSR”:”0",”sessionName”:”zentaosid”,”sessionID”:”vgpgn3knuc5g2jod6uptc8db42",”random”:7923,”expiredTime”:”1440",”serverTime”:1663360511,”rand”:7923}

I found it is a sensitive config file which is getting executed for which was assigned a CVE-2022–37700

> **_How to prevent a directory traversal attack?_**

Although there are many ways in which the security professionals can avoid the possibility of path traversal attack some preventive measure are listed below: which includes..

1\. User supplied dynamic input should be strictly validated before being passed to any filesystem operation. After validating user input, the application can use a suitable filesystem API to verify that the file to be accessed is actually located within the base directory used by the application.

2\. Input containing dot-dot-slash sequences should be blocked.

3\. Also, the directory used to store files that are accessed using user supplied dynamic input can be located on a separate logical volume to other sensitive application and operating system files, so that these cannot be reached via path traversal attacks.

4\. If user provided data passed to input filesystem APIs is unavoidable then 2 layers of defense should be used together such as:

\- 1st step : The application should validate user input before processing it. This done by comparing to the whitelist of permitted values. If this is not possible then it should be validated based of “alphanumeric characters.”

\- 2nd step: After validation the application should append the input to the base directory and use a platform filesystem API to canonicalize the path.

**_For example: A java code to validate the canonical path of a file based on user input:_**

File f = new File (base\_Dir, user\_Input);

If (f.getCanonicalPath() .startsWith(base\_Dir))

{

//process file

}

5\. The developer should avoid storing sensitive data in the web root of the application.

6\. It is advisable to run the latest version of these web servers because by default it will have good directory security, if possible one can make sure that they are running the latest version (up- to-date with current patches).

> **_References_**

1\. https://portswigger.net/web-security/file-path-traversal

2\. https://www.acunetix.com/websitesecurity/directory-traversal/

3\. https://portswigger.net/daily-swig/patched-wordpress-plugin-still-susceptible-to-attacks

4\. https://portswigger.net/daily-swig/vulnerability-found-in-oracle-pos-terminals

5\. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/05-Authorization\_Testing/01-Testing\_Directory\_Traversal\_File\_Include

CVE-2022-37700: CVE-2022–37700 Directory Transversal in ZenTao Easy soft ALM v16.5

WordPress GetYourGuide Ticketing plugin version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # *Exploit Title*: WordPress Plugin ‘GetYourGuide Ticketing’  - StoredCross-Site Scripting# Date: 18-09-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage:https://wordpress.org/plugins/search/GetYourGuide+Ticketing/# Version: 1.0.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# *Vulnerable code*:``` <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input> ```# *POC*:1- Install the plugin ‘GetYourGuide Ticketing’ & activate it.2- Navigate toward the GYG-Ticketing3- Enter the XSS payload ` “><img src=x onerror=alert(1)>`4- Go to link builder to verify the XSS pop-up.#* POC image*:https://imgur.com/amrDhIt

WordPress GetYourGuide Ticketing 1.0.1 Cross Site Scripting

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.

CVE-2022-3142

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.

While investigating Wordpress plugins, I stumbled upon “Translatepress Multilingual”, which is used to make Wordpress pages available in multiple languages and has 200,000 active installations.

It is not so easy to find SQL injections in Wordpress plugins, as wordpress has a feature called “magic quotes”, which means it automatically applies the addslashes PHP function to all GET and POST input, escaping quotes and backslashes. Therefore, many of the classic SQL injection attacks cannot work against wordpress, as it is impossible to break out of quotes. Still, there are some scenarios when user input is not surrounded by quotes, for example when it is supposed to be an integer. Today, we will have a closer look at another case.

In the Translatepress source code, there are a couple of functions that look like this:

The language code taken from the input parsed by a function called get_table_name and in addition to the magic quotes protection, we also have to bypass sanitize_text_field .

The language code is prefixed with a constant string and a filter is applied. However, I could not find this filter, so this seems to have no effect.

When looking at the SQL query, you can see that the table name is only surrounded by backticks. However, neither sanitize_text_field nor the magic quotes escape backticks.

I fired up a brand new Wordpress instance using docker-compose as described in this tutorial: https://docs.docker.com/samples/wordpress/. If you want to try this, make sure to also use a new Wordpress instance, as the exploit will mess up your database.

I installed and activated the at the time latest version of Translatepress Multilingual, 2.3.2. Then, I went to the Translatepress settings page, added a random language, English (UK), and intercepted the request with Burp Suite. Time to start injecting some payloads!

I started with `x=%23 , where %23 refers to # , which is needed to comment out the rest of the query. This should trigger an error if we can escape the backticks.

And yes, we can see a couple of SQL syntax errors flooding the window where we ran sudo docker-compose up :

We can see from these errors that our payload gets inserted into multiple statements, namely CREATE TABLE , CREATE_INDEX and CREATE FULLTEXT INDEX . However, these commands seemed uncommon to achieve a useful SQL injection attack vector, so I kept looking.

I went to the “Pages” section, opened “Sample Page” and clicked “Translate”. An editor opened up where I could translate strings, and I noticed more error messages in the Wordpress log.

Note that this happened without submitting another payload. My previous payload got inserted in some other statements, e.g. SELECT . As we can control the full SQL query after the table name, I concluded it should be easy to utilize a time-based payload.

I copied the POST request that adds a language from Burp Suite to translatepress_req.txt :

I also copied the GET request where we can execute the payload in a SELECT statement to translatepress_req_2.txt :

Time to launch sqlmap to execute a so-called second-order attack (because we have different pages for submitting the payload and viewing the result). This is the right command to use, specifying a few non-default option to speed up the detection:

sqlmap -r translatepress\_req.txt -p trp\_settings%5Btranslation-languages%5D%5B%5D — dbms=mysql — second-req translatepress\_req\_2.txt — technique=T — level 5 — risk 3 — fresh-queries

Now it is possible to use sqlmap at the full extent to download tables, for example the wp_users table, or do whatever is possible in the context of your database configuration.

It might also be possible to exploit this vulnerability using a boolean-based blind or UNION technique. It did not work out of the box, probably because the payload is inserted in many statements and breaks at least one of the queries that are necessary to show proper output. I did not spend much time trying to improve this, as I already had a time-based PoC.

This exploit can only be executed by an authenticated user, as you need to add a new language. I don’t know the Translatepress ecosystem well enough to know if only the administrator can add languages, or also some other roles. This might also depend on installed addons and custom configurations.

It is also worth noting that above PoC might need to be modified a little when the Pro version of Translatepress is attacked. Both Pro and Free are vulnerable, as the code responsible for the sanitization is the same, but I have not actually tried this yet with a Pro installation.

Shortly after I reported this vulnerability to the vendor, they released a patched update (version 2.3.3) which is using a regular expression to block malicious language codes.

You can find this exploit also on Github:

If you want to read about more vulnerabilities I discover, make sure you follow me on LinkedIn, Medium & Twitter:

If you run a company and are looking for an expert to make sure your web applications are secure, feel free to send an email to elias.hohl@ehtec.co to receive an offer.

CVE-2022-3141: Authenticated SQL injection vulnerability in “Translatepress Multilingual” Wordpress plugin

The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Tag

#wordpress