Authenticated (shop manager+) Reflected Cross-Site Scripting (XSS) vulnerability in AlgolPlus Advanced Order Export For WooCommerce plugin <= 3.3.1 at WordPress.

CVE-2022-35275

Cross-Site Request Forgery (CSRF) vulnerability in GetResponse plugin <= 5.5.20 at WordPress.

CVE-2022-35277

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Hans Matzen's wp-forecast plugin <= 7.5 at WordPress.

CVE-2022-35725

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy / Thirty8 Digital Culture Object plugin <= 4.0.1 at WordPress.

CVE-2022-36356

Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Event Calendar is a flexible calendar plugin that allows you to connect to your database and show up your event days on a view. Calendar can render a Day, Week, Month and Resource calendar view. The also provides an interface for manipulating and formatting dates and times. Each event box has a link to the original event you defined in your calendar.

*   Event Calendar Premium
*   All Calendar Demo Types
*   Event Calendar FAQ
*   Event Calendar User Manual
*   Support Forum

**Features**

*   Plugin for create a calendar with events.
*   Intuitive event labels.
*   Easy to customize.
*   Use as a date picker or a full fledged calendar.
*   10 free themes with the option of select data ranges, mark events and others (4 versions of the event calendar type, 2 versions of the simple type, 2 versions of the flexible type and 2 versions of the timeline type)
*   You can easily list your events on wherever you want on your page via shortcodes.
*   Each event box has a link to the original event you defined in your calendar.
*   Allows you to set the most appropriate navigation arrows, which will suit the best for your web site.
*   The ability to display multiple events for a single day.
*   Plugin lets you change the color and set it to the colors of your site.
*   You can change the start and end date of the event.
*   You can change the start and end time of events.
*   You can customize the calendar color, font size and font family.
*   The ability to change the color of the arrow and background color.
*   Each species has a unique customizable settings.
*   Add an unlimited number of events in one calendar. As you have already created a number of events, you can add via the shortcodes on your page as you need.
*   Each calendar can be inserted in a page, post or widget shortcode.
*   You can add photos to the events (all types)
*   Total Calendar, Timeline, Crazy, Schedule and Full Year types each event has its own color.
*   Recurring events
*   Possibility to preview the theme in calendar before putting it on the page.

**Premium version adds**

*   3 beautiful customizable themes
*   Crazy Calendar Theme
*   Schedule Theme
*   Full Year Calendar Theme
*   **Recurring events** – Daily, Weekly, Monthly, Yearly
*   **WeekDay Start** – Can select that day, which must be the first in the week.
*   **Weekday** – Ability to select the style of calendar week.
*   **Todays numbers Color** – Can choose the date color, that will be displayed.
*   **Icon** – Possibility select the right and the left icons, which are, for change the months by sequence.
*   **Color** – The plugin allows to change the color and enter it in the colors of your site.
*   **Font** – The plugin allows to change the color of the date, font size and font family.
*   This opens up new useful functions and new possibilities.

**In addition to the features mentioned above, there are many other functions inside the plugin. You get the advantage of an intuitive user interface, that makes the plugin operation easy, easy to understand the calendar options, as well as many hooks and filters to control the output.**

**Main features of Event.**

*   **Event Title** – You can give a name for event.
*   **Calendar Name** – Choose that version of themes, in which you want to see the Events.
*   **Start Date** – You Can select the start of the event (To display events in the calendar if you have a browser Safari, firefox or Internet explorer should write yyyy-mm-dd).
*   **End Date** – You Can select the finish date of the event (To display events if you have a browser Safari, firefox or Internet explorer should write yyyy-mm-dd).
*   **Event URL** – You can set external URL, which should be included in the event.
*   Open in new tab – Choose, by clicking on the link should open in new tab or not.
*   **Start Time (Required field)** – Can select the event start time (To display events in the calendar if you have a browser Safari, Firefox or Internet explorer should write hh:mm).
*   **End Time (Required field)** – Can select the event end time (To display events if you have a browser Safari, Firefox or Internet explorer should write hh:mm).
*   **Event color** – Select that color, which you want to see for your event, which shows in the calendar (Event Color option is only for Event Calendar Type.).
*   **Description** – You can give a description for event.
*   **Event Image/Video** – You can give a Image and Video(YouTube and Vimeo) for event. Event Image and Video option is available for all types.

**Insert plugin to the WordPress page, post, widget** – Every calendar could be inserted into a page, post or widget with shortcode.

**Plugin works in Chrome, Safari, Opera, Firefox, Internet Explorer** – Use your calendar with all the popular browsers.

**Navigation Arrow** – Plugin allows you to get the most suitable navigation arrows that fit best for your website.

**The Plugin is Truly Wonderful** – You can create a very nice and beautiful calendar for your website. The plugin is easily editable and functionality perfectly.

**Link** – There is a special place for adding a Link to each event. Choose to open the Link in the new tab or not.

**Technical Support**

*   If you notice any errors or have any questions with our event calendar, you can notify us. We will investigate and solve the problem. Check out the Event Calendar Support Forum on our website. If you don’t find a solution to your question here, don’t hesitate to click here to contact us.

THANK YOU FOR YOUR INTEREST IN EVENT CALENDAR TS.

Here’s how you install and activate the Event Calendars plugin:

Download the plugin.  
Upload the .zip file in your WordPress plugin directory.  
Activate the plugin from the “Plugins” menu in WordPress.  
After activating Event Calendar, choose the type of version you wish to use.

For users of MAC

*   Go to the downloads folder and local the folder with the event calendar.
*   Right click on the folder and select Compress. Now you have just created the .zip file, which can be installed as described here.
*   Click the download and install button to download and install the plugin.
*   Click the Activate plugin button to activate the calendar plugin.
*   If the installation is succeeded, you will see a message in the image.
*   In case of any problems during the installation of the calendar, please click here to contact us.

**1). There are some restrictions for adding events?**

*   There is no limit for the amount of events.
*   You can add as many events as you want. Plugin has no limitations.

**2.) How many calendar may I create for WordPress website?**

*   You may create unlimited calendars by this plugin and by many options.

**3.) How to change the font size of the theme?**

*   The settings can include custom header settings where you can adjust the font size and see the results in the live preview.

**4.) How can I add plugin in widget?**

*   Get to the widget, then add our plugin widget to the sidebar. Then select your name.

**5.) How many themes can I create for my plugin?**

*   You can create as many themes as you want.

**6.) \*\*\*\* Where to change the settings?**

*   The settings you can change in the manager’s calendar.

**7.) I create an event in the calendar but it does not show. What can I do?**

*   First, check that you don’t have the same plugin again.
*   It is necessary to write the begging and ending day of the event.
*   If you have Safari, Firefox, Opera or Internet Explorer, you must write yyyy-mm-dd , that would show the events in calendar.

**8). How many calendar themes can I create for my plugin?**

*   You can create as many themes as you want.

**9.) How many event can I create for my plugin?**

*   You can create as many events as you need.

**10.) Has each event own color or color is for everyone in Simple Type?**

*   In this version you are setting events color in general options and its for all events. In Total Calendar and Timeline types each event has its own color.

**11.) How to change date format?**

*   If you need to change event date format, please open Event Manager Settings and type necessary type in Date format input. For instance, in case you want to have dates as 08/1/2020, set the format to M/d/Y.

awesomeness in this calendar

I bought the full version. After installing on my template, not everything was fine, but the support from the developer was great / fast. The calendar fully suits me both in terms of features and usability bars - on pages or widgets. So far, I am very satisfied.

In my case I needed a yearly calendar. It is the plugin that I was looking for. Functional, easy to use, cheap ... In addition, the customer service is incredible. I definitely recommend it.

This plugin is all I need for a simple event calendar with no bells and whistles. Had some issues in the beginning with the backend but support fixed them quickly and released an updated version. The only issues I have now, I have with all free plugins. They all seem to think it is okay to bombard us with promotions to upgrade to pro. If that is what we wanted we would have done this once we confirmed the plugin was well structured and we could use the added features. Why not allow us to remove the promos forever? After all there is a link to your page inside the plugin itself if we change our minds later.

We had a Problem with the Size of the Date for one Calendar Type, because we wanted it to be different from the headline of one event, so we contacted the Support. It was really really fast and help us out as fast as possible. They even changed the code for us so we got what we wanted. I never saw that Developer made a change for one single user. Its awesome Service in my opinion! I would recommend this plugin again, if you want to use a simple but clear calendar plugin for wordpress.

Read all 98 reviews

“Event Calendar – Calendar” is open source software. The following people have contributed to this plugin.

Contributors

*    totalsoft

**Version 1.4.8**

*   Changed TS Poll plugin banner

**Version 1.4.7**

*   Fixed a bug in the plugin.

**Version 1.4.6**

*   Fixed issue with theme options.

**Version 1.4.5**

*   Fixed bug with admin panel.

**Version 1.4.4**

*   Added the ability to change the icon to events.
*   Changed several fonts.
*   Fixed bugs related to PHP 8 version.

**Version 1.4.3**

*   Fixed bug in “update” functions.

**Version 1.4.2**

*   Fixed bug in “edit” functions.

**Version 1.4.1**

*   Changed function for font size.
*   Fixed issue in events option.

**Version 1.4.0**

*   Fixed a bug for showing the event.

**Version 1.3.9**

*   Added font for days on the calendar.
*   Fixed bug related icons.

**Version 1.3.8**

*   Added the ability to put days on the center.

**Version 1.3.7**

*   Added the ability to select icons back to the calendar after the event.

**Version 1.3.6**

*   Fixed a bug in the Timeline type. After changing the language this type was did not work.

**Version 1.3.5**

*   Added a new opportunity in the timeline version. Shows the current days at first.
*   Fixed a bug in the flexible version. The start and the end of days in the event, showed only the starting day.
*   Fixed a bug in the Timeline version. When the year did not had any event it do not show the next year�s events.

**Version 1.3.4**

*   The bug in the “Total Soft Calendar” version has been fixed. The description is not shown in the calendar.
*   Fixed a bug with recurring events.

**Version 1.3.3**

*   Added possibility to preview the theme in calendar before putting it on the page.
*   Updated translations.
*   Changed admin menu design.

**Version 1.3.2**

*   Added Google fonts to the basic fonts.
*   Added possibility to make recurring events.
*   Added box shadow options for all types.
*   Fixed bug with media uploading process.

**Version 1.3.1**

*   Updated function for creating Simple type.

**Version 1.3.0**

*   Changed Media uploading function.
*   Changed admin menu style.
*   Added languages for Timeline type.
*   Changed function for constructing Timeline calendar.

**Version 1.2.9**

*   Changed CSS style for Flexible Calendar type.
*   Updated uploading function for videos and images.
*   Changed Basic function for creating Timeline Calendar.

**Version 1.2.8**

*   Fixed bug In Flexible Calendar type (Did not show the year in the calendar).
*   Changed all functions for creating calendar.
*   Updated the function for creating the events by ordering.

**Version 1.2.7**

*   Fixed PHP error in widget.

**Version 1.2.6**

*   Fixed a bug in the widget.

**Version 1.2.5**

*   Added new Type of calendar: ” Timeline Calendar “
*   Opened some functions for free version.

**Version 1.2.4**

*   Added possibility to create more than one flexible Calendar on the same page.

**Version 1.2.3**

*   Added Secondary question for deleting calendar or events.

**Version 1.2.2**

*   Added new text editor for making event description.

**Version 1.2.1**

*   In Category ” Total Products ” added new plugin ” Event Calendars ” by Total-Soft.

**Version 1.2.0**

*   Modified the Design Admin Panel.

**Version 1.1.9**

*   Added possibility to create more than one Simple Calendar on the same page.

**Version 1.1.8**

*   Tested with WP version 4.7.3.

**Version 1.1.7**

*   Added a function into the first and second versions. You can add descriptions, pictures, videos and choose time format.

**Version 1.1.6**

*   Added a new color picker type.
*   Opened some functions for free version.

**Version 1.1.5**

*   Added translations in several languages for the month names and weekday names.
*   Fixed bug in Flexible Calendar type with translation.

**Version 1.1.4**

*   Added new menu in the plugin.

**Version 1.1.3**

*   Fixed bugs in the 3 calendar types.

**Version 1.1.2**

*   Added new Calendar Type “Flexible Calendar” in which you can add events with images and videos from YouTube and Vimeo.

**Version 1.1.1**

*   Added Italian translation.

**Version 1.1.0**

*   Fixed a bug with icons.

**Version 1.0.8**

*   Issue with date format solved

**Version 1.0.7**

*   Fixed a problem with the widget

**Version 1.0.6**

*   Added new Type of calendar: ” Simple Calendar “

**Version 1.0.5**

*   Changed in the Admin panel
*   Added educational text for the users how to adjust the calendar

**Version 1.0.4**

*   Fixed Syntax Error

**Version 1.0.3**

*   Changed free version some parameters

**Version 1.0.2**

*   Fixed a bug in the event

**Version 1.0.1**

*   Fixed a little bug that was affecting some users

**Version 1.0.0**

*   Initial Version Release

CVE-2022-38067: Event Calendar – Calendar

Server-Side Request Forgery (SSRF) vulnerability in Rank Math SEO plugin <= 1.0.95 at WordPress.

**v3.0.20 September 14, 2022**

*   Improved: Plugin’s update checking functionality
*   Improved: Removed inStock information from the Review Schema shortcode when Offers and Pros & Cons added to the Product Schema are empty for Editorial Reviews
*   Improved: Query performance to get the Schema templates data based on the Display conditions
*   Improved: Query performance to get the Analytics data
*   Fixed: Missing GTIN in Variable Product Schema even when the value was added in the backend
*   Fixed: Secondary keywords were removed at the time of updating SEO details using the Quick Edit option
*   Fixed: Data sorting option was not working in the Analytics reports
*   Fixed: Editor was crashing at the time of searching for a Singular post in the Schema Template Display Condition option
*   Fixed: Term selection option was not working in the Schema Template Display condition option
*   Fixed: Missing Analytics header options after selecting the Post type

**v3.0.18.1 August 12, 2022**

*   Fixed: Conflict between Rank Math PRO & Elementor PRO, which was breaking the editor

CVE-2022-36376: The Official Rank Math SEO Changelog & Release Notes

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.
"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.
BackupBuddy allows users to back up their entire WordPress installation from within the

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.

BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.

The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022.

The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of the insecure implementation, which enables an unauthenticated threat actor to download any arbitrary file on the server.

Additional details about the flaw have been withheld in light of active in-the-wild abuse and its ease of exploitation.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plugin's developer, iThemes, said. "This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence noted that the targeting of CVE-2022-31474 commenced on August 26, 2022, and that it has blocked nearly five million attacks in the intervening time period. Most of the intrusions have attempted to read the below files -

*   /etc/passwd
*   /wp-config.php
*   .my.cnf
*   .accesshash

Users of the BackupBuddy plugin are advised to upgrade to the latest version. Should users determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

Site backup plugin developer issues patch following reports of millions of exploit attempts

Adam Bannister 08 September 2022 at 13:57 UTC  
Updated: 08 September 2022 at 16:32 UTC

Site backup plugin developer issues patch following reports of millions of exploit attempts

UPDATED WordPress websites running BackupBuddy have been urged to update the plugin amid reports of active exploitation of a high severity arbitrary file download/read vulnerability.

BackupBuddy, which is used to backup WordPress sites, and has around 140,000 active installations.

WordPress security firm Wordfence has revealed that its firewall has blocked more than 4.9 million exploit attempts related to the flaw since abuse was first detected on August 26.

The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites.

Read more of the latest WordPress security news

A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.

The vulnerability affects versions between 8.5.8.0 and 8.7.4.1, and was patched in version 8.7.5. 

iThemes, the plugin developer, told The Daily Swig that the bug was patched on September 2, not on September 6 as Wordfence (and therefore this article too) initially stated, within hours of being “notified of suspicious activity related to a BackupBuddy installation”.

It continued: “We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.

“We recommend that customers follow the steps outlined in the disclosure post to detect if their site was attacked. Our support team is standing by to help if anyone needs help or assistance from the iThemes Help Desk.”

**Local root cause**

The vulnerability arose from an insecure implementation of the mechanism used to download locally stored files, meaning unauthenticated attackers could download any file stored on the server.

“More specifically the plugin registers an hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation,” according to a Wordfence blog post published on September 6.

“This means that the function could be triggered via any administrative page, including those that can be called without authentication (), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.”

Sysadmins can find signs of exploitation by “checking for the ‘’ and/or the ‘’ parameter value when reviewing requests in your access logs,” said Wordfence.

“Presence of these parameters along with a full path to a file or the presence of to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.”

iThemes concluded: “This incident, like many others experienced by other vendors in the past, underscores how security-aware WordPress users have become. WordPress as a whole has become a much more secure platform thanks to the commitment of vendors, users, and security researchers to make security easier for everyone, and iThemes is proud to be an integral part of that.”

This article was updated on September 8 with comment from iThemes

YOU MIGHT ALSO LIKE A rough guide to launching a career in cybersecurity

WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

WordPress BackupBuddy plugin versions 8.5.8.0 through 8.7.4.1 suffer from an arbitrary file read and download vulnerability.

    Description: Arbitrary File Download/ReadAffected Plugin: BackupBuddyPlugin Slug: backupbuddyPlugin Developer: iThemesAffected Versions: 8.5.8.0 – 8.7.4.1CVE ID: CVE-2022-31474CVSS Score: 7.5 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NFully Patched Version: 8.7.5The BackupBuddy plugin for WordPress is designed to make back-up management easy for WordPress site owners. One of the features in the plugin is to store back-up files in multiple different locations, known as Destinations, which includes Google Drive, OneDrive, and AWS just to name a few. There is also the ability to store back-up downloads locally via the ‘Local Directory Copy’ option. Unfortunately, the method to download these locally stored files was insecurely implemented making it possible for unauthenticated users to download any file stored on the server.More specifically the plugin registers an admin_init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation. This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability.Indicators of CompromiseThe Wordfence firewall has blocked over 4.9 million exploit attempts targeting this vulnerability since August 26, 2022, which is the first indication we have that this vulnerability was being exploited. We are seeing attackers attempting to retrieve sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim.The top 10 Attacking IP Addresses are as follows:- 195.178.120.89 with 1,960,065 attacks blocked- 51.142.90.255 with 482,604 attacks blocked- 51.142.185.212 with 366770 attacks blocked- 52.229.102.181 with 344604 attacks blocked- 20.10.168.93 with 341,309 attacks blocked- 20.91.192.253 with 320,187 attacks blocked- 23.100.57.101 with 303,844 attacks blocked- 20.38.8.68 with 302,136 attacks blocked- 20.229.10.195 with 277,545 attacks blocked- 20.108.248.76 with 211,924 attacks blockedA majority of the attacks we have observed are attempting to read the following files:- /etc/passwd- /wp-config.php- .my.cnf- .accesshashWe recommend checking for the ‘local-download’ and/or the ‘local-destination-id’ parameter value when reviewing requests in your access logs. Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5, right now since this is an actively exploited vulnerability.All Wordfence customers, including Wordfence Premium, Wordfence Care, Wordfence Response, and Wordfence Free users, have been, and will continue to be, protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild.We will continue to monitor the situation and follow up as more information becomes available.

WordPress BackupBuddy 8.7.4.1 Arbitrary File Read

Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress.

Tag

#wordpress