The Fast Flow WordPress plugin before 1.2.13 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2775

The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF

CVE-2022-2657

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts

CVE-2022-2597

The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins

CVE-2022-2565

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts

CVE-2022-2543

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users

CVE-2022-2376

The WP Database Backup WordPress plugin before 5.9 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2271

WordPress Netroics Blog Posts Grid plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Netroics Blog Posts Grid" v1.0# Date: 08/08/2022# Exploit Author: saitamang, syad, yunaranyancat# Vendor Homepage: wordpress.org# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip# Version: 1.0# Tested on: Centos 7 apache2 + MySQLWordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the postpayload --> user s1"><img src=x onerror=alert(document.cookie)>.gifThe draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.Further information can be preview from github below:https://github.com/saitamang/POC-DUMP/blob/main/wordpress/Netroics%20Blog%20Posts%20Grid%20v1.0%20Stored%20XSS.md

WordPress Netroics Blog Posts Grid 1.0 Cross Site Scripting

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Simon Ward MP3 jPlayer plugin <= 2.7.3 at WordPress.

CVE-2022-36373: MP3-jPlayer

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in CallRail, Inc. CallRail Phone Call Tracking plugin <= 0.4.9 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

CallRail is here to bring complete visibility to the marketers who rely on quality inbound leads to measure success. Our customers live in a results-driven world, and giving them a clear view into their digital marketing efforts is a first priority for CallRail. We see the opportunities in surfacing and connecting data from calls, forms, chat and beyond — helping our customers get to better outcomes.

Our WordPress plugin allows you to learn detailed information about the source and web session of every caller from your website using a process called Dynamic Number Insertion. It also powers our form tracking tool, which gives you the power to attribute form submissions back to their source and learn about what the user did on your site before submitting the form.

*   Learn more about CallRail.
*   Check out our WP plugin support documentation.

1.  Sign in to your CallRail account and click the **Settings tab**.
2.  Select the company you want from the dropdown menu.
3.  Find the WordPress plugin in the list of integrations and click **Instructions**.
4.  Download the plugin and follow the instructions listed.

Full documentation can be found here.

Constant integration issues with Adwords make our conversion data mostly useless. In Adwords this is a huge problem. They recently lost 2/3 of our all time call recordings!!!!! This data was priceless and is unrecoverable. Callrail's support is some of the worst I have encountered and even during emergency situations they are not in a hurry to help. Calls to support go unanswered and if we get a callback it is often the next day by someone who has little knowledge. We are finding a new company to work with and I would suggest others to do the same. I will update this post with a full breakdown of all our callrail issues once we have migrated to a new provider. Too many to list at the current moment 🙁

Read all 4 reviews

“CallRail Phone Call Tracking” is open source software. The following people have contributed to this plugin.

Contributors

*    apowellgt

**0.2**

*   Initial public release.

**0.3**

*   Update to version 2 of the javascript tracking script (swap.js)
*   Prompt the user to add an API key after installation.
*   Don’t insert the CallRail script if no API key is present.
*   Trim whitespace surrounding the API key before saving.

**0.3.1**

*   Update to version 3 of the javascript tracking script (swap.js)

**0.3.2**

*   Update to version 4 of the javascript tracking script (swap.js) which supports more advanced number replacement.

**0.3.3**

*   Update to version 5 of the javascript tracking script (swap.js)

**0.3.4**

*   Update to version 7 of the javascript tracking script (swap.js) and serve the script via the MaxCDN network (cdn.callrail.com).

**0.3.5**

*   Update to version 8 of the javascript tracking script (swap.js).

**0.3.6**

*   Update to version 10 of the javascript tracking script (swap.js).

**0.3.7**

*   Add a HTML comment so the CallRail support team can see when swap.js is installed via WordPress.

**0.3.8**

*   Update to version 11 of the javascript tracking script (swap.js).

**0.3.11**

*   Set Callrail cookies via HTTP using xhr request from swap.js script.

**0.4.0**

*   Added an optional feature to load required scripts as first-party through WordPress.

**0.4.1**

*   Various bug fixes.
*   Default first-party swap.js to on after testing if it is supported or not.

**0.4.2**

*   Fix bug where forms were not rendering for first-party enabled sites.

**0.4.3**

*   update the readme.

**0.4.4**

*   Change the default value for the “Enable As First Party Script” flag to false for initial Installations.

**0.4.5**

*   Add the newly required parameter “permission\_callback” to all custom REST endpoint definitions

**0.4.6**

*   Updating tested up to version.

**0.4.7**

*   Updating tested up to version. redeploy.

**0.4.8**

*   Updating tested up to version. redeploy.

**0.4.9**

*   Fixed End User IP Address detection

Tag

#wordpress