The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins

CVE-2022-2565

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts

CVE-2022-2543

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users

CVE-2022-2376

The WP Database Backup WordPress plugin before 5.9 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2271

WordPress Netroics Blog Posts Grid plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Netroics Blog Posts Grid" v1.0# Date: 08/08/2022# Exploit Author: saitamang, syad, yunaranyancat# Vendor Homepage: wordpress.org# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip# Version: 1.0# Tested on: Centos 7 apache2 + MySQLWordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the postpayload --> user s1"><img src=x onerror=alert(document.cookie)>.gifThe draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.Further information can be preview from github below:https://github.com/saitamang/POC-DUMP/blob/main/wordpress/Netroics%20Blog%20Posts%20Grid%20v1.0%20Stored%20XSS.md

WordPress Netroics Blog Posts Grid 1.0 Cross Site Scripting

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Simon Ward MP3 jPlayer plugin <= 2.7.3 at WordPress.

CVE-2022-36373: MP3-jPlayer

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in CallRail, Inc. CallRail Phone Call Tracking plugin <= 0.4.9 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

CallRail is here to bring complete visibility to the marketers who rely on quality inbound leads to measure success. Our customers live in a results-driven world, and giving them a clear view into their digital marketing efforts is a first priority for CallRail. We see the opportunities in surfacing and connecting data from calls, forms, chat and beyond — helping our customers get to better outcomes.

Our WordPress plugin allows you to learn detailed information about the source and web session of every caller from your website using a process called Dynamic Number Insertion. It also powers our form tracking tool, which gives you the power to attribute form submissions back to their source and learn about what the user did on your site before submitting the form.

*   Learn more about CallRail.
*   Check out our WP plugin support documentation.

1.  Sign in to your CallRail account and click the **Settings tab**.
2.  Select the company you want from the dropdown menu.
3.  Find the WordPress plugin in the list of integrations and click **Instructions**.
4.  Download the plugin and follow the instructions listed.

Full documentation can be found here.

Constant integration issues with Adwords make our conversion data mostly useless. In Adwords this is a huge problem. They recently lost 2/3 of our all time call recordings!!!!! This data was priceless and is unrecoverable. Callrail's support is some of the worst I have encountered and even during emergency situations they are not in a hurry to help. Calls to support go unanswered and if we get a callback it is often the next day by someone who has little knowledge. We are finding a new company to work with and I would suggest others to do the same. I will update this post with a full breakdown of all our callrail issues once we have migrated to a new provider. Too many to list at the current moment 🙁

Read all 4 reviews

“CallRail Phone Call Tracking” is open source software. The following people have contributed to this plugin.

Contributors

*    apowellgt

**0.2**

*   Initial public release.

**0.3**

*   Update to version 2 of the javascript tracking script (swap.js)
*   Prompt the user to add an API key after installation.
*   Don’t insert the CallRail script if no API key is present.
*   Trim whitespace surrounding the API key before saving.

**0.3.1**

*   Update to version 3 of the javascript tracking script (swap.js)

**0.3.2**

*   Update to version 4 of the javascript tracking script (swap.js) which supports more advanced number replacement.

**0.3.3**

*   Update to version 5 of the javascript tracking script (swap.js)

**0.3.4**

*   Update to version 7 of the javascript tracking script (swap.js) and serve the script via the MaxCDN network (cdn.callrail.com).

**0.3.5**

*   Update to version 8 of the javascript tracking script (swap.js).

**0.3.6**

*   Update to version 10 of the javascript tracking script (swap.js).

**0.3.7**

*   Add a HTML comment so the CallRail support team can see when swap.js is installed via WordPress.

**0.3.8**

*   Update to version 11 of the javascript tracking script (swap.js).

**0.3.11**

*   Set Callrail cookies via HTTP using xhr request from swap.js script.

**0.4.0**

*   Added an optional feature to load required scripts as first-party through WordPress.

**0.4.1**

*   Various bug fixes.
*   Default first-party swap.js to on after testing if it is supported or not.

**0.4.2**

*   Fix bug where forms were not rendering for first-party enabled sites.

**0.4.3**

*   update the readme.

**0.4.4**

*   Change the default value for the “Enable As First Party Script” flag to false for initial Installations.

**0.4.5**

*   Add the newly required parameter “permission\_callback” to all custom REST endpoint definitions

**0.4.6**

*   Updating tested up to version.

**0.4.7**

*   Updating tested up to version. redeploy.

**0.4.8**

*   Updating tested up to version. redeploy.

**0.4.9**

*   Fixed End User IP Address detection

CVE-2022-36796: CallRail Phone Call Tracking

Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in PluginlySpeaking Easy Org Chart plugin <= 3.1 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of July 29, 2022 and is not available for download. This closure is temporary, pending a full review.

No support anymore, pro Version not available, pure garbage. I don't know why this Plugin is still live.

This plugin seems perfect, unfortunately it itsn't up to date and is unusable on last versions of WordPress (impossibility to add several people on a chart).

Nice Plugin for creating multiple org chart.

Read all 3 reviews

“Easy Org Chart” is open source software. The following people have contributed to this plugin.

Contributors

*    PluginlySpeaking

CVE-2022-36355: Easy Org Chart

The WordPress Core version 6.0.2 release addresses cross site scripting and remote SQL injection vulnerabilities.

    Description: SQL Injection via Links LIMIT clauseAffected Versions: WordPress Core < 6.0.2Researcher: FVDCVE ID: PendingCVSS Score: 8.0 (High)CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:HFully Patched Version: 6.0.2The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. It is possible that 3rd party plugins or themes might allow this vulnerability to be used by editor-level users or below, and in these cases the Wordfence firewall will block any such exploit attempts.Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. Legacy widgets involve additional safeguards, and the injection point of the query itself poses additional difficulties, making this vulnerability nontrivial to exploit.Description: Contributor+ Stored Cross-Site Scripting via use of the_meta functionAffected Versions: WordPress Core < 6.0.2Researcher: John BlackbournCVE ID: PendingCVSS Score: 4.9 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:NFully Patched Version: 6.0.2WordPress content creators, such as Contributors, Editors, Authors, and Administrators, have the ability to add custom fields to any page and post created. The purpose of this is to make it possible for site content creators to add and associate additional data to posts and pages.WordPress has several functions available to site owners to display custom fields created and associated with posts and pages. One of these functions is the the_meta function which retrieves the supplied post’s or page’s custom field data, which is stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post/page are retrieved, the function outputs the post meta keys and values data as a list. Unfortunately, in versions older than 6.0.2 this data was unescaped on output making it possible for any injected scripts in post meta keys and values to be executed.Due to the fact that any user with access to the post editor can add custom meta fields, users with access to the editor such as contributors could inject malicious JavaScript that executes on any page or post where this function is called.WordPress core does not call the_meta anywhere in its codebase by default. As such this vulnerability does require a plugin or theme that calls the the_meta function, or for this function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function is considered deprecated as of 6.0.2 and get_post_meta is the recommended alternative.The Wordfence Threat Intelligence Team deployed a firewall rule to help protect Wordfence Premium, Care & Response customers today. Wordfence Free users will receive the same protection in 30 days on September 29, 2022.Description: Stored Cross-Site Scripting via Plugin Deactivation and Deletion errorsAffected Versions: WordPress Core < 6.0.2Researcher: Khalilov MoeCVE ID: PendingCVSS Score: 4.7 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NFully Patched Version: 6.0.2The final vulnerability involves the error messages displayed when a plugin has been deactivated due to an error, or when a plugin can not be deleted due to an error. As these error messages were not escaped, any JavaScript present in these error messages would execute in the browser session of an administrator visiting the plugins page. This vulnerability would require a separate malicious or vulnerable plugin or other code to be installed on the site, which would typically require an administrator to install it themselves. In almost all cases where this vulnerability might be exploitable an attacker would already have a firm foothold on the vulnerable site.Our built-in XSS rule should block any attempts to generate crafted error messages based on user input to a vulnerable plugin, and the Wordfence scanner will detect any malicious plugins uploaded by an administrator.ConclusionIn today’s article, we covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours, and any sites that remain vulnerable would only be exploitable under very specific circumstances.We have released a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting the the_meta function and this rule should become available to Wordfence free users after 30 days, on on September 29, 2022.As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.Props to Khalilov Moe, John Blackbourn, & FVD for discovering and responsibly disclosing these vulnerabilities. Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.

WordPress Core Cross Site Scripting / SQL Injection

As many as three disparate but related campaigns between March and Jun 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems.
"The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and

As many as three disparate but related campaigns between March and Jun 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems.

"The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations," Cisco Talos researcher Vanja Svajcer said in a report shared with The Hacker News.

The malicious implant in question, **ModernLoader**, is designed to provide attackers with remote control over the victim's machine, which enables the adversaries to deploy additional malware, steal sensitive information, or even ensnare the computer in a botnet.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

Infection chains discovered by the cybersecurity firm involve attempts to compromise vulnerable web applications like WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.

The first stage payload is a HTML Application (HTA) file that runs a PowerShell script hosted on the command-and-control (C2) server to initiate the deployment of intertim payloads that ultimately inject the malware using a technique called process hollowing.

Described as a simple .NET remote access trojan, ModernLoader (aka Avatar bot) is equipped with features to gather system information, execute arbitrary commands, or download and run a file from the C2 server, allowing the adversary to alter the modules in real-time.

Cisco's investigation also unearthed two earlier campaigns in March 2022 with similar modus operandi that leverage ModerLoader as the primary malware C2 communications and serve additional malware, including XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others.

"These campaigns portray an actor experimenting with different technology," Svajcer said. "The usage of ready-made tools shows that the actor understands the TTPs required for a successful malware campaign but their technical skills are not developed enough to fully develop their own tools."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wordpress