Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND plugin <= 0.2.27 at WordPress allows unauthenticated post update/create/delete.

**Solution**

Update the WordPress ActiveDEMAND plugin to the latest available version (at least 0.2.28).

Nguyen Anh Tien discovered and reported this Broken Authentication vulnerability in WordPress ActiveDEMAND Plugin. This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website. This vulnerability has been fixed in version 0.2.28.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-36296: WordPress ActiveDEMAND plugin <= 0.2.27 - Broken Authentication vulnerability - Patchstack

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

This plugin provides 3 blocks.

*   ActiveDEMAND - Story board
*   ActiveDEMAND - Dynamic Content Block
*   ActiveDEMAND - Web Form

Active Demand plugin works great. Easy to insert short codes and tracks prospects really great. Support is very good too. Quick response time and very helpful.

I spent months researching providers and only one fit all of our requirements, ActiveDemand. We signed up and found the system to be pleasantly usable compared to the alternatives. On top of that, every time I have reached out with a question, they have been incredibly responsive and informative. I can't say enough good things about the software, but the service is what really makes their company world-class. Thanks ActiveDemand!

This give full control over the form styling and is very easy to use as a short code! Integration was painless!

I love how easy this was. Implementation was simple. The short code makes adding forms unbelievably easy.

I'd been using ActiveDEMAND before the WordPress plugin became available and it's a great marketing automation platform. The integration into WordPress was "okay". It worked and was manageable. However, with the ActiveDEMAND WordPress plugin it is simply awesome. Really easy to use. I can drop in forms easily with a shortcode and everything automatically ties into my ActiveDEMAND lead database as well as all my dashboard reporting.

Read all 6 reviews

“ActiveDEMAND” is open source software. The following people have contributed to this plugin.

Contributors

*    jumpdemand

CVE-2022-36296: ActiveDEMAND

WordPress Ecwid Ecommerce Shopping Cart plugin versions 6.10.23 and below suffer from a cross site request forgery vulnerability.

Description: Cross-Site Request Forgery to Settings/Options Update

Affected Plugin: Ecwid Ecommerce Shopping Cart

Plugin Slug: ecwid-shopping-cart

Affected Versions: <= 6.10.23

CVE ID: CVE-2022-2432

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researcher/s: Marco Wotschka

Fully Patched Version: 6.10.24

Ecwid Ecommerce Shopping Cart is a plugin offered by Lightspeed that allows site owners to set up an eCommerce store on a WordPress website and then sync it across various services such as Amazon and social media. It also offers ad integration and access to marketing tools. As part of the plugin’s functionality, there were some more advanced settings that could be managed. Unfortunately, this was implemented insecurely making it possible for attackers to update these settings via a forged request.

More specifically, the plugin provides the following admin_post action hooked to the ‘ecwid_update_plugin_params‘ function for that purpose:

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgGRrW4wJp7s4LR8_8W5GZxc55cBM_qW8hSV9n7QFM8MW16sCxG5h4mMrW8RWrLm7fnSqrW70Vz_q4PPYx1W6cGQ985xBh94W4KV7Yy3dzXV8W8bTSFR1sB2J5N60tSb8sMfWmW3Qhxq480ZZDvW6qNFsM4YqZm2W47Fl6f537-gRW8G9Mq25QpGZZW2B_hWM7ZNSZrW8jJ9gf8MSG0pW3c2FG27vDxqyW24KmsZ1HxD3TW6BS5rM4h9TL_W4My4sZ2R5dngW7nrf8C81zMWXW1bBRCq4lYLdfW5Wd9gF2rjpt7W2b9RlV7CGYQ8W4sgGCX98nMgqW1FPwLN10ndByW6yw5YW7rm4RLW1l8_qC5kZvHYW5kyvmH8qjwnbW6cS_Sd2f9WPjM-RF9H50XrYW6d-cP13xx9gWW8Jr_cw26btsNW30S0Xr6gZ41G36ft1 )

An initial check in the ‘ecwid_update_plugin_params‘ function ensures that the current user is allowed to manage site options, which is a capability that belongs to administrators. However, the nonce check performed shortly after is only executed if a nonce is set due to how the function uses && to combine the checks to validate that a nonce is present in the request and to verify that the nonce is valid. This means that if the wp-nonce parameter is not supplied in the request, the verification step is skipped. This makes the functionality susceptible to Cross-Site Request Forgery attacks in vulnerable versions.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgK04W67C43l5f9PlsW1vTzZ291zXDyW7lwxqt5S_SqhW8qMCLs5Vs8hTMlVtTSW5m53W8jPcbS3cs9wpW6xWDF_2xbLMZN7RfvGrn4vjHVXqXzJ3XzQ-1W3SsZJk5qWZY5W7tNvtn7z-pFSW2T45NG8qgmVjW4mZN5T8CCQR4W4X-xkp3MRyMBW8bQV2l1QmfF2W1N6yKt2SKNJxV9hRB01Dr8M4N4LKmRgHfRR-N5f00LN8JsxlVQCRGg9b5QQgVm1Wrc2NkSRpN22l9qWLg4rRW20bJdN7F1XgdN36zDyK1TZzNW6Fk9mV1Y1vkJW7zJyHY4w7XrNW6YPJyL4yxX2PW6qVHnh960fF3W8yZq6C8Nfqr_VkfJpP34G9dBW7J4NVS8plYskN1tn7-6tGsPRW3vNTQ14zxQXMW2gFKwm8yhK853nT51 )

This makes it possible for an attacker to change the ecwid_store_id, which uniquely identifies the store and is needed for support requests as well as for embedding the store on other sites. Another site option that could be modified is the site’s ecwid_store_page_id, which is the storefront page in the WordPress installation. Both of these settings may result in a loss of availability of the storefront if changed to an invalid store ID. There are several other settings that could be affected in addition to those two. The plugin does not provide a direct link to the settings page in any of its menus and a warning on the page suggests that modifying these settings may significantly affect the plugin functionality.

The Importance of Properly Implementing Nonces

Nonces are a critical component used to prevent Cross-Site Request Forgery vulnerabilities. As such, it’s important to ensure they are properly implemented throughout plugin and theme code to prevent unauthorized execution of that code. Fortunately, WordPress provides several mechanisms to create and validate proper nonces.

Nonce Creation

The first step to proper nonce implementation is nonce creation.

One option to properly implement nonce creation involves the wp_nonce_url() function. This function expects a target URL as well as an action and an optional nonce name. The nonce will be added to a URL and can be verified by a nonce validation function that is executed in the same or subsequent function. This makes it possible for developers to provide links to perform actions such as deletion of posts with a proper nonce that allows the code to verify that the action was initiated from within the site as opposed to a click on a link elsewhere, such as in an email.

An additional option is adding a nonce to a form to secure any submissions originating from that form. The function wp_nonce_field() is frequently used in these cases and expects an action string. This will add a hidden input field to the form. Upon form submission, the created nonce can be checked and verified.

Finally, a nonce can also be generated using wp_create_nonce(), which accepts an action string argument and returns just a nonce. This can be implemented in a variety of different ways and allows more flexibility as a developer to implement nonce validation. We frequently see this function contained in HTML on setting pages that is later used to validate the origin of the request when saving those settings.

Remember that nonces are specific to individual users and sessions and are invalidated after 24 hours, or on logout.

Nonce Validation

The second step to proper nonce implementation involves nonce verification. A plugin can implement an appropriate nonce on a form or settings update, but without proper validation of that nonce, there won’t be adequate protection.

The first option to properly validate a nonce involves the use of the check_admin_referer() function. This function accepts the protected action as well as the name of the nonce as an argument and checks the nonce as well as the referer, thus helping to ensure that the nonce provided is correct and that the request was initiated from an admin page.

When implementing an AJAX action, the check_ajax_referer() function can be used. This will verify the nonce but will not check the referer like the check_admin_referer() function does although it will validate that the request is an AJAX request.

A final option for validating a nonce is the more general wp_verify_nonce() function. With this function, an action and nonce name will need to be supplied, and it will verify that the proper nonce was set. This provides the most flexible implementation of nonce validation for developers.

In the case of today’s disclosure, the nonce was created on the settings form itself with wp_create_nonce():

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgF42W98C5CQ5NDR3nN58bq_96Ch4zW3GRvs_6bwRX5W3tsvrb2ShCghW3x06W68pRQH9W3Dg71b6v1HrYN1qR5fbY2lRlW1k5j_14xFFJHW7X-WLl1rqWk4W2Xtb8w2ZQV1fW60H5QG1l9dtQW4FrrX83gDD31W6PL9cT6F_6LvW370m6b2hcXrhW87SST67k_CFgW5-p6J61CRPtqW41Q3yy1ZncNXW3tf7LN7M0RtnVB_kYq1ywQZZW5nCmTg91v6g7W7d0m-m6FkNhhW7ZJZnp8SNnfqW8slWGB5dKbwfW6hRPqV27VwPwN6VYg76H73KcW5RSHN32P4qKzW87nrK28tmgf3W9kClqb5c9kpxW4sNhxd6ZtC1NW4W6S6N4tX1hSW8VG37Z822PTvW3vQSg86XJbffMW8y1Kj7SkzW8qWmSB1p6tWz33Jt1 )

As you can see, this statement will call wp_verify_nonce() but only if the nonce is set due to the if (isset($_POST['wp-nonce']) check and the use of && in combination with the wp_verify_nonce() function. Therefore, if the nonce is omitted, this check will not take place.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgYDJW4r9V7C4zvxxJW8nbMdr8F-cRDW2rwyLJ1CP2WHW4J-5Pl31WzP1W6DVyjb8Z3jqdN4stQLdG_ZkNW4mglnq1G8sRNW5mXcDc3VtGGNW4FY3bS3VJv8bW81wTgx9bFbTPV1C4Hj2mqjn2W34wsp890BqJ4W3mYsyR7j1ZmkW3N5y145YdY3JW1y9Jw7794yXvN8-B_JcFVNZ3W7qmWfy4_SYqlW8phV2n20Y2n1VY28TM2d1DnBVmThSG3kLmm9W3w1Qb8274pyfW3DMgQT1d69drW1Z_vwR8tNJ00W5VhJ9W1WWjw5V21_7j12XCNfW4nmmL65HjtPhW6bzWt73Vyc5XW49_SzN8D05kRW1p_M0l1RcrzgN5kXSx6thPmgW6kq5wb8y9lv7W2wb9d72F0qKFW6RJdQV89RNSpN1_lhTsk65Q51P1 )

This serves as an important reminder to not only properly implement nonces and validation checks but also to ensure that the check fails when the nonce value is empty or otherwise not present.

As a final important note: never rely on nonce checks alone. Developers should always remember to include a capability check using a function like current_user_can() in order to ensure the user initiating the action is indeed allowed to perform it. Nonces should never be used for authentication, authorization or any form of access control as they are simply intended to verify the origin of the request, and do not perform any authorization.

Timeline

June 24, 2022 – Initial outreach to the plugin developer.

July 11, 2022 – We escalate the issue to the WordPress.org plugins team and send them the full disclosure details.

July 13, 2022 – The vulnerability is patched in version 6.10.24.

Conclusion

In today’s post, we covered a vulnerability in the Ecwid Ecommerce Shopping Cart plugin that could be used to trick site administrators into updating plugin settings due to improper nonce verification. The vulnerability was patched by ensuring that a proper nonce was set and by verifying it.

Please remember that due to the nature of Cross-Site Request Forgery vulnerabilities, it is not possible to provide adequate protection via the Wordfence firewall without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Ecwid Ecommerce Shopping Cart as soon as possible.

WordPress Ecwid Ecommerce Shopping Cart 6.10.23 Cross Site Request Forgery

WordPress Testimonial Slider and Showcase plugin version 2.2.6 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Testimonial Slider and Showcase" 2.2.6# Date: 05/08/2022# Exploit Author: saitamang , yunaranyancat , amd_syad# Vendor Homepage: wordpress# Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/# Version: 2.2.6# Tested on: Centos 7 apache2 + MySQLWordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the postpayload --> test"/><img/src=""/onerror=alert(document.cookie)>The draft post can be viewed using Admin account and XSS will be triggered.

WordPress Testimonial Slider And Showcase 2.2.6 Cross Site Scripting

WordPress Duplicator plugin versions 1.4.6 and below suffer from a backup disclosure vulnerability.

    # Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download# Google Dork: N/A# Date: 07.27.2022# Exploit Author: SecuriTrust# Vendor Homepage: https://snapcreek.com/# Software Link: https://wordpress.org/plugins/duplicator/# Version: < 1.4.7# Tested on: Linux, Windows# CVE : CVE-2022-2551# Reference: https://securitrust.fr# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551#Product:WordPress Plugin Duplicator < 1.4.7#Vulnerability:1-It allows an attacker to download the backup file.#Proof-Of-Concept:1-Backup download.The backup file can be downloaded using the "is_daws" parameter.http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

WordPress Duplicator 1.4.6 Backup Disclosure

WordPress Duplicator plugin versions 1.4.7 and below suffer from an information disclosure vulnerability.

    # Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure# Google Dork: N/A# Date: 07.27.2022# Exploit Author: SecuriTrust# Vendor Homepage: https://snapcreek.com/# Software Link: https://wordpress.org/plugins/duplicator/# Version: <= 1.4.7# Tested on: Linux, Windows# CVE : CVE-2022-2552# Reference: https://securitrust.fr# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552#Product:WordPress Plugin Duplicator <= 1.4.7#Vulnerability:1-Some system information may be disclosure.#Proof-Of-Concept:1-System information.Some system information is obtained using the "view" parameter.http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

WordPress Duplicator 1.4.7 Information Disclosure

WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.

    # Exploit Title: WordPress Plugin ‘SeatReg’  - Unauthenticated OpenRedirect# Date: 01-08-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/seatreg/# Version: 1.23.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Description:*An Open Redirection is a vulnerability when a web application or serveruses an unvalidated user-submitted link to redirect the user to a givenwebsite or page.*#Example of Burp Request *```POST /wp-admin/admin-post.php HTTP/1.1Host: website.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0)Gecko/20100101 Firefox/103.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://website.comContent-Type: application/x-www-form-urlencodedContent-Length: 185Origin: https://website.comConnection: closeCookie: {cookies_here}Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: NavigateSec-Fetch-Site: same-originnew-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&*_wp_http_referer=https://evil.com<https://evil.com>*&submit=Create+new+registration```*#PoC Image:*https://ibb.co/tCZWH0Hhttps://ibb.co/5kh299z

WordPress SeatReg 1.23.0 Open Redirect

Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin <= 1.0.1 at WordPress.

 Verified

 Not fixed

**3.4**

CVSS 3.1 score Low severity

Monitoring Coming soon

Software

Enable SVG, WebP & ICO Upload

PSID 

0a0bab4baa5d

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires author or higher role user authentication.

Publicly disclosed

2022-08-01

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability via malicious SVG file upload discovered by Kim Jong Min aka Universe (Patchstack Alliance) in WordPress Enable SVG, WebP & ICO Upload plugin (versions <= 1.0.1).

**Solution**

No patched version available.

**References**

CVE-2022-36343: WordPress Enable SVG, WebP & ICO Upload plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (author or higher user role) Arbitrary File Upload vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin <= 1.0.1 at WordPress.

 Verified

 Not fixed

**7.2**

CVSS 3.1 score High severity

Monitoring Coming soon

Software

Enable SVG, WebP & ICO Upload

PSID 

9e1794b8627d

Classification 

Arbitrary File Upload

OWASP Top 10 

A1: Injection

Required privilege 

Requires author or higher role user authentication.

Publicly disclosed

2022-08-01

**Details**

Authenticated Arbitrary File Upload vulnerability discovered by Kim Jong Min aka Universe (Patchstack Alliance) in WordPress Enable SVG, WebP & ICO Upload plugin (versions <= 1.0.1).

**Solution**

No patched version available.

**References**

CVE-2022-34154: WordPress Enable SVG, WebP & ICO Upload   plugin <= 1.0.1 - Authenticated Arbitrary File Upload vulnerability - Patchstack

The Login with phone number WordPress plugin through 1.3.7 do not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Tag

#wordpress