Authenticated (contributor or higher user role) Cross-Site Scripting (XSS) vulnerability in Nico Amarilla's BxSlider WP plugin <= 2.0.0 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of July 27, 2022 and is not available for download. This closure is temporary, pending a full review.

If you can not write in code, this plugin does not help you!

I was using the plain bxslider script on my site. When I wrote my blog in wordpress, I tried various plugins, but none exposes all the options of bxslider like this plugin. The pro version is worth it. Nico, the plugin author help me set up my site in no time.

Pretty much 90% of functionality is locked to premium version which author "forgot" to mention.

i know this is simple but not working for me..pls help me

Read all 8 reviews

“BxSlider WP” is open source software. The following people have contributed to this plugin.

Contributors

*    kosinix

CVE-2022-33943: BxSlider WP

As many as 207 websites have been infected with malicious code designed to launch a cryptocurrency miner by leveraging WebAssembly (Wasm) on the browser.
Web security company Sucuri, which published details of the campaign, said it launched an investigation after one of its clients had their computer slowed down significantly every time upon navigating to their own WordPress portal.
This

As many as 207 websites have been infected with malicious code designed to launch a cryptocurrency miner by leveraging WebAssembly (Wasm) on the browser.

Web security company Sucuri, which published details of the campaign, said it launched an investigation after one of its clients had their computer slowed down significantly every time upon navigating to their own WordPress portal.

This uncovered a compromise of a theme file to inject malicious JavaScript code from a remote server -- hxxps://wm.bmwebm\[.\]org/auto.js -- that's loaded whenever the website's page is accessed.

"Once decoded, the contents of auto.js immediately reveal the functionality of a cryptominer which starts mining when a visitor lands on the compromised site," Sucuri malware researcher Cesar Anjos said.

What's more, the deobfuscated auto.js code makes use of WebAssembly to run low-level binary code directly on the browser.

WebAssembly, which is supported by all major browsers, is a binary instruction format that offers performance improvements over JavaScript, allowing applications written in languages like C, C++, and Rust to be compiled into a low-level assembly-like language that can be directly run on the browser.

"When used in a web browser, Wasm runs in its own sandboxed execution environment," Anjos said. "As it is already compiled into an assembly format, the browser can read and execute its operations at a speed JavaScript itself can't match."

The actor-controlled domain, wm.bmwebm\[.\]org, is said to have been registered in January 2021, implying the infrastructure continued to remain active for more than 1.5 years without attracting any attention.

On top of that, the domain also comes with the ability to automatically generate JavaScript files that masquerade as seemingly harmless files or legitimate services like that of Google Ads (e.g., adservicegoogle.js, wordpresscore.js, and facebook-sdk.js) to conceal its malicious behavior.

"This functionality also makes it possible for the bad actor to inject the scripts in multiple locations on the compromised website and still maintain the appearance that injections 'belong' within the environment," Anjos noted.

This is not the first time WebAssembly's ability to run high-performance applications on web pages has raised potential security red flags.

Setting aside the fact that Wasm's binary format makes detection and analysis by conventional antivirus engines more challenging, the technique could open the door to more sophisticated browser-based attacks such as e-skimming that can fly under the radar for extended periods of time.

Complicating matters further is the lack of integrity checks for Wasm modules, effectively making it impossible to determine if an application has been tampered with.

To help illustrate the security weaknesses of WebAssembly, a 2020 study by a group of academics from the University of Stuttgart and Bundeswehr University Munich unearthed security issues that could be used to write to arbitrary memory, overwrite sensitive data, and hijack control flow.

Subsequent research published in November 2021 based on a translation of 4,469 C programs with known buffer overflow vulnerabilities to Wasm found that "compiling an existing C program to WebAssembly without additional precautions may hamper its security."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection

Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress.

 Verified

 Fixed

**7.2**

CVSS 3.1 score High severity

Monitoring Coming soon

PSID 

1c4cb2efc607

Classification 

Other Vulnerability Type

OWASP Top 10 

A5: Broken Access Control

Required privilege 

Requires high role user authentication.

Publicly disclosed

2022-07-25

**Details**

Authenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in WordPress Tabs plugin (versions <= 3.6.0).

**Solution**

Update the WordPress Tabs plugin to the latest available version (at least 3.7.0).

**References**

Changeset

CVE-2022-36375: WordPress Tabs plugin <= 3.6.0 - Authenticated WordPress Options Change vulnerability - Patchstack

Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress.

CVE-2022-33969: Changeset 2648808 – WordPress Plugin Repository

A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal.

This post is about CVE-2022–24992 which refers to vulnerability in QRCDR widely used QR-Code generator script.

****About QRCDR:****

> QRCDR is a popular PHP — JavaScript QR-Code Generator, which is widely used for creating customized QR-Code in easy steps.  
> also, it’s used by a few WordPress QR Code Generator Plugins and Mobile applications Which is not covered in this article.

Hello dear readers, it’s @n0lsec, Today I going to share with you details of the ZeroDay vulnerability which I was found in QRCDR (reported to the vendor and patched).

QRCDR— responsive QR Code generator

**Core finding**

*   QRCDR(5.2.7 and all prior versions are vulnerable ) to Directory Path Traversal Vulnerability.
*   POST parameters with _optionlogo=[payload]_ which is malicious payload sent to leads to path traversal
*   According to server security configurations, the attacker can read arbitrary sensitive server files, configurations, etc
*   An attacker can escalate path-traversal to RCE in some cases

**Mitigation**

*   Just update to the latest version, At the time i wrote this post it is Version 5.2.9

How find?  
Meanwhile working on a specific Bug Bounty program, which is called REDACTED.COM because of the information disclosure policy, I was found quite an interesting endpoint which leads customers to create customized QR-Code with extra options, I was opened browser inspector and watched to Request/Responses, so I realized part of script leads users to add a custom logo to our QR-Code which was so interesting to me,  
here I opened the browser inspector and look at what we had, there was the main file of script process.php which is in the path: /ajax/process.php intercept POST request and body parameters, optionlogo looks like below:

the script provided some predefined logos and we can select one of them and load it into our QR-Code, The key part of vulnerability is hear which maybe let us find some interesting things like Path Traversal — LFI or maybe SSRF so I decided to check.

After some work I tried Path-Traversal, I have tried the first payload without encoding or any bypass method, and I had received /etc/passwd file content with base64-encoded. So that’s it.

Because of the severity, I was sent a report immediately to the vendor and I got rewarded!

REDACTED.COM’s Base64-Decoded contents of /etc/passwd

**Report to Dev-Team**

After checking the code, found out that the script is part of the QRCDR script, so I found the Dev-Team email and sent the details of a vulnerability, they responded quickly and fixed the vulnerability after a few hours. Considering that the script is popular and widely used, I decided to write this post.

**what happened?**

I searched the internet for the QRCDR script and found the null version, so I checked the code and found that the script does not completely clear the POST value of the optionlogo parameter and uses the code directly in the QR-Code.

part of process.php file, look at line 17 which is no any kind of sanitization

as you see mergeImage() function just create image with our injected payload and when it comes to SVG format we have some Directory-Path-Traversal magic like this:

<image xlink:href=”/etc/passwd(base64-encode)” > which is brings content of any files to us! :)

**Mitigation**

The vulnerability now fixed but if you want to fix it manually should know to remove any malicious content which can help attacker to change directory in file name and directory name.

*   removing any special characters in file | directory name [. / \ ]
*   thinking about cross-platform directory traversal characters
*   after all maybe configuring server with chroot-jail, cloudflare like functionality to prevent escalation maybe good choices.even i think hackers always find their ways:)

Feel free to contact me on twitter , i would appreciate it if you send me any problem , feedback and opinion.

CVE-2022-24992: CVE-2022–24992: QRCDR ZeroDay Path Traversal Vulnerability

Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plugin <= 5.7 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

A comprehensive plugin for your WordPress visitor statistics, Track statistics for your WordPress site without depending on external services. Enable you to display how many users are online on your WordPress blog with detailed statistics, easy to install and working fine (Thousands of WordPress sites are already using it)  
When it comes to ease of use, WordPress visitor statistics comes in first, You will have a real counter and statistics plugin for your WordPress website..  
This plugin will help you to track your visitors, browsers, operating systems, visits and much more in one dashboard page..

**Basic Features**

✅ Real time statistics  
✅ visits, visitors location.  
✅ Comprehensive overview page & User-friendly interface  
✅ GeoIP location by Country  
✅ Search Engines queries from popular search engines like Google  
✅ Support for hashing IP addresses (Full GDPR)  
✅ Automatically prune the databases of old data  
✅ Automatic updates to the GeoIP database.  
✅ Fully compliant with the European GDPR guidelines.  
✅ and more

**Pro features**

✅ Online counter  
✅ Widgets to provide information to your users  
✅ Shortcodes for many different types of data.  
✅ E-mail reports of statistics  
✅ Interactive map of visitors location  
✅ GEO locations (country and city)  
✅ Recent visitors by IP  
✅ and more

**Requirements**

*   WordPress 3.8+
*   PHP 5.2+ (or 5.5+ if you use the Browscap data file)
*   MySQL 5.0.3+
*   At least 20 MB of free web space
*   At least 5 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)
*   IE9+ or any browser supporting HTML5, to access the reports

**Premium Add-ons**

Visit our website for a list of available extensions.

**Translations**

*   English
*   French
*   Russian
*   German (Formal)

**Contributing and Reporting Bugs**

WordPress visitor statistics (Histats) is being developed on GitHub, If you’re interested in contributing to plugin, Please look at Github page

**Support**

We’re happy to help. Here are a few things to do before contacting us:  
\* Have you read the \[FAQs\] (http://plugins-market.com/documentation/)  
\* Have you search the support forum for a similar issue?  
\* You can also contact us at support@plugins-market.com if you have any enquiry.

1.  Download the package.
2.  Upload the package using your plugins page > add new > upload or Extract the contents of .zip folder to wp-content/plugins/ folder
3.  Activate the Plugin via plugins page
4.  Clear your site cache (if you have any caching plugin enabled)  
    Thanks!

I am hugely disappointed at their support and the Plugins. Firstly, the Counts shown on Graphic Chart increased, for example, from 100 counts to 170 from Mexico. It is an increment of 70 visitors. However, there are No visitor logs shown on Google Analytics or Analtify. the Same thing with WordFence Traffic Logs, there's no Traffic log shows 70 visitors from Mexico. The overall count visit logs including the \* Hacking Attempt \* Search Engine Bots(from Bing, Google. etc) \* Human Visit I have tried to get help on this matter by contacting the support, but No Replies for over 10 days.

It is very accurate with its statistics, which is good because you know what to do and what not to do to keep improving your site

I don't recommend this plugin. If you try to delete it, it leaves lots of unused tables that are impossible to delete automatically contrary to what the designer says. I had to go through the cPanel to delete them. And those who are not familiar with this kind of manipulation, they can break the website.

We find the Visitor Statistics plug-in very useful, and the developers are highly responsive and efficient when it comes to technical support.

this plugin is useful and easy to use

Read all 105 reviews

“WP Visitor Statistics (Real Time Traffic)” is open source software. The following people have contributed to this plugin.

Contributors

*    osama.esh

**5.9**

1.  Bug fixes (notice)

**5.8**

1.  Bug fixes in settings page
2.  Adding new feature in the settings page (Excluding Roles from statistics)

**5.7**

1.  Bug fixes in the GEO location vars

**5.6**

1.  Bug fixes – escape data

**5.5**

1.  Bug fixes in IP execlusion page

**5.4**

1.  Bug fixes – escape data

**5.3**

1.  Bug fixes in IP exclusion ajax request

**5.2**

1.  Bug fixes in timezone

**5.1**

1.  Bug fixes in settings

**4.9**

1.  Security Bug fixes

**4.8**

1.  Security Bug fixing in ajax requests

**4.7**

1.  Bug fixing in multisite (network)

**4.6**

1.  Bug fixing in IP extension

**4.5**

1.  Bug fixing in removing plugin (remove all tables and views)

**4.4**

1.  Bug fixing in dashboard stylesheet (with non admin users)

**4.3**

1.  Bug fixing in storing URLs (Lowercase issue)

**4.2**

1.  Security Bug fixing in ajax requests – part 2

**4.1**

1.  Security Bug fixing in ajax requests reported by Mr. Krzysztof Zając

**3.18**

1.  Security Bug fixing in ajax requests reported by Mr. Krzysztof Zając

**3.18**

1.  Bug fixing in the timezone (part 2)

**3.17**

1.  Bug fixing in the timezone

**3.16**

1.  bug fixing in stylesheet

**3.15**

1.  Adding FR translation (Thanks Maxence RICHARD for your help)
2.  Bug fixing in the main statistics chart
3.  bug fixing in stylesheet

**3.14**

1.  Bug fixing “PHP Notice: Undefined variable” in functions

**3.13**

1.  Bug fixing “PHP Notice: Undefined variable” happend after the latest changes
2.  Reports enhancements

**3.12**

1.  Bug fixing “PHP Notice: Undefined variable” happend after the latest changes

**3.11**

1.  bug fixing (single quote issue) in search engines

**3.10**

1.  Urgent fixing (Database errors)

**3.9**

1.  Top bar icon + bug fixing in the plugin init file

**3.8**

1.  Security bug fixing reported by Mr. “Austin Turecek”, Sanitizing ajax request

**3.7**

1.  Bug fixing in search engines graphs

**3.6**

1.  Bug fixing in prepare statement in the reports

**3.5**

1.  Bug fixing in prepare statement

**3.4**

1.  Bug fixing in search engines query (single quote issue reported by @madmax4ever)

**3.3**

1.  Bug fixing in enqueue scripts

**3.2**

1.  Bug fixing in user roles with different site language

**3.1**

1.  Bug fixing in user roles

**2.9**

1.  Bug fixing in traffic counter after the latest updates

**2.8**

1.  Bug fixing – PHP notice

**2.7**

1.  js compression

**2.6**

1.  Css compression

**2.5**

1.  adding the ability to give access to statistics page for any user type
2.  exclude robots

**2.4**

1.  adding new subscribe message to get latest updates

**2.3**

1.  bug fixing in CSS
2.  enhancement in the plugin performance

**2.2**

1.  removing alert message

**2.1**

1.  IP addresses hashing for last 3 digits
2.  Bug fixing in default data

**1.9**

1.  we used the \[GEOPLUGIN\] web service (http://geoip-db.com) These library give us more help in identifying the city name, here is the privacy page for this service http://geoip-db.com/privacy
2.  improve reports

**1.8**

1.  fixing content reports (Traffic by title and by url)
2.  timezone is now support syncronization
3.  php 7.2 bug fixing
4.  improve reports

**1.7**

1.  Fixing undefined offset issue

**1.6**

1.  New feature, user can setup add-ons
2.  wordpress network (multisite support)

**1.5**

1.  Fix Bounce issue

**1.4**

1.  Fix total page views issue

**1.3**

1.  Fix timezone issue

**1.2**

1.  show alert if another stats plugin is enabled

**1.1**

1.  Fix schedule cron job issue

**1.0**

1.  Initial version

CVE-2022-33965: WP Visitor Statistics (Real Time Traffic)

The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

CVE-2022-2189

The Request a Quote WordPress plugin through 2.3.7 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-2239

The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

CVE-2022-2219

The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting

Tag

#wordpress