Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress.

 Verified

 Fixed

**7.2**

CVSS 3.1 score High severity

Monitoring Coming soon

PSID 

1c4cb2efc607

Classification 

Other Vulnerability Type

OWASP Top 10 

A5: Broken Access Control

Required privilege 

Requires high role user authentication.

Publicly disclosed

2022-07-25

**Details**

Authenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in WordPress Tabs plugin (versions <= 3.6.0).

**Solution**

Update the WordPress Tabs plugin to the latest available version (at least 3.7.0).

**References**

Changeset

CVE-2022-36375: WordPress Tabs plugin <= 3.6.0 - Authenticated WordPress Options Change vulnerability - Patchstack

Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress.

CVE-2022-33969: Changeset 2648808 – WordPress Plugin Repository

A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal.

This post is about CVE-2022–24992 which refers to vulnerability in QRCDR widely used QR-Code generator script.

****About QRCDR:****

> QRCDR is a popular PHP — JavaScript QR-Code Generator, which is widely used for creating customized QR-Code in easy steps.  
> also, it’s used by a few WordPress QR Code Generator Plugins and Mobile applications Which is not covered in this article.

Hello dear readers, it’s @n0lsec, Today I going to share with you details of the ZeroDay vulnerability which I was found in QRCDR (reported to the vendor and patched).

QRCDR— responsive QR Code generator

**Core finding**

*   QRCDR(5.2.7 and all prior versions are vulnerable ) to Directory Path Traversal Vulnerability.
*   POST parameters with _optionlogo=[payload]_ which is malicious payload sent to leads to path traversal
*   According to server security configurations, the attacker can read arbitrary sensitive server files, configurations, etc
*   An attacker can escalate path-traversal to RCE in some cases

**Mitigation**

*   Just update to the latest version, At the time i wrote this post it is Version 5.2.9

How find?  
Meanwhile working on a specific Bug Bounty program, which is called REDACTED.COM because of the information disclosure policy, I was found quite an interesting endpoint which leads customers to create customized QR-Code with extra options, I was opened browser inspector and watched to Request/Responses, so I realized part of script leads users to add a custom logo to our QR-Code which was so interesting to me,  
here I opened the browser inspector and look at what we had, there was the main file of script process.php which is in the path: /ajax/process.php intercept POST request and body parameters, optionlogo looks like below:

the script provided some predefined logos and we can select one of them and load it into our QR-Code, The key part of vulnerability is hear which maybe let us find some interesting things like Path Traversal — LFI or maybe SSRF so I decided to check.

After some work I tried Path-Traversal, I have tried the first payload without encoding or any bypass method, and I had received /etc/passwd file content with base64-encoded. So that’s it.

Because of the severity, I was sent a report immediately to the vendor and I got rewarded!

REDACTED.COM’s Base64-Decoded contents of /etc/passwd

**Report to Dev-Team**

After checking the code, found out that the script is part of the QRCDR script, so I found the Dev-Team email and sent the details of a vulnerability, they responded quickly and fixed the vulnerability after a few hours. Considering that the script is popular and widely used, I decided to write this post.

**what happened?**

I searched the internet for the QRCDR script and found the null version, so I checked the code and found that the script does not completely clear the POST value of the optionlogo parameter and uses the code directly in the QR-Code.

part of process.php file, look at line 17 which is no any kind of sanitization

as you see mergeImage() function just create image with our injected payload and when it comes to SVG format we have some Directory-Path-Traversal magic like this:

<image xlink:href=”/etc/passwd(base64-encode)” > which is brings content of any files to us! :)

**Mitigation**

The vulnerability now fixed but if you want to fix it manually should know to remove any malicious content which can help attacker to change directory in file name and directory name.

*   removing any special characters in file | directory name [. / \ ]
*   thinking about cross-platform directory traversal characters
*   after all maybe configuring server with chroot-jail, cloudflare like functionality to prevent escalation maybe good choices.even i think hackers always find their ways:)

Feel free to contact me on twitter , i would appreciate it if you send me any problem , feedback and opinion.

CVE-2022-24992: CVE-2022–24992: QRCDR ZeroDay Path Traversal Vulnerability

Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plugin <= 5.7 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

A comprehensive plugin for your WordPress visitor statistics, Track statistics for your WordPress site without depending on external services. Enable you to display how many users are online on your WordPress blog with detailed statistics, easy to install and working fine (Thousands of WordPress sites are already using it)  
When it comes to ease of use, WordPress visitor statistics comes in first, You will have a real counter and statistics plugin for your WordPress website..  
This plugin will help you to track your visitors, browsers, operating systems, visits and much more in one dashboard page..

**Basic Features**

✅ Real time statistics  
✅ visits, visitors location.  
✅ Comprehensive overview page & User-friendly interface  
✅ GeoIP location by Country  
✅ Search Engines queries from popular search engines like Google  
✅ Support for hashing IP addresses (Full GDPR)  
✅ Automatically prune the databases of old data  
✅ Automatic updates to the GeoIP database.  
✅ Fully compliant with the European GDPR guidelines.  
✅ and more

**Pro features**

✅ Online counter  
✅ Widgets to provide information to your users  
✅ Shortcodes for many different types of data.  
✅ E-mail reports of statistics  
✅ Interactive map of visitors location  
✅ GEO locations (country and city)  
✅ Recent visitors by IP  
✅ and more

**Requirements**

*   WordPress 3.8+
*   PHP 5.2+ (or 5.5+ if you use the Browscap data file)
*   MySQL 5.0.3+
*   At least 20 MB of free web space
*   At least 5 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)
*   IE9+ or any browser supporting HTML5, to access the reports

**Premium Add-ons**

Visit our website for a list of available extensions.

**Translations**

*   English
*   French
*   Russian
*   German (Formal)

**Contributing and Reporting Bugs**

WordPress visitor statistics (Histats) is being developed on GitHub, If you’re interested in contributing to plugin, Please look at Github page

**Support**

We’re happy to help. Here are a few things to do before contacting us:  
\* Have you read the \[FAQs\] (http://plugins-market.com/documentation/)  
\* Have you search the support forum for a similar issue?  
\* You can also contact us at support@plugins-market.com if you have any enquiry.

1.  Download the package.
2.  Upload the package using your plugins page > add new > upload or Extract the contents of .zip folder to wp-content/plugins/ folder
3.  Activate the Plugin via plugins page
4.  Clear your site cache (if you have any caching plugin enabled)  
    Thanks!

I am hugely disappointed at their support and the Plugins. Firstly, the Counts shown on Graphic Chart increased, for example, from 100 counts to 170 from Mexico. It is an increment of 70 visitors. However, there are No visitor logs shown on Google Analytics or Analtify. the Same thing with WordFence Traffic Logs, there's no Traffic log shows 70 visitors from Mexico. The overall count visit logs including the \* Hacking Attempt \* Search Engine Bots(from Bing, Google. etc) \* Human Visit I have tried to get help on this matter by contacting the support, but No Replies for over 10 days.

It is very accurate with its statistics, which is good because you know what to do and what not to do to keep improving your site

I don't recommend this plugin. If you try to delete it, it leaves lots of unused tables that are impossible to delete automatically contrary to what the designer says. I had to go through the cPanel to delete them. And those who are not familiar with this kind of manipulation, they can break the website.

We find the Visitor Statistics plug-in very useful, and the developers are highly responsive and efficient when it comes to technical support.

this plugin is useful and easy to use

Read all 105 reviews

“WP Visitor Statistics (Real Time Traffic)” is open source software. The following people have contributed to this plugin.

Contributors

*    osama.esh

**5.9**

1.  Bug fixes (notice)

**5.8**

1.  Bug fixes in settings page
2.  Adding new feature in the settings page (Excluding Roles from statistics)

**5.7**

1.  Bug fixes in the GEO location vars

**5.6**

1.  Bug fixes – escape data

**5.5**

1.  Bug fixes in IP execlusion page

**5.4**

1.  Bug fixes – escape data

**5.3**

1.  Bug fixes in IP exclusion ajax request

**5.2**

1.  Bug fixes in timezone

**5.1**

1.  Bug fixes in settings

**4.9**

1.  Security Bug fixes

**4.8**

1.  Security Bug fixing in ajax requests

**4.7**

1.  Bug fixing in multisite (network)

**4.6**

1.  Bug fixing in IP extension

**4.5**

1.  Bug fixing in removing plugin (remove all tables and views)

**4.4**

1.  Bug fixing in dashboard stylesheet (with non admin users)

**4.3**

1.  Bug fixing in storing URLs (Lowercase issue)

**4.2**

1.  Security Bug fixing in ajax requests – part 2

**4.1**

1.  Security Bug fixing in ajax requests reported by Mr. Krzysztof Zając

**3.18**

1.  Security Bug fixing in ajax requests reported by Mr. Krzysztof Zając

**3.18**

1.  Bug fixing in the timezone (part 2)

**3.17**

1.  Bug fixing in the timezone

**3.16**

1.  bug fixing in stylesheet

**3.15**

1.  Adding FR translation (Thanks Maxence RICHARD for your help)
2.  Bug fixing in the main statistics chart
3.  bug fixing in stylesheet

**3.14**

1.  Bug fixing “PHP Notice: Undefined variable” in functions

**3.13**

1.  Bug fixing “PHP Notice: Undefined variable” happend after the latest changes
2.  Reports enhancements

**3.12**

1.  Bug fixing “PHP Notice: Undefined variable” happend after the latest changes

**3.11**

1.  bug fixing (single quote issue) in search engines

**3.10**

1.  Urgent fixing (Database errors)

**3.9**

1.  Top bar icon + bug fixing in the plugin init file

**3.8**

1.  Security bug fixing reported by Mr. “Austin Turecek”, Sanitizing ajax request

**3.7**

1.  Bug fixing in search engines graphs

**3.6**

1.  Bug fixing in prepare statement in the reports

**3.5**

1.  Bug fixing in prepare statement

**3.4**

1.  Bug fixing in search engines query (single quote issue reported by @madmax4ever)

**3.3**

1.  Bug fixing in enqueue scripts

**3.2**

1.  Bug fixing in user roles with different site language

**3.1**

1.  Bug fixing in user roles

**2.9**

1.  Bug fixing in traffic counter after the latest updates

**2.8**

1.  Bug fixing – PHP notice

**2.7**

1.  js compression

**2.6**

1.  Css compression

**2.5**

1.  adding the ability to give access to statistics page for any user type
2.  exclude robots

**2.4**

1.  adding new subscribe message to get latest updates

**2.3**

1.  bug fixing in CSS
2.  enhancement in the plugin performance

**2.2**

1.  removing alert message

**2.1**

1.  IP addresses hashing for last 3 digits
2.  Bug fixing in default data

**1.9**

1.  we used the \[GEOPLUGIN\] web service (http://geoip-db.com) These library give us more help in identifying the city name, here is the privacy page for this service http://geoip-db.com/privacy
2.  improve reports

**1.8**

1.  fixing content reports (Traffic by title and by url)
2.  timezone is now support syncronization
3.  php 7.2 bug fixing
4.  improve reports

**1.7**

1.  Fixing undefined offset issue

**1.6**

1.  New feature, user can setup add-ons
2.  wordpress network (multisite support)

**1.5**

1.  Fix Bounce issue

**1.4**

1.  Fix total page views issue

**1.3**

1.  Fix timezone issue

**1.2**

1.  show alert if another stats plugin is enabled

**1.1**

1.  Fix schedule cron job issue

**1.0**

1.  Initial version

CVE-2022-33965: WP Visitor Statistics (Real Time Traffic)

The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

CVE-2022-2189

The Request a Quote WordPress plugin through 2.3.7 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-2239

The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

CVE-2022-2219

The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting

CVE-2022-2115

The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well

CVE-2022-2072

The Name Directory WordPress plugin before 1.25.4 does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them.

Tag

#wordpress