The MailPress WordPress plugin through 7.2.1 does not have CSRF checks in various places, which could allow attackers to make a logged in admin change the settings, purge log files and more via CSRF attacks

CVE-2022-1843

The OpenBook Book Data WordPress plugin through 3.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well

CVE-2022-1842

In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not been yet approved.

    # Exploit Title: WordPress User Photo Component Remote File Upload Vulnerability
    # Google Dork: inurl:"/wp-content/uploads/userphoto/"
    # Date: 17/FEB/2011
    # Author: ADVtools
    # Software Link: http://wordpress.org/extend/plugins/user-photo/
    # Version: 0.9.4
    # Tested on: *nix , Windows
    
    I. Product Description
    
    User Photo is a WordPress component that allows a user to associate a photo with her account and for this photo to be displayed in  posts and comments.
    
    
    II. Vulnerability description
    
    When a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not been yet approved.
    
    
    III. Analysis
    
    1. Image type validation
    
    When a file is uploaded, its type is validated. Only the following types are accepted:
    
           $userphoto_validtypes = array(
                   "image/jpeg" => true,
                   "image/pjpeg" => true,
                   "image/gif" => true,
                   "image/png" => true,
                   "image/x-png" => true
           );
    
    The type is validated by the following code:
    
           if(@!$userphoto_validtypes[$_FILES['userphoto_image_file']['type']])
                   $error = sprintf(__("The uploaded file type &ldquo;%s&rdquo; is not allowed.", 'user-photo'), $_FILES['userphoto_image_file']['type']);
    
    This code verifies the MIME type of the uploaded file. A navigator infers the MIME type from the file itself or from its extension but it is possible to intercept the HTTP request and change it (using a proxy such as WebScarab). This way, any file can be uploaded as if it were an image. The HTTP header to change is Content-type:
    
    Content-type: image/gif
    
    2. Image resizing
    
    When a photo (an image) is uploaded, its size is checked. If it is too big, it is resized. To avoid this resizing, the uploaded file has to look like a small image. The verification of the size of the image is done with code such as:
    
           $imageinfo = getimagesize($tmppath);
    
    In the case of GIF, this PHP function simply looks at the beginning of the GIF header and extracts the size of the image. A GIF header starts with:
    
    Offset   Length   Contents
     0      3 bytes  "GIF"
     3      3 bytes  "87a" or "89a"
     6      2 bytes  <Logical screen width in little-endian byte order>
     8      2 bytes  <Logical screen height in little-endian byte order>
    
    getimagesize ignores the remaining of the binary data. It is thus easy to create a file that looks like a small GIF image but that is in fact something else.
    
    3. PHP file
    
    A PHP file can contain binary data. This data are reflected on the output steam without interpretation. Only data between <?php and ?> are interpreted as PHP code (see http://www.php.net/manual/en/language.basic-syntax.phpmode.php). Using this characteristic and the previous point, it is thus possible to construct a file that looks like a small GIF image but that is in fact a PHP file. For example (in hexadecimal):
    
           47 49 46 38 39 61 14 00 14 00 3C 3F 70 68 70 20 70 68 70 69 6E 66 6F 28 29 3B 20 3F 3E
    
    This file is recognized as a GIF image with a width and a height of 20 pixels and also as a PHP file containing a call to phpinfo(). Using the same technic, it is possible to upload a backdoor.
    
    4. Uploading
    
    Once uploaded, the PHP file is always located at the same place:
    
           wp-content/uploads/userphoto/alice.php
    
    where alice is the login name (nickname) of the user uploading the file.
    
    Important: This file is present even if it has not yet been approved by the moderator.
    
    5. Limitation
    
    Since the PHP file begins with a fake GIF header, this header will be output for every response. In practice, this is not really a problem: it can be simply ignored (in the case of a backdoor outputting HTML) or manually removed (in the case of the downloading of file). In some cases (for example when images are dynamically returned), a backdoor has to be slightly modified to avoid outputting two GIF headers.
    
    6. Special case
    
    In some installations, PHP files are interpreted as Unicode (16 bits). Since the beginning of the GIF header is 16-bit aligned, it is not an issue. The PHP code has to be written in Unicode.
    
    7. Other concerns
    
    This component contains also a XSS vulnerability located in the same lines of code.
    
    
    IV. Versions affected
    
    Version 0.9.4 (latest version as of January 2011).
    
    Other versions were not tested.
    
    
    V. Impact
    
    The exact impact depends of the configuration of the web server and of the operating system:
    
    - In the worst case, if Apache is running as root or as an Administrator, the server is compromised (owned).
    
    - If the Apache server is running as a dedicated low privilege user, the backdoor will have limited access. Most of the time, the backdoor will have read access but no write access except in very specific places. To compromise the server, another vulnerability is necessary (escalation).
    
    
    VI. Proof of concept / Exploit
    
    See part III and attachment.
    
    
    VII. Mitigation, Workaround and fix
    
    The hardening of the web server will limit the impact.
    
    
    VIII. Disclosure time-line
    
    2010.07      First researches, vulnerability discovered
    2011.01.24   Proof of concept
    2011.01.27   Vendor notified
    2011.02.17   Public disclosure
    
    
    IX. References
    
    Graphics Interchange Format
    http://en.wikipedia.org/wiki/Graphics_Interchange_Format
    
    GIF specification
    http://www.w3.org/Graphics/GIF/spec-gif89a.txt
    
    PHP Escaping from HTML
    http://www.php.net/manual/en/language.basic-syntax.phpmode.php
    
    Passing Malicious PHP Through getimagesize()
    http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
    
    PHP Exploit Code in a GIF
    http://isc2.sans.org/diary.html?storyid=2997

CVE-2013-1916: Offensive Security’s Exploit Database Archive

A vulnerability classified as problematic has been found in WP-SpamFree Anti-Spam Plugin 2.1.1.4. This affects an unknown part. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:02:45 +0100  

\------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress
Plugin
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree
Anti-Spam WordPress plugin. This vulnerability allows an attacker to
perform any action with the privileges of the target user. The affected
code is not protected with an anti-Cross-Site Request Forgery token.
Consequently, it can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement).

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0026

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the WP-SpamFree Anti-Spam WordPress
Plugin version 2.1.1.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_scripting\_vulnerability\_in\_wp\_spamfree\_anti\_spam\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20096: Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin

A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:04:52 +0100  

\------------------------------------------------------------------------
Simple Ads Manager WordPress plugin unauthenticated PHP Object injection
vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Simple Ads Manager
WordPress plugin. The unauthenticated PHP Object injection vulnerability
can be used by an unautenthicated user to instantiate arbitrary PHP
Objects. This issue can potentially result in arbitrary code execution,
but this has not been confirmed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0041

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the Simple Ads Manager WordPress
plugin version 2.9.8.125.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/simple\_ads\_manager\_wordpress\_plugin\_unauthenticated\_php\_object\_injection\_vulnerability.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Simple Ads Manager WordPress plugin unauthenticated PHP Object injection vulnerability** _Summer of Pwnage (Feb 28)_

CVE-2017-20095: Simple Ads Manager WordPress plugin unauthenticated PHP Object injection vulnerability

A vulnerability, which was classified as problematic, has been found in NewStatPress Plugin 1.2.4. This issue affects some unknown processing. The manipulation leads to basic cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 1.2.5 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:05:22 +0100  

\------------------------------------------------------------------------
Persistent Cross-Site Scripting in the WordPress NewStatPress plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WordPress NewStatPress plugin. By using this vulnerability an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the relevant
application content.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0030

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress NewStatPress plugin
version 1.2.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in NewStatPress version 1.2.5. This
version can be download from the NewStatPress GitHub account:
https://github.com/lechab/newstatpress#125

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent\_cross\_site\_scripting\_in\_the\_wordpress\_newstatpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Persistent Cross-Site Scripting in the WordPress NewStatPress plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20094: Persistent Cross-Site Scripting in the WordPress NewStatPress plugin

A vulnerability, which was classified as problematic, was found in Download Manager Plugin 2.8.99. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:07:14 +0100  

\------------------------------------------------------------------------
Cross-Site Request Forgery in WordPress Download Manager Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been found in the
WordPress Download Manager Plugin. By using this vulnerability an
attacker can change confidential settings of the plugin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Download Manager version
2.8.99.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_request\_forgery\_in\_wordpress\_download\_manager\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Request Forgery in WordPress Download Manager Plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20093: Cross-Site Request Forgery in WordPress Download Manager Plugin

A vulnerability was found in WP-Filebase Download Manager Plugin 3.4.4. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:01:18 +0100  

\------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-Filebase Download Manager
WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WP-Filebase
Download Manager WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0019

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP-Filebase Download Manager
WordPress Plugin version 3.4.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_scripting\_vulnerability\_in\_wp\_filebase\_download\_manager\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Scripting vulnerability in WP-Filebase Download Manager WordPress Plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20097: Cross-Site Scripting vulnerability in WP-Filebase Download Manager WordPress Plugin

Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua.

Hey All,

Been awhile, like usual :)

We will be talking about a CVE related to firmware running on one of these devices in this blog. Other devices by Algo running identical firmware seem impacted as well.

I am here today to write about a vulnerability I recently discovered during a security assessment and how it spawned into my first CVE. Getting a CVE to my name is something I’ve wanted to accomplish for several years. I got close a few times, and once I even found what I thought was a “Zero day” in a Fortinet Firewall just to find out it was reported and patched just weeks before I found it. So close!

While I will be transparent in saying that this vulnerability is far from the most mind blowing or exciting vulnerability in recent times. I will also say I’m proud to have reported it through the CVE reporting process and was reserved CVE-2022–31395 by doing so. The final step in locking the CVE in is to point MITRE to a publication about the vulnerability. As you can maybe imagine, that is a large part of why I am writing this article. I did attempt to contact the manufacture to ask if they knew about this vulnerability. They simply told me the firmware in question was outdated and to update it. That however didn’t tell me if this was a known vulnerability so I asked if they had any specific CVE’s known to exist against the outdated firmware version I was working with. They said they did not have that information so I moved on to reporting to MITRE. As I sent the details to MITRE I was like:

I just want a CVE with my name on it!!!

I didn’t hear anything for several days from MITRE so I pinged them for an updated and was told they are experiencing a high volume of reported CVE’s and are working through them in a priority order. A few weeks passed and finally I saw a glorious email arrive. It stated that I should use CVE-2022–31395 to craft a public reference for the vulnerability in question, at which point the CVE should be official and no longer just “reserved”.

Without further ado… I present to you the Directory Traversal vulnerability I found and reported. The vulnerability affects at least: **ALGO COMMUNICATION PRODUCTS LTD 8373 IP Zone Paging Adapter Control Panel, Firmware 1.7.6**. Other ALGO products containing the same firmware likely contain the same vulnerability as I have also confirmed the **1.7.6 Firmware on Algos’ “8201 SIP PoE Intercom Control Panel”** contains the same vulnerability). I have not yet confirmed if other, newer firmwares are vulnerable at this time. In addition, the support team at Algo said the best way to know would be to update to their newest firmware and try the attack again. However, I do not have administrative privileges to this device as it belongs to a client of mine, so I am not able to update it and will have to wait if to see if my client decides to do so. I will report back if I find that newer versions are impacted.

Lets’ get into some of the details about this vulnerability! First, it is worth noting that this is an authenticated attack. The part of the application that is vulnerable is only accessible once authenticated. These devices appear to come pre-configured with a default password of “algo” with no username. In fact, I am saved a Google search for default password when initially analyzing the interface as it’s clearly stated right in the web interface itself.

I know it’s not a secret… but it feels like a bad idea to have the default password printed next to the login feature.

Lucky for me, the device I was analyzing still had its’ default password configured so I was able to access administrative functions of this IP Zone Paging Adapter. A function that quickly stood out to me was called “File Manager” which for obvious reasons (to people in offensive security) is immediately a place I start to analyze deeper as a pentester and bug hunter.

My first move, is to attempt to download any of the files I am presented with here and to see what that HTTP request looks like using BurpSuite Professional… P.S. if you don’t use BurpSuite Pro…. well I am just sad to hear that, it’s an incredibly valuable tool and is priced super well in the lower hundreds per year ($300–400ish if I’m remembering correctly). Anyways… this is what I saw when reviewing the download request.

In this example, I’m downloading the “user.conf” file.

A natural change to attempt to make before resubmitting the request is, of course, to replace the file in the HTTP request that we want to fetch from the server with a directory traversal payload to see if we can “break out” of the file directory the application intends for us to browse and reach the “_passwd_” file in the “_/etc/_” directory of the underlying Linux OS.

Yehaw!

I was thrilled to see the output of the _passwd_ file! Next, I thought to also grab the “_shadow_” file in the same directory (/_etc/_) which should contain hashed passwords for users! It is possible for us to maybe even crack the hash(es) if we can get them from the file.

Well, this is certainly awesome. I have the hashed password for the _root_ account. This means I can possibly “jailbreak” or “root” the device if I can accomplish two things.

1.  Crack the root password with Hashcat (my preferred hash cracking tool) or another password-hash cracking tool.
2.  Find a way to execute code as root. My two theories on how to accomplish this was either to find a way to enable SSH (since it doesn’t seem to be enabled on my target at least), or to leverage the directory traversal vulnerability while UPLOADING (instead of downloading as seen above). Perhaps I could drop a web shell or drop/overwrite a config file to get me further access.

I like Hashtcat for the GPU acceleration and the “Rules” engine that modifies a given wordlist on the fly! One or two of my first blog posts on https://n0ur5blog.wordpress.com/ (my old blog) talked a whole bunch about Hashcat!

Boom — Hash cracked! Now that I see the clear-text password for the root account, I notice it matches the default password we used to log in to the web interface. I wonder if the web interface just uses whatever the root password is set to, and if changing the web interface password would change the root password. Regardless, I now have one last challenge and that is to turn this into some form of code execution via the methods I mentioned above!

As of the time of this writing I have not successfully executed code as the root user, but have confirmed I can upload files to outside the web root directory and even overwrite files already in place on the system! I am left with the following items to continue my research on this vulnerability.

*   What other hardware and/or firmware versions are vulnerable to this? I have come across some other Algo devices containing default passwords for log-in that didn’t even have the “File Manager” feature. The few I came across did have much newer firmware but also were different hardware from those that I’ve confirmed vulnerable so far. So I assume “File Manager” was either removed in newer firmware versions OR some hardware they produce simply doesn’t have or need the File Manager.
*   How can I use unrestricted file upload, combined with directory traversal to enable SSH or achieve some other form of remote code execution via ROOT. The web server seems serve “lua” files, so I assume if I can figure out the file structure/location of the web server root directory, I could possibly drop a web shell on it that would enable the remote code execution I’m looking for via web browser.
*   Testing if changing the web interface password also changes the root password by grabbing the shadow file again after changing the password to see if the hash changed. If not, we can assume a large number of Algo devices ship with the root password of “_algo_”.
*   Create a python or bash script for this exploit once I discover the full extent of the items above!

Well folks, that is all for now! Hopefully my next blog post is about another CVE I get, but if not I’m sure whatever it is will be something fun and interesting! Hope this was a fun read!

Cheers!

N0ur5

CVE-2022-31395: Achievement Unlocked: CVE-2022–31395 - N0ur5 - Medium

A vulnerability was found in File Manager Plugin 3.0.1. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Bugtraq mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:03:30 +0100  

\------------------------------------------------------------------------
Cross-Site Request Forgery in File Manager WordPress plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File
Manager WordPress Plugin. Among others, this issue can be used to upload
arbitrary PHP files to the server.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the File Manager WordPress Plugin
version 3.0.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_request\_forgery\_in\_file\_manager\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

**Current thread:**

*   **Cross-Site Request Forgery in File Manager WordPress plugin** _Summer of Pwnage (Feb 28)_

Tag

#wordpress