Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

The Herd Effects is the free marketing tool to set and to post popup notifications on the site. The plugin serves to increase the conversion of web resource and motivate users to perform certain actions. It demonstrates the current or fictitious activity of other visitors and creates a “sense of live queue” effect.

The Herd Effects is a simple and effective solution to increase the conversion on the site. Using a WordPress plugin for social proof will allow you to demonstrate the activity of other users to visitors of the resource. The plugin forms a “herd effect”, attracts attention and motivates to commit various actions.

**Main features**

The Herd Effects will allow you to create a simple template and use it for an administrator-defined list of variable values. Notifications are designed to motivate the user to join the actions of others. Among its features:

*   configuring a template with variables to generate popup notification;
*   set the title;
*   more than 1400+ FontAwesome 5 icons ;
*   insert custom icons;
*   specifying the list of values for text variables;
*   set the minimum and maximum numeric values;
*   set the time interval for stable output of notifications;
*   edit the display on the screens less than the specified resolution;
*   insert an alert on the site using a shortcode.

**Quick Start video**

How to use and create a new social proof notification with Herd Effects plugin for WordPress.

**Pro version**

Enhance the “herd effect” of notifications by installing the Pro version of the plugin on your website:

*   unlimited amount of the notification sets;
*   generating an unlimited amount of the notifications in each set;
*   detailed adjustment of the style of the “herd effect” elements;
*   add a border and set the degree of rounding of its corners;
*   select a position to display each notification;
*   selection of colors for the background, borders, text and icons;
*   randomize the time intervals with which the notifications appear to add more realistic effect;
*   disabling a function of notifications closing by the user and setting auto-close;
*   control of the number of notifications;
*   add animation effects when windows appear and close;
*   connect and configure the output of the link via the notification;
*   display only for a specified period of time (from and to);
*   output of “herd effect” elements for all or separate user groups;
*   set the display depending on the language of the page;
*   edit the display of notifications on all or individual pages of the site, output items through the use of exceptions, IDs and categories.
*   And more…

Preview of Pro version

Buy Pro version

**Can be used for**

*   notification about registration on the site;
*   notifications with information on the purchase of goods;
*   informing visitors of the page about the ordering of the service by other users;
*   notifications about the installation of the application or program;
*   demonstration of the activity of users on the web resource;
*   notifications about subscription to the event of the company;
*   notifications about the mention of the resource in social networks;
*   informing users about real activity on the site and much more.

**Use with other plugins to maximize your results**

*   Popup Box – new WordPress popup plugin
*   Counter Box – powerful creator of counters, timers and countdowns
*   Button Generator – easily Button Builder
*   Herd Effects – fake notifications and social proof plugin
*   Floating Button
*   Side Menu Lite – add sticky fixed buttons
*   Sticky Buttons – floating buttons builder
*   Bubble Menu – circle floating menu
*   Float menu – awesome floating side menu
*   Modal Window – create modal window
*   Wow Skype Buttons
*   Border Menu
*   Slide Menu

**Support**

Search for answers and ask your questions at support center

**Screenshots**

**Installation**

*   Installation option 1: Find and install this plugin in the Plugins -> Add new section of your wp-admin
*   Installation option 2: Download the zip file, then upload the plugin via the wp-admin in the Plugins -> Add new section. Or unzip the archive and upload the folder to the plugins directory /wp-content/plugins/ via ftp
*   Press Activate when you have installed the plugin via dashboard or press Activate in the in the Plugins list
*   Go to Wow Herd Effects section that will appear in your main menu on the left
*   Click Add new to create your first set of notifications
*   Enter title that will appear in the notifications
*   Choose the icon that will appear in the notifications.
*   If you want a custom icon, tick Custom, upload your image via Media – Add new, then insert the link to your image. Recommended icon size is 60×60 pixels.
*   Construct your notifications template in the Text field.
*   Enter the values for your \[name\] and \[city\] variables. You can get the list of names and cities here. Note that you can use these variables for any kind of content, not just names and citites. Just enter any values you want and the plugin will randomly pick the values to be displayed in the notifications. Do not create new lines in the list of your variable, or the notifications will not work! Just enter the values, separated by comma.
*   Enter the minimum and maximum values of the Amount, if you are using it.
*   Click Save
*   Copy and paste the shortcode, such as \[Wow-Herd-Effects id=1\] to where you want the notifications to appear.
*   If you want the notifications to appear everywhere on your site, you can insert it in your header.php, like this: <?php echo do_shortcode('[Wow-Herd-Effects id=1]');?>
*   If you want to insert the shortcode into a widget, use this plugin

**Reviews**

Easy to use. No problems so far. Thanks for an amazing plugin.

Didn't work properly for me using the shortcode on one of my templates and it wasn't worth trying to fix it because the plugin is very restricted in the free version. Can't style it at all so you're left with a plain black look which is nothing but a distraction that looks very fake. Scarily I was putting it on my checkout page and recon this would have scared visitors off rather than pushed them towards the sale.

Why take the time and trouble to lie to those visiting your website when you could use a plugin to help? Herd Effects capitalizes on the emotional and brings out the worst in humanity to increase traffic to your website.

Steve August 31, 2020

This plugin works exactly as specified. It's the easiest to use of all plugins like this. The developer is extremely responsive and support is fantastic. I highly recommend using this plugin for your Herd Effects needs.

I installed and configured the plugin and it unconfigured all the banners on my homepage both on the desktop and on the mobile. Beautiful crap.

Read all 15 reviews

**Contributors & Developers**

“Herd Effects – fake notifications and social proof plugin” is open source software. The following people have contributed to this plugin.

Contributors

*    Wow-Company

**Changelog****5.2.1**

*   Fixed: security issue

**5.2**

*   Added: Export/Import functions
*   Fixed: minor bug

**5.1.3**

*   Fixed: minor bug

**5.1.2**

*   Fixed: minor bug

**5.1.1**

*   Fixed: script download queue

**5.1**

*   Updated: Font Awesome Icons to version 5.14
*   Fixed: minor bugs

**5.0.2**

*   Fixed: include script in footer

**5.0.1**

*   Fixed: custom image

**5.0**

*   Added: Live preview
*   Added: test mode option
*   Added: Unit for location
*   Updated: Admin style
*   Update: Font Awesome Icon to v. 5.12

**4.1**

*   Fixed: display of notification

**4.0.1**

*   Fixed: option ‘Show every (sec)’

**4.0**

*   Added: option for disabling FontAwesome 5 from front-end
*   Added: Content style options
*   Added: Title style options
*   Added: Icon style options
*   Added: Close button size option
*   Changed: Admin Style
*   Optimized: Styles and Scripts (minification and response time reduction)
*   Updated: FontAwesome 5
*   Fixed: Control on the devices

**3.1.3**

*   Fixed: Insert the shortcode

**3.1.2**

*   Fixed: Rounding the amount

**3.1.1**

*   Fixed: minor bugs
*   Fixed: main class

**3.1**

*   Fixed: minor bugs
*   Added: Support page
*   Added: Discount page

**3.0**

*   Added: function hiding menu on mobile
*   Changed: admin style
*   Changed: Up to 3 notifications

**2.3**

*   Fixed: minor bugs.
*   Change: Admin style.

**2.2**

*   Add: Interval display option.
*   Change: Admin style.

**2.1**

*   Fix: Can enter ‘Name’ and ‘City’ in new line.
*   Fix: Verifying access to the folder ‘asset’.
*   Fix: Optimized code.

**2.0**

*   Fixed code
*   Change style

**1.0**

*   Initial release

CVE-2022-29448: Herd Effects – fake notifications and social proof plugin

Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari's Image Hover Effects Ultimate plugin <= 9.7.1 at WordPress.

**image-hover-effects-ultimate**

**Software**

**Image Hover Effects Ultimate**

**Vulnerable Versions**

**<= 9.7.1**

**Fixed in version**

**9.7.2**

**CVE**

**CVE-2022-29424**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-05-04**

**CVSS 3.0 score**

**Requires high role user authentication like admin.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Image Hover Effects Ultimate plugin (versions <= 9.7.1).**

**Solution**

**Update the WordPress Image Hover Effects Ultimate plugin to the latest available version (at least 9.7.2).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29424: WordPress Image Hover Effects Ultimate plugin <= 9.7.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

CVE-2021-36833: MC4WP: Mailchimp for WordPress

Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Checkout Files Upload for WooCommerce plugin lets your customers upload files on (or after) WooCommerce checkout.

**Features**

Set field’s **position** on WooCommerce checkout page:

*   Before checkout form.
*   After checkout form.
*   Do not add on checkout.

Set if file upload **is required**.

If you need files to be uploaded after order is created, you can optionally add field to:

*   WooCommerce **Thank You** (i.e. **Order Received**) page.
*   WooCommerce **My Account** page.

Add custom **label** to the field.

Set **accepted file types**.

Set custom Upload and Remove **button labels**.

Set **custom messages**:

*   “Wrong file type”.
*   “Wrong image dimensions” and “Couldn’t get image dimensions”.
*   “File is required”.
*   “File was successfully uploaded”.
*   “No file selected”.
*   “File was successfully removed”.

Optionally set field to show up only if in cart there are selected:

*   **Products**.
*   **Product categories**.
*   **Product tags**.

Add uploaded files to admin and customers **emails**.

Send **additional emails** if user uploads or removes files on “Thank You” or “My Account” pages.

**Customize** the frontend files upload form.

Optionally enable **AJAX form** for file uploads.

Set **max file size** option.

Optionally **validate image dimensions**.

**Feedback**

*   We are open to your suggestions and feedback. Thank you for using or trying out one of our plugins!
*   Drop us a line at www.wpwham.com.

**More**

*   Visit the Checkout Files Upload for WooCommerce plugin page.

1.  Upload the entire plugin folder to the /wp-content/plugins/ directory.
2.  Activate the plugin through the “Plugins” menu in WordPress.
3.  Start by visiting plugin settings at “WooCommerce > Settings > Checkout Files Upload”.

This plugin it might be very helpful if, for some reason, you have to let customers upload files during the checkout.

The free version of this plugin is just brilliant! The UI is very easy to understand, making it pretty straightforward to configure. We needed to have an upload field on the Checkout so customers could attach a PDF file. The file can be included as an actual email attachment, and not just a link. It also has the ability to include the upload field conditionally, meaning you can link it to a specific product on the backend, and it will just show if that product is in cart. I have tested multiple checkout upload plugins over the last few months. This is HANDS DOWN the BEST plugin of its kind on the market.

The free version of the plugin does much more than other paid plugins do. So many possibilities for customisation.

I have been facing a problem from three days on order at checkout file upload attachment not showing in mail .it was working fine before. kindly help me . https://fastprintamman.com/ palce a order and on check out there is file upload that attachment not showing in admin mail

Is it possible to set MINIMUM dimensions for both height and width? Also, the progress meter doesn't seem to actually reflect the upload progress... It just jumps to 100% almost immediately...

Read all 10 reviews

“Checkout Files Upload for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    WP Wham

**2.1.3 – 2022-05-10**

*   FIX: escape filenames on order confirmation/thank you pages.

**2.1.2 – 2021-12-23**

*   FIX: potential XSS vulnerability (thanks to Vlad at Patchstack).
*   FIX: minor display bug in settings due to WooCommerce update.

**2.1.1 – 2021-09-16**

*   UPDATE: PHP 8 now officially supported.
*   UPDATE: updated .pot file for translations.

**2.1.0 – 2021-04-15**

*   NEW: added more options to “validate image dimensions” setting: “greater than or equal”, and “less than or equal”.
*   NEW: added button to delete file attachments on admin “edit order” page. (If you don’t want the ability to delete files, you can use the filter wpwham_checkout_files_upload_allow_admin_delete_files to disable it).
*   FIX: check if server’s temporary directory is writeable. If not, display an error message. (Solves an issue with 0-byte files being uploaded).
*   FIX: bug where sometimes 0-byte files were attached to order emails.
*   UPDATE: for text labels/notices, made it possible for a translated string to take precedence over stored settings. (Previously it was the other way around. This should now make things easier if you use a translation plugin like LocoTranslate, Polylang, etc).
*   UPDATE: performance improvement — load our admin assets only when needed.
*   UPDATE: updated .pot file for translations.

**2.0.4 – 2021-01-12**

*   FIX: clean output buffer before downloads (solves conflict with some 3rd-party plugins which interfere with the output buffer, causing downloads to appear as empty or corrupt).

**2.0.3 – 2020-09-17**

*   UPDATE: display our settings in WC status report.

**2.0.2 – 2020-08-21**

*   FIX: upload button translation issue (removed old label settings, added new ones).
*   UPDATE: updated .pot file for translations.

**2.0.1 – 2020-06-17**

*   FIX: issue with upload button not working in certain themes.
*   FIX: user permissions issue incorrectly preventing downloading of images from the WP admin side.
*   FIX: JS typo.

**2.0.0 – 2020-06-11**

*   NEW: **Breaking Change** the Form (simple) template has been removed, and Form (AJAX) is now the standard template. Form (AJAX) has been the default since v1.4.0 (2018-08-25), so for most people this change will have no effect. However, if you were using Form (simple), or if you had customized either template, please double check your settings to make sure things look correct. Or, you can reset the settings to get a fresh start.
*   NEW: **Breaking Change** in template settings, the variable %field_html% which previously contained BOTH the field html AND the upload button itself, has been split into separate variables %field_html% and %button_html%. Your template settings will be updated automatically to reflect this.
*   NEW: image thumbnails will be shown by default. The image feature has existed since v1.4.0 (2018-08-25), but some people didn’t realize this and/or didn’t know they needed to add %image% into the template to enable it. Now %image% is included in the template by default. If you don’t want this, simply edit your template settings and remove the %image% variable.
*   NEW: show spinner when processing, and prevent checkout form submission before upload is completed.
*   UPDATE: change the way we handle sessions — only start them when needed, not on every page load.
*   UPDATE: extensive code refactoring.
*   UPDATE: updated some styling and text. For example, progress bars (if enabled) are now green.
*   UPDATE: updated .pot file for translations.

**1.5.4 – 2020-01-14**

*   UPDATE: add new filters ‘wpw\_checkout\_files\_upload\_form\_html’ and ‘wpw\_checkout\_files\_upload\_form\_ajax\_html’.
*   UPDATE: wrap checkout page file upload controls in

<

div>.

**1.5.3 – 2019-11-22**

*   UPDATE: bump tested versions

**1.5.2 – 2019-11-15**

*   UPDATE: bump tested versions

**1.5.1 – 2019-09-12**

*   UPDATE: bump tested upto versions

**1.5.0 – 2018-10-08**

*   FIX: php notice
*   UPDATE: updated .pot file for translations

**1.4.5 – 2018-10-01**

*   Dev – [alg_wc_cfu_translate] shortcode added and do_shortcode() is now applied to each file’s “Labels”.

**1.4.4 – 2018-09-13**

*   Dev – Emails – “Additional Emails Options” subsection added.
*   Dev – “Raw” input is now allowed in all textarea admin settings fields.
*   Dev – Code refactoring – “Reset” function re-written.
*   Dev – Code refactoring – custom_number_checkout_files_upload settings type removed.
*   Dev – “Your settings have been saved” admin notice added.

**1.4.3 – 2018-09-10**

*   Dev – “Author URI” updated.

**1.4.2 – 2018-09-10**

*   Dev – “Contributors” updated.

**1.4.1 – 2018-08-27**

*   Fix – %image% in AJAX form fixed on “Thank you” and “My Account” pages.
*   Dev – “Validate image dimensions” options added for each file.
*   Dev – Minor code refactoring.
*   Dev – Minor admin settings restyling.

**1.4.0 – 2018-08-25**

*   Fix – User file download fixed on “Thank you” and “My Account” pages.
*   Dev – %image% replaced value added.
*   Dev – “AJAX form” now is enabled (yes) in settings by default.
*   Dev – Code refactoring.
*   Dev – Minor admin settings restyling.
*   Dev – Plugin URI updated.

**1.3.0 – 2018-06-09**

*   Fix – Case insensitive comparison of the “Accepted file types” options.
*   Fix – Default values fixed for all get_option() calls.
*   Dev – “AJAX form” options added.
*   Dev – “Max file size” options added.
*   Dev – Filter rewritten.
*   Dev – Admin settings – “Reset settings” section added.
*   Dev – Admin settings – Files settings added as separate sections.
*   Dev – Admin settings – Minor changes: restyling; select option type changed to wc-enhanced-select; settings array saved as main class property.

**1.2.0 – 2017-05-10**

*   Fix – Call to undefined function is_shop_manager() error fixed.
*   Dev – WooCommerce v3.x.x compatibility – Order ID – using function instead of accessing property directly.
*   Dev – load_plugin_textdomain moved to constructor from init hook.
*   Dev – Plugin link changed from http://coder.fm to https://wpcodefactory.com.

**1.1.1 – 2016-12-07**

*   Dev – alg_current_filter_priority() modified for compatibility with WordPress since v4.7.
*   Dev – Language (POT) file updated.
*   Dev – Checking for Pro modified.

**1.1.0 – 2016-11-28**

*   Dev – “Form Template Options” settings section added.
*   Dev – Language (POT) file added.
*   Dev – “Emails Options” settings moved to separate section.

**1.0.0 – 2016-09-05**

*   Initial Release.

CVE-2022-29425: Checkout Files Upload for WooCommerce

Users urged to update systems amid reports of active exploitation

Users urged to update systems amid reports of active exploitation

A critical vulnerability present among 90,000-plus active installations of the Jupiter WordPress theme allows for the takeover of target websites.

Although attackers must be authenticated to exploit the privilege escalation flaw, which has a CVSS score of 9.9, they only need to do so as a subscriber or customer. For websites that allow users to self-register, this offers little protection against potential attacks.

The bug, along with another, high severity vulnerability and a trio of medium severity flaws, has been patched by the theme’s developer, ArtBees, according to a blog post published on Wednesday (May 18) by Wordfence.

Read more of the latest WordPress security news

In a blog post published on Wednesday, ‘Plugin Vulnerabilities’ claimed to have seen evidence that hackers were already probing for vulnerable installations, and that some websites had likely already been hacked. 

**Bug breakdown**

The privilege escalation bug (CVE-2022-1654), which affects the Jupiter theme and JupiterX Core plugin, resides in the function.

Because vulnerable versions register AJAX actions but fail to perform capability or (cryptographic) nonce checks, “any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to ,” explained Wordfence researcher Ram Gall, who uncovered the flaws.

“This calls the function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner”.

Moreover, “the same functionality can also be accessed by sending an AJAX request with the action parameter set to ”.

The high severity issue (CVSS score 8.1), an authenticated path traversal and local file inclusion issue, “could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site”.

Tracked as CVE-2022-1657, the vulnerability affects the JupiterX and Jupiter themes.

The medium severity trio includes a pair of insufficient access control issues leading to authenticated arbitrary plugin deactivation, with one also leading to settings modification (CVE-2022-1656) and the other tracked as CVE-2022-1658. The third poses an information disclosure and modification, plus Denial of Service (DoS), issue (CVE-2022-1659).

**Updates**

Wordfence notified ArtBees of all but one of the flaws on April 5, 2022, and partially patched versions were released on April 28.

ArtBees was alerted to the final vulnerability on May 3 and released comprehensively patched versions on May 10.

The issues have been addressed in Jupiter Theme version 6.10.2, JupiterX theme version 2.0.7, and JupiterX Core version 2.0.8.

RECOMMENDED WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

WordPress theme Jupiter patches critical privilege escalation flaw

Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress.

**opal-hotel-room-booking**

**Software**

**Opal Hotel Room Booking**

**Vulnerable Versions**

**<= 1.2.7**

**Fixed in version**

**CVE**

**CVE-2022-29449**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-05-17**

**CVSS 3.0 score**

**Requires contributor or higher role user authentication.**

**Plugin does not exist, is not supported or discontinued.**

**Are your websites subject to this vulnerability?**

**Details**

**Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Opal Hotel Room Booking plugin (versions <= 1.2.7).**

**Solution**

**Deactivate and delete. No reply from the vendor.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29449: WordPress Opal Hotel Room Booking plugin <= 1.2.7 - Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress.

**counter-box**

**Software**

**Counter Box**

**Vulnerable Versions**

**<= 1.1.1**

**Fixed in version**

**1.2**

**CVE**

**CVE-2022-29446**

**References**

**Credits**

**Classification**

**Local File Inclusion**

**OWASP Top 10**

**A1: Injection**

**Disclosure Date**

**2022-05-16**

**CVSS 3.0 score**

**Requires high role user authentication like admin.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Local File Inclusion (LFI) vulnerability discovered by 0xB9 (Patchstack Alliance) in WordPress Counter Box plugin (versions <= 1.1.1).**

**Solution**

**Update the WordPress Counter Box plugin to the latest available version (at least 1.2).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29446: WordPress Counter Box plugin <= 1.1.1 - Authenticated Local File Inclusion (LFI) vulnerability - Patchstack

Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

A critical privilege escalation flaw found in two themes used by more than 90,000 WordPress sites can allow threat actors to take over the sites completely, researchers have found.

WordFence Threat Intelligence Team researcher Ramuel Gall discovered the flaw, one of five vulnerabilities he found between early April and early May in the Jupiter and JupiterX Premium WordPress themes, he revealed in a blog post published Wednesday.

One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS–allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.  

Affected versions of the themes are: Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2.0.7 or earlier.

WordFence finished their investigation of most of flaws on April 5 and reported them to the Jupiter and JupiterX theme developer ArtBees on the same day; on May 3 they notified the developer of an additional Jupiter theme flaw. By May 10, the developed had released updated versions of both the Jupiter and JupiterX themes that had patched all the flaws.

****Critical Vulnerability****

The critical flaw found resides in a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled. However, it “has the additional effect of elevating the user calling the function to an administrator role,” Gall wrote. In the Jupiter theme, the function is found in the theme itself; in JupiterX, it’s present in the JupiterX Core plugin.

“Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks,” he wrote.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb\_uninstall\_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, which effectively reinstalls the site with the currently logged-in user as the new site owner, Gall explained.

On a site where a vulnerable version of the JupiterX Core plugin is installed, someone can access the same functionality by sending an AJAX request with the action parameter set to jupiterx\_core\_cp\_uninstall\_template, he said.

****Other Vulnerabilities****

WordPress plugins, often developed by third-party developers, are notoriously buggy. Previous flaws found in plugins for the popular website-creation and -hosting platform also have allowed for site takeover, as well as enabled WordPress subscribers to totally wipe sites not belonging to them, or attackers to forge emails to subscribers.

Of the other flaws that Gall discovered, three—tracked as CVE-2022-1656, CVE-2022-1658 and CVE-2022-1659–are rated as medium risk and one, CVE-2022-1657 is rated as high risk.

The high-risk flaw, which affects JupiterX Theme 2.0.6 or earlier and Jupiter Theme 6.10.1 or earlier, can allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, Gall explained. This can be done by including and executing files from any location on the site.

“Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion,” Gall explained.

In the JupiterX theme, this can be done by using the jupiterx\_cp\_load\_pane\_action AJAX action present in the lib/admin/control-panel/control-panel.php file to call the load\_control\_panel\_pane function. “It is possible to use this action to include any local PHP file via the slug parameter,” Gall wrote.

The Jupiter theme has a nearly identical vulnerability, which an attacker can exploit via the mka\_cp\_load\_pane\_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka\_cp\_load\_pane\_action function, he said.

Wordfence researchers recommend that anyone using the affected themes updated to the patched versions immediately. The company released a firewall rule to protect Wordfence Premium, Wordfence Care and Wordfence Response customers on April 5, and free Wordfence users on May 4.

Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover

Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via &orderby vulnerable parameter.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Code Snippets is an easy, clean and simple way to run code snippets on your site. It removes the need to add custom snippets to your theme’s functions.php file.

A snippet is a small chunk of PHP code that you can use to extend the functionality of a WordPress-powered website; essentially a mini-plugin with less load on your site.  
Most snippet-hosting sites tell you to add snippet code to your active theme’s functions.php file, which can get rather long and messy after a while.  
Code Snippets changes that by providing a GUI interface for adding snippets and **actually running them on your site** just as if they were in your theme’s functions.php file.

Code Snippets provides graphical interface, similar to the Plugins menu, for managing snippets. Snippets can be activated and deactivated, just like plugins. The snippet editor includes fields for a name, a visual editor-enabled description, tags to allow you to categorize snippets, and a full-featured code editor. Snippets can be exported for transfer to another site, either in JSON for later importing by the Code Snippets plugin, or in PHP for creating your own plugin or theme.

If you have any feedback, issues, or suggestions for improvements please leave a topic in the Support Forum, or join the community on Facebook.

If you like this plugin, or it is useful to you in some way, please consider reviewing it on WordPress.org.

If you’d like to contribute to the plugin’s code or translate it into another language, you can fork the plugin on GitHub.

**Translations**

Code Snippets can be used in these different languages thanks to the following translators:

*   Belarusian – Hrank.com
*   Brazilian Portuguese – Bruno Borges
*   Chinese – Jincheng Shan and 诗语
*   Chinese (Taiwan) – Alex Lion and Chun-Chih Cheng
*   Croatian – Borisa Djuraskovic from Web Hosting Hub
*   Czech – Lukáš Tesař and Jakub Humpolec
*   Danish – Finn Sommer Jensen
*   Dutch – Sander Spies, Peter Smits and mother.of.code.a11n
*   English (New Zealand) and English (UK) – webaware
*   English (South Africa) – webaware and Ian Barnes
*   French – momo-fr, Didier Demory, Cyrille Sanson and Shea Bunge
*   French (Canada) – Dominic Desbiens
*   German – Mario Siegmann, Joerg Knoerchen, David Decker and Andreas
*   Greek – Konstantinos Megas and Toni Bishop from Jrop
*   Indonesian – Jordan Silaen from ChameleonJohn.com
*   Italian – Usman Wagan, Luisa Ravelli and ElectricFeet
*   Japanese – mt8, Takakazu Nagaya, Naoko Takano and melvas
*   Persian – Mohammad Novintanon
*   Russian – Alexander Samsonov, Yui, Denis Yanchevskiy and krioteh
*   Slovak – Ján Fajčák
*   Spanish (Colombia) and Spanish (Ecuador) – Javier Esteban
*   Spanish (Spain) – Ibidem Group, Javier Esteban, Fernando Tellado and Juanma Aranda
*   Spanish (Venezuela) – Yordan Soares
*   Swedish – Argentum, Fredrik and Tor-Bjorn Fjellner
*   Urdu – Samuel Badree
*   Vietnamese – Tuan Phan

**Automatic installation**

1.  Log into your WordPress admin
2.  Click **Plugins**
3.  Click **Add New**
4.  Search for **Code Snippets**
5.  Click **Install Now** under “Code Snippets”
6.  Activate the plugin

**Manual installation**

1.  Download the plugin
2.  Extract the contents of the zip file
3.  Upload the contents of the zip file to the wp-content/plugins/ folder of your WordPress installation
4.  Activate the Code Snippets plugin from ‘Plugins’ page.

Network Activating Code Snippets through the Network Dashboard will enable a special interface for running snippets across the entire network.

A full list of our Frequently Asked Questions can be found at help.codesnippets.pro.

**How can I recover my site if it is crashed by a buggy snippet?**

You can recover your site by enabling the Code Snippets safe mode feature. Instructions for how to turn it on are available here: https://help.codesnippets.pro/article/12-safe-mode.

**Will I lose my snippets if I change the theme or upgrade WordPress?**

No, the snippets are stored in the WordPress database, independent of the theme and unaffected by WordPress upgrades.

**Can the plugin be completely uninstalled?**

If you enable the ‘Complete Uninstall’ option on the plugin settings page, Code Snippets will clean up all of its data when deleted through the WordPress ‘Plugins’ menu. This includes all stored snippets. If you would like to preserve the snippets, ensure they are exported first.

**Can I copy snippets that I have created to another WordPress site?**

Yes! You can individually export a single snippet using the link below the snippet name on the ‘Manage Snippets’ page or bulk export multiple snippets using the ‘Bulk Actions’ feature. Snippets can later be imported using the ‘Import Snippets’ page by uploading the export file.

**Can I export my snippets to PHP for a site where I’m not using the Code Snippets plugin?**

Yes. Click the checkboxes next to the snippets you want to export, and then choose **Export to PHP** from the Bulk Actions menu and click Apply. The generated PHP file will contain the exported snippets’ code, as well as their name and description in comments.

**Can I run network-wide snippets on a multisite installation?**

You can run snippets across an entire multisite network by **Network Activating** Code Snippets through the Network Dashboard. You can also activate Code Snippets just on the main site, and then individually on other sites of your choice.

**Where are the snippets stored in my WordPress database?**

Snippets are stored in the wp_snippets table in the WordPress database. The table name may differ depending on what your table prefix is set to.

**Where can I go for help or suggest new features?**

You can get help with Code Snippets, report bugs or errors, and suggest new features and improvements either on the WordPress Support Forums or on GitHub

**How can I help contribute to the development of the Code Snippets plugin?**

The best way to do this is to fork the repository on GitHub and send a pull request.

Works perfectly, and safely

Un plugin sencillo, efectivo y limpio. Gracias.

Hi, Firstly it works very well as it is expected. The only thing I did’nt find is how register a new label. As I write a new label it is not registered Thanks a lot for the job

I've been using this plugin for years and I really like its features. Yes, you can disable your site very easily by injecting PHP code, but that is not the fault of the plugin; with great power comes great responsibility.

Read all 366 reviews

“Code Snippets” is open source software. The following people have contributed to this plugin.

Contributors

**3.1.0 (17 May 2022)**

*   Fixed: Caching inconsistencies preventing snippets and settings from refreshing on sites with persistent object caching.
*   Improved: Simplified database queries.
*   Added: More comprehensive cache coverage, including for active snippets.
*   Added: Icon to ‘Go Pro’ button indicating it opens an external tab.
*   Improved: Allow display styles in snippet descriptions.

**3.0.1 (14 May 2022)**

*   Fixed: Incompatibility issue with earlier versions of PHP.

**3.0.0 (14 May 2022)**

**Added**

*   Added: HTML content snippets for displaying as shortcodes or including in the page head or footer area.
*   Added: Notice reminding users to upgrade unsupported PHP versions.
*   Added: Visual settings to add attributes to shortcodes.
*   Added: Shortcode buttons to the post and page content editors.
*   Added: Basic REST API endpoints.
*   Added: Snippet type column to the snippets table.
*   Added: Snippet type badges to Edit and Add New Snippet pages.
*   Added: Setting to control whether the current line of the code editor is highlighted.
*   Added: Display a warning when saving a snippet with missing title or code.
*   Added: Add suffix to title of cloned snippets.

**Changed**

*   Improved: Updated plugin code to use namespaces, preventing name collisions with other plugins.
*   Improved: Added key for the ‘active’ and ‘scope’ database table columns to speed up queries.
*   Improved: Redirect from edit menu if not editing a valid snippet.
*   Improved: Moved activation switch into its own table column.
*   Improved: Updated code documentation according to WordPress standards.
*   Improved: Added snippet type labels to the tabs on the Snippets page.
*   Improved: Split settings page into tabs.
*   Improved: Use the version of CodeMirror included with WordPress where possible to inherit the additional built-in features.
*   Improved: Added hover effect to priority settings in the snippets table to show that they are editable.
*   Fixed: Snippets table layout on smaller screens.

**Deprecated**

*   Removed: Deprecated functions and compatibility code for unsupported PHP versions.
*   Removed: Option to disable snippet scopes.

**New in Pro**

*   Added: CSS style snippets for the site front-end and admin area.
*   Added: JavaScript snippets for the site head and body area on the front-end.
*   Added: Browser cache versioning for CSS and JavaScript snippets.
*   Added: Support for exporting and downloading CSS and JavaScript snippets.
*   Added: Support for highlighting code on the front-end.
*   Added: Editor syntax highlighting for CSS, JavaScript and HTML snippets.
*   Added: Button to preview full file when editing CSS or JavaScript snippets.
*   Added: Option to minify CSS and JavaScript snippets.
*   Added: Gutenberg editor block for displaying content snippets.
*   Added: Gutenberg editor block for displaying snippet source code.
*   Added: Elementor widget for displaying content snippets.
*   Added: Elementor widget for displaying snippet source code.

**2.14.6 (13 May 2022)**

*   Fixed: Issue with processing uploaded import files.
*   Fixed: Issue with processing tag filters.

**2.14.5 (10 May 2022)**

*   Fixed: Incompatibility issue with older versions of PHP.

**2.14.4 (5 May 2022)**

*   Fixed: Prevent array key errors when loading the snippet table with unknown order values.

**2.14.3 (10 Dec 2021)**

*   Fixed: Potential security issue outputting snippets-safe-mode query variable value as-is. Thanks to Krzysztof Zając for reporting.

**2.14.2 (9 Sep 2021)**

*   Fixed: Prevent network snippets table from being created on single-site installs.
*   Added translations:
    *   Spanish by Ibidem Group
    *   Urdu by Samuel Badree
    *   Greek by Toni Bishop from Jrop
*   Added: Support for :class syntax to the code validator.
*   Added: PHP8 support to the code linter.
*   Added: Color picker feature to the code editor.
*   Added: Failsafe to prevent multiple versions of Code Snippets from running simultaneously.

**2.14.1 (10 Mar 2021)**

*   Added: Czech translation by Lukáš Tesař.
*   Fixed: Code validator now supports function_exists and class_exists checks.
*   Fixed: Code validator now supports anonymous functions.
*   Fixed: Issue with saving the hidden columns setting.
*   Fixed: Replaced the outdated tag-it library with tagger for powering the snippet tags editor.
*   Added: Code direction setting for RTL users.
*   Updated CodeMirror to version 5.59.4.
*   Added: Additional action hooks and search API thanks to @Spreeuw.

**2.14.0 (26 Jan 2020)**

*   Updated CodeMirror to version 5.50.2.
*   Added: Basic error checking for duplicate functions and classes.
*   Updated Italian translations to fix display issues – thanks to Francesco Marino.
*   Fixed: Ordering snippets in the table by name will now be case-insensitive.
*   Added: Additional API options for retrieving snippets.
*   Fixed: Code editor will now properly highlight embedded HTML, CSS and JavaScript code.
*   Changed the indicator color for inactive snippets from red to grey.
*   Fixed a bug preventing the editor theme from being set to default.
*   Added: Store the time and date when each snippet was last modified.
*   Added: Basic error checking when activating snippets.
*   Fixed: Ensure that imported snippets are always inactive.
*   Fixed: Check the referer on the import menu to prevent CSRF attacks. Thanks to Chloe with the Wordfence Threat Intelligence team for reporting.
*   Fixed: Ensure that individual snippet action links use proper verification.

**2.13.3 (13 Mar 2019)**

*   Added: Hover effect to activation switches.
*   Added: Additional save buttons above snippet editor.
*   Added: List save keyboard shortcuts to the help tooltip.
*   Added: Change “no items found” message when search filters match nothing.
*   Fixed: Calling deprecated code in database upgrade process.
*   Fixed: Include snippet priority in export files.
*   Fixed: Use Unix newlines in code export file.
*   Updated CodeMirror to version 5.44.0.
*   Fixed: Correctly register snippet tables with WordPress to prevent database repair errors \[#\]
*   Fixed: CodeMirror indentation settings being applied incorrectly

**2.13.2 (25 Jan 2019)**

*   Removed potentially problematic cursor position saving feature

**2.13.1 (22 Jan 2019)**

*   Added: Add menu buttons to settings page for compact menu
*   Updated: French translation updated thanks to momo-fr
*   Fixed: Split code editor and tag editor scripts into their own files to prevent dependency errors
*   Fixed: Handling of single-use shared network snippets
*   Fixed: Minor translation template issues
*   Added: Help tooltop to snippet editor for keyboard shortcuts, thanks to Michael DeWitt
*   Improved: Added button for executing single-use snippets to snippets table
*   Added: Sample snippet for ordering snippets table by name by default
*   Updated CodeMirror to version 5.43.0

**2.13.0 (17 Dec 2018)**

*   Added: Search/replace functionality to the snippet editor. See here for a list of keyboard shortcuts. \[#\]
*   Updated CodeMirror to version 5.42.0
*   Added: Option to make admin menu more compact
*   Fixed: Problem clearing recently active snippet list
*   Improved: Integration between plugin and the CodeMirror library, to prevent collisions
*   Improved: Added additional styles to editor settings preview
*   Added: PHP linter to code editor
*   Improved: Use external scripts instead of inline scripts
*   Fixed: Missing functionality for ‘Auto Close Brackets’ and ‘Highlight Selection Matches’ settings

**2.12.1 (15 Nov 2018)**

*   Improved: CodeMirror updated to version 5.41.0
*   Improved: Attempt to create database columns that might be missing after a table upgrade
*   Improved: Streamlined upgrade process
*   Fixed: Interface layout on sites using right-to-left languages
*   Improved: Made search box appear at top of page on mobile \[#\]
*   Updated screenshots

**2.12.0 (23 Sep 2018)**

*   Fixed: Prevented hidden columns setting from reverting to default
*   Improved: Updated import page to improve usability
*   Improved: Added Import button next to page title on manage page
*   Improved: Added coloured banner indicating whether a snippet is active when editing
*   Update CodeMirror to 5.40.0

**2.11.0 (24 Jul 2018)**

*   Added: Ability to assign a priority to snippets, to determine the order in which they are executed
*   Improvement: The editor cursor position will be preserved when saving a snippet
*   Added: Pressing Ctrl/Cmd + S while writing a snippet will save it
*   Added: Shadow opening PHP tag above the code editor
*   Improved: Updated the message shown when there are no snippets
*   Added: Install sample snippets when the plugin is installed
*   Improved: Show all available tags when selecting the tag field
*   Added: Filter hook for controlling the default list table view
*   Added: Action for cloning snippets

**The full changelog is available on GitHub**

CVE-2022-25617: Code Snippets

Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress.

**popup-box**

**Software**

**Popup Box**

**Vulnerable Versions**

**<= 2.1.2**

**Fixed in version**

**2.2**

**CVE**

**CVE-2022-29445**

**References**

**Credits**

**Classification**

**Local File Inclusion**

**OWASP Top 10**

**A1: Injection**

**Disclosure Date**

**2022-05-16**

**CVSS 3.0 score**

**Requires high role user authentication like admin.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Local File Inclusion (LFI) vulnerability discovered by 0xB9 (Patchstack Alliance) in WordPress Popup Box plugin (versions <= 2.1.2).**

**Solution**

**Update the WordPress Popup Box plugin to the latest available version (at least 2.2).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

Tag

#wordpress