CVE-2022-1912: settings.php in smartsoftbutton-widget-de-botones-de-chat/trunk/admin/pages – WordPress Plugin Repository
The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
<?php

/**
 * @package SmartsoftButton\Admin
 */

/**
 * -------------------------------------
 * CLASSES AND VARIABLES USED BY THE PAGE
 * -------------------------------------
 */

// Instance of the class that handles the logic (extends SmartsoftButton_Options)
global $smartsoftbutton_admin;

// Options for the channel links
$channels_data = $smartsoftbutton_admin->get_links_data_channels();

// Option holding the values for configuration from AgenteChat
$config_agentechat_value = $smartsoftbutton_admin->get_config_agentechat_value();
$config_agentechat_info  = SmartsoftButton_Utils::convert_array_to_json_string($config_agentechat_value);

// Other options with additional information
$additional_info = $smartsoftbutton_admin->get_additional_info_values();

?>
<?php
// Header for the admin page
echo $smartsoftbutton_admin->content_head();

?>

<?php
// *** TEST PRINTS: (comment out when the plugin is ready) ***
echo "<div>";
//echo "<p>HELLO I am the page settings.php</p>";
/*
echo "<p>" . "INIT OPTIONS" . "</p>";
echo "<p>" . print_r($smartsoftbutton_admin->get_options_custom()) . "</p>";

echo "<p>" . "INIT OPTIONS VARS" . "</p>";
echo "<p>" . print_r($channels_data) . "</p>";
echo "<p>" . print_r($config_agentechat_value) . "</p>";
echo "<p>" . print_r($config_agentechat_info) . "</p>";
echo "<p>" . print_r($additional_info) . "</p>";*/

/*
echo "<p>" . "SERVER" . "</p>";
echo "<p>" . var_dump($_SERVER) . "</p>"; */
/*
echo "<p>" . "REQUEST" . "</p>";
echo "<p>" . var_dump(filter_input(INPUT_SERVER, 'REQUEST_METHOD')) . "</p>"; */
/*
echo "<p>" . "ACTION FILTER POST" . "</p>";
echo "<p>" . var_dump(filter_input(INPUT_POST, 'action')) . "</p>"; */

echo "</div>";
?>

<?php
/**
 * -------------------------------------
 * PROCESS POST actions (before rendering the page)
 * -------------------------------------
 */

$method = filter_input(INPUT_SERVER, 'REQUEST_METHOD');

// NOTE: is_admin() only tells whether this is a wp-admin request; no nonce is
// verified and no capability is checked before the options are written below.
if ($method == 'POST' && is_admin()) {
    /*
    echo "<p>" . "POST VALUES" . "</p>";
    echo "<p>" . var_dump(filter_input_array(INPUT_POST)) . "</p>"; */

    $action_clicked = filter_input(INPUT_POST, 'action');
    $form_name      = filter_input(INPUT_POST, 'form-name');

    switch ($action_clicked) {
        case "salvaropciones1":

            $params_prefix     = array('param-link-', 'param-label-', 'param-message-', 'param-display-');
            $new_channels_data = array();

            foreach (SmartsoftButton_Constants::$KEYS_CHANNELS as $key_value) {
                $new_channels_data[$key_value]['id']      = filter_input(INPUT_POST, $params_prefix[0] . $key_value);
                $new_channels_data[$key_value]['name']    = filter_input(INPUT_POST, $params_prefix[1] . $key_value);
                $new_channels_data[$key_value]['message'] = filter_input(INPUT_POST, $params_prefix[2] . $key_value);
                $new_channels_data[$key_value]['display'] = filter_input(INPUT_POST, $params_prefix[3] . $key_value);
            }
            $rta = $smartsoftbutton_admin->validate_params_structure($new_channels_data, SmartsoftButton_Constants::$KEYS_CHANNELS);

            if ($rta['todo_ok']) {
                /*
                echo "<p>" . 'NEW CHANNELS DATA' . "</p>";
                echo "<p>" . print_r($new_channels_data) . "</p>"; */

                $guardar = $smartsoftbutton_admin->set_links_data_channels($new_channels_data);
                if ($guardar['todo_ok']) {
                    // Reload the saved option data
                    $channels_data = $smartsoftbutton_admin->get_links_data_channels();

                    echo ("<div class='updated notice is-dismissible' style='padding: 10px'>Opciones para <strong>"
                        . $form_name . "</strong> guardadas exitosamente.</div>");
                } else {
                    // Keep the posted data on the response page so it can be corrected
                    $channels_data = $new_channels_data;

                    echo ("<div class='error notice is-dismissible' style='padding: 10px'>"
                        . "Error en formato salvando <strong>" . $form_name . "</strong>"
                        . "<br>" . $guardar['error']
                        . "</div>");
                }
            } else {
                echo ("<div class='error notice is-dismissible' style='padding: 10px'>"
                    . "Error de estructura salvando <strong>" . $form_name . "</strong> "
                    . "<br>" . $rta['error']
                    . "</div>");
            }

            break;

        case "salvaropciones2":

            $param_prefix                = 'param-info-';
            $config_agentechat_key       = $smartsoftbutton_admin->get_config_agentechat_key();
            $new_config_agentechat_info  = '';
            $new_config_agentechat_value = array();

            if ($config_agentechat_key) {
                $new_config_agentechat_info = filter_input(INPUT_POST, $param_prefix . $config_agentechat_key);
            }

            /*echo "<pre>";
            echo "<p>" . 'NEW CONFIG AGENTECHAT TEXT' . "</p>";
            echo "<p>Type=" . gettype($new_config_agentechat_info) . "</p>";
            echo "<p>" . print_r($new_config_agentechat_info) . "</p>";
            echo "</pre>";*/

            $new_config_agentechat_value = SmartsoftButton_Utils::convert_json_string_to_array($new_config_agentechat_info);

            /*echo "<pre>";
            echo "<p>" . 'NEW CONFIG AGENTECHAT ARRAY' . "</p>";
            echo "<p>Type=" . gettype($new_config_agentechat_value) . "</p>";
            print_r($new_config_agentechat_value);
            echo "</pre>";*/

            $guardar = $smartsoftbutton_admin->set_config_agentechat_value($new_config_agentechat_info);
            if ($guardar['todo_ok']) {
                // Reload the saved option data
                $config_agentechat_value = $smartsoftbutton_admin->get_config_agentechat_value();
                $config_agentechat_info  = SmartsoftButton_Utils::convert_array_to_json_string($config_agentechat_value);

                echo ("<div class='updated notice is-dismissible' style='padding: 10px'>Opciones para <strong>"
                    . $form_name . "</strong> guardadas exitosamente.</div>");

            } else {
                // Keep the posted data on the response page so it can be corrected
                $config_agentechat_value = $new_config_agentechat_value;
                $config_agentechat_info  = $new_config_agentechat_info;

                echo ("<div class='error notice is-dismissible' style='padding: 10px'>"
                    . "Error en formato salvando <strong>" . $form_name . "</strong>"
                    . "<br>" . $guardar['error']
                    . "</div>");
            }

            break;

        default:
            break;
    }

    // Reload values after any POST/UPDATE
    // Reload the options for the channel links
    $channels_data = $smartsoftbutton_admin->get_links_data_channels();

    // Reload the other options with additional information
    $additional_info = $smartsoftbutton_admin->get_additional_info_values();

    // *** TEST PRINTS: (comment out when the plugin is ready) ***
    /*echo "<p>" . "RELOADED OPTIONS" . "</p>";
    echo "<p>" . print_r($smartsoftbutton_admin->get_options_custom()) . "</p>";

    echo "<p>" . "RELOADED OPTIONS VARS" . "</p>";
    echo "<p>" . print_r($channels_data) . "</p>";
    echo "<p>" . print_r($additional_info) . "</p>";*/
}

?>
<?php
/**
 * -------------------------------------
 * SCRIPTS for visual components
 * -------------------------------------
 */
/**
 * Script that adds jQuery UI layouts to the views (accordion, tabs, etc.)
 * Notes:
 * - The accordions must be declared before the tabs.
 * - The "beforeActivate" parameter on the tabs updates the hash in the URL (after the POST)
 * - The "activate" parameter on the tabs updates the hash in the URL when switching between them
 */
?>
<script type="text/javascript">
    jQuery(document).ready(function($) {

        // Accordions
        $("#accordion-one").accordion();
        $("#accordion-two").accordion();

        // Add tabs
        $("#tabs").tabs({
            beforeActivate: function(event, ui) {
                window.location.hash = ui.newPanel.selector;
            },
            activate: function(event, ui) {
                var scrollTop = $(window).scrollTop();         // save current scroll position
                window.location.hash = ui.newPanel.attr('id'); // add hash to url
                $(window).scrollTop(scrollTop);                // keep scroll at current position
            },
        });
        // Checkboxes
        draw_checkboxs_and_select_edition_mode();
    });
</script>

<?php
/**
 * -------------------------------------
 * RENDER page
 * -------------------------------------
 */

// Select the configuration type to use: Manual or AgenteChat
echo $smartsoftbutton_admin->content_config_selector();
// Render the sub-menu title
echo ("<div class='wrap'><h3>Configurar botones</h3></div>");

?>
<h4>Según la configuración seleccionada, puede personalizar las siguientes opciones: </h4>
<?php
// Render the page/sub-menu content
?>
<div id="tabs">
    <ul>
        <li><a href="#tabs-1">Configurar Manualmente</a></li>
        <li><a href="#tabs-2">Configurar con AgenteChat</a></li>
    </ul>
    <div id="tabs-1">
        <h4> Configure aquí manualmente las opciones para los canales que desea visualizar en el botón de contacto </h4>

        <!-- NOTE: no nonce field is emitted in this form -->
        <form method="post" name="settings_form_1" id="settings_form_1" action="admin.php?page=smartsoftbutton_settings#tabs-1">
            <input type='hidden' name='action' value='salvaropciones1'>
            <input type='hidden' name='form-name' value='Configuración Manual'>
            <div id="accordion-one">

                <?php
                foreach ($channels_data as $key => $value) {
                    $channel_placeholders = SmartsoftButton_Constants::get_channel_placeholders($key);
                ?>

                <h3>Botón de <?php echo SmartsoftButton_Constants::get_display_name_channel($key) ?> <?php echo SmartsoftButton_Constants::$DEGUB_ACTIVE ? ", Metodo=" . $method : "" ?> </h3>
                <!-- Repeated fields (an accordion is used to expand each data set) -->
                <div>

                    <dl>
                        <dt>
                            <label for="label-label">Título del Botón</label>
                        </dt>
                        <!-- Stored values are echoed into attributes without escaping -->
                        <dd><input type="text" id="id-label-link-<?php echo $key ?>" placeholder="<?php echo $channel_placeholders['name'] ?>" size="40" name="param-label-<?php echo $key ?>" value="<?php echo $channels_data[$key]['name'] ?>" />
                            <br><small>Texto que sale al pasar el mouse sobre el botón de contacto</small><br>
                        </dd>
                    </dl>
                    <dl>
                        <dt>
                            <?php $forma_id_canal = SmartsoftButton_Constants::get_format_id_channel($key) ?>
                            <label for="label-link">Identificador del Canal (<?php echo $forma_id_canal ?>)</label>
                        </dt>
                        <dd><input type="text" id="id-link-id-<?php echo $key ?>" placeholder="<?php echo $channel_placeholders['id'] ?>" size="40" name="param-link-<?php echo $key ?>" value="<?php echo $channels_data[$key]['id'] ?>" />
                            <?php echo $key == SMARTSOFT_BUTTON_WHATSAPP_WEB ? '<br><small>Formato: Extensión País + Número celular (Sin espacios, ni puntos). Ej: 57##########</small><br>' : '' ?>
                            <?php echo $key == SMARTSOFT_BUTTON_WHATSAPP_WEB ? '<small>La extensión para Colombia es 57</small><br>' : '' ?>
                            <?php echo $key == SMARTSOFT_BUTTON_FB_MESSENGER ? '<br><small>Formato: id de perfil de facebook (Sin espacios). Ej: AgenteChatSmart </small><br>' : '' ?>
                        </dd>

                    </dl>
                    <dl>
                        <dt>
                            <label for="label-link">Mensaje inicial de contacto</label>
                        </dt>
                        <dd><input type="text" id="id-message-link-<?php echo $key ?>" placeholder="<?php echo $channel_placeholders['message'] ?>" size="80" name="param-message-<?php echo $key ?>" value="<?php echo $channels_data[$key]['message'] ?>" />
                            <br><small>Primer mensaje que por defecto envian sus contactos para comunicarse con usted. Ej: Hola, requiero más información</small><br>
                        </dd>
                    </dl>
                    <dl>
                        <dt>
                            <label for="label-display">Desplegar botón de contacto para este canal en el smartsoftbutton?</label>
                        </dt>
                        <dd>
                            <ul>
                                <li><input type="radio" id="id-desplegar-link-si-<?php echo $key ?>" name="param-display-<?php echo $key ?>" value="1" <?php echo ($channels_data[$key]['display'] == 1 ? "checked='checked'" : ""); ?> />
                                    <label>Si</label>
                                </li>
                                <li><input type="radio" id="id-desplegar-link-no-<?php echo $key ?>" name="param-display-<?php echo $key ?>" value="0" <?php echo ($channels_data[$key]['display'] == 0 ? "checked='checked'" : ""); ?> />
                                    <label>No</label>
                                </li>
                            </ul>
                            <small><strong>Seleccione: 'Si'</strong> para mostrar este canal en el botón de contacto de su sitio web;<br> <strong>'No'</strong> para ocultarlo </small>
                        </dd>
                    </dl>

                </div>

                <?php
                } // End foreach
                ?>

            </div>
            <div id="submit_buttons" style="margin-top: 20px">
                <button type="reset" class="button button-cancel">Limpiar Cambios</button>
                <button type="submit" class="button button-primary">Salvar Cambios</button>
            </div>

        </form>
    </div>

    <div id="tabs-2">
        <h4> Pegue aquí la configuración generada por AgenteChat </h4>

        <div id="accordion-two">

            <!-- Other options editable in the plugin -->

            <h3>Configuración AgenteChat</h3>

            <div>

                <!-- NOTE: no nonce field is emitted in this form either -->
                <form method="post" name="settings_form_2" id="settings_form_2" action="admin.php?page=smartsoftbutton_settings#tabs-2">
                    <input type='hidden' name='action' value='salvaropciones2'>
                    <input type='hidden' name='form-name' value='Configuración AgenteChat'>

                    <?php
                    $config_agentechat_key   = $smartsoftbutton_admin->get_config_agentechat_key();
                    $config_agentechat_label = $smartsoftbutton_admin->get_config_agentechat_label();
                    $config_empty            = empty($config_agentechat_value);
                    // if configuration file
                    ?>

                    <dl>
                        <dt>
                            <label for="label-info"><?php echo $config_agentechat_label ?></label>
                        </dt>
                        <dd><textarea id="id-configuracion-agentechat" rows="30" cols="70" placeholder="Pegue la configuración dada por agentechat aquí..."
                                      name="param-info-<?php echo $config_agentechat_key ?>"><?php if ( !$config_empty ) { echo $config_agentechat_info; } ?></textarea></dd>
                    </dl>

                    <?php
                    //} // End if
                    ?>

                    <div id="submit_buttons" style="margin-top: 20px">
                        <button type="reset" class="button button-cancel">Limpiar Cambios</button>
                        <button type="submit" class="button button-primary">Salvar Cambios</button>
                    </div>
                </form>

            </div>

        </div>

    </div>
</div>

<?php
// *** TEST PRINTS: (comment out when the plugin is ready) ***
echo "<div>";
/*
echo "<p>" . "END OPTIONS" . "</p>";
echo "<p>" . print_r($smartsoftbutton_admin->get_options_custom()) . "</p>";

echo "<p>" . "END OPTIONS VARS" . "</p>";
echo "<p>" . print_r($channels_data) . "</p>";
echo "<p>" . print_r($additional_info) . "</p>";*/

echo "</div>";
?>

<div>
    <?php echo $smartsoftbutton_admin->content_footer(); ?>
</div>

<?php
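Added example, not the plugin's own code: how the `salvaropciones1` branch of the handler above would look with the nonce validation the advisory says is missing, plus a capability check and escaping of the stored values at render time. The helper function names and the nonce action string are assumptions made here; `wp_nonce_field()`, `check_admin_referer()`, `current_user_can()`, `sanitize_text_field()` and `esc_attr()` are standard WordPress functions.

```php
<?php
// Added example (not from the plugin). Function names and the nonce action
// string 'smartsoftbutton_save_channels' are assumptions.

// 1. In the form: emit a hidden nonce bound to this action. WordPress writes
//    the <input type="hidden"> and a referer field for us.
function smartsoftbutton_render_form_nonce() {
    wp_nonce_field( 'smartsoftbutton_save_channels', 'smartsoftbutton_nonce' );
}

// 2. In the POST handler: authorize and verify the nonce BEFORE touching options.
//    $admin is the SmartsoftButton admin object the page stores in $smartsoftbutton_admin.
function smartsoftbutton_handle_channels_post( $admin ) {
    if ( filter_input( INPUT_SERVER, 'REQUEST_METHOD' ) !== 'POST' ) {
        return null;
    }

    // is_admin() only says "this is a wp-admin URL"; it is not an authorization check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // check_admin_referer() stops the request with a 403 page when the nonce is
    // absent, expired, or was issued for a different action or user session.
    // A request forged from another origin cannot carry a valid nonce, which is
    // exactly the gap described in the advisory.
    check_admin_referer( 'smartsoftbutton_save_channels', 'smartsoftbutton_nonce' );

    $prefixes          = array( 'param-link-', 'param-label-', 'param-message-', 'param-display-' );
    $new_channels_data = array();

    foreach ( SmartsoftButton_Constants::$KEYS_CHANNELS as $key ) {
        // Sanitize on input: strip tags and control characters, coerce the flag to 0/1.
        $new_channels_data[ $key ]['id']      = sanitize_text_field( (string) filter_input( INPUT_POST, $prefixes[0] . $key ) );
        $new_channels_data[ $key ]['name']    = sanitize_text_field( (string) filter_input( INPUT_POST, $prefixes[1] . $key ) );
        $new_channels_data[ $key ]['message'] = sanitize_text_field( (string) filter_input( INPUT_POST, $prefixes[2] . $key ) );
        $new_channels_data[ $key ]['display'] = ( filter_input( INPUT_POST, $prefixes[3] . $key ) === '1' ) ? 1 : 0;
    }

    $rta = $admin->validate_params_structure( $new_channels_data, SmartsoftButton_Constants::$KEYS_CHANNELS );
    if ( ! $rta['todo_ok'] ) {
        return $rta;
    }
    return $admin->set_links_data_channels( $new_channels_data );
}

// 3. On output: escape every stored value at the point it is echoed into an
//    HTML attribute, so a value saved through any path cannot break out of it.
function smartsoftbutton_text_input( $key, $field, $value, $placeholder ) {
    return sprintf(
        '<input type="text" name="%s" value="%s" placeholder="%s" />',
        esc_attr( 'param-' . $field . '-' . $key ),
        esc_attr( $value ),
        esc_attr( $placeholder )
    );
}
```

The same three steps apply unchanged to the `salvaropciones2` branch and to `settings_form_2`.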