CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository
The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have a CSRF check when deleting banned users, which could allow attackers to make a logged-in admin remove arbitrary bans.
Timestamp: 04/05/2022 12:27:06 PM
Author: isaumya
Message: Adding nonce support for deletion of banned users
Location: ad-invalid-click-protector/trunk/inc
Files:
- admin_setup.php (1 diff)
- banned_user_table.php (1 diff)
ad-invalid-click-protector/trunk/inc/admin_setup.php
r2656496
r2705068
523
523
$bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
524
524
$aicpOBJ = new AICP();
525
if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
526
global $wpdb;
527
$fetchedID = $\_REQUEST\['id'\];
528
if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
529
$selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
530
} else { //for singel delete just the id will return
531
$selectedID = '%d';
532
}
533
if( empty( $selectedID ) ) {
534
$this->delete\_notice( false );
535
} else {
536
$query = $wpdb->prepare(
537
"DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
538
$fetchedID
539
);
540
$wpdb->query( $query );
541
$this->delete\_notice( true );
542
}
543
}
544
/\* End of handelling the deletion process \*/
545
/\* Now it's time to show our data \*/
525
if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
526
global $wpdb;
527
$fetchedID = $\_REQUEST\['id'\];
528
if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
529
$selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
530
} else { //for singel delete just the id will return
531
$selectedID = '%d';
532
}
533
if( empty( $selectedID ) ) {
534
$this->delete\_notice( false );
535
} else {
536
$query = $wpdb->prepare(
537
"DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
538
$fetchedID
539
);
540
$wpdb->query( $query );
541
$this->delete\_notice( true );
542
}
543
}
544
/\* End of handelling the deletion process \*/
545
/\* Now it's time to show our data \*/
546
546
?>
547
547
<div class="wrap">
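Review bot: the nonce test at line 525 is folded into the same `if` as the action test, so a delete request whose `nonce` is missing or stale silently falls through to rendering the table, with neither `delete_notice()` fired nor any error shown; the WordPress idiom for an admin action handler is `check_admin_referer( 'delete_banned_user', 'nonce' )` inside the action branch, which stops with the "link has expired" page on a bad token instead of pretending nothing happened. Two further points in the same hunk: the bulk path (`is_array( $fetchedID )` with the implode of `%d` placeholders) is now gated on the same `$_REQUEST['nonce']`, but nothing in this changeset adds that parameter to the bulk-action form, so either confirm the list table's bulk submit carries it or verify the table's own `bulk-*` nonce with `check_admin_referer()`, otherwise bulk delete now does nothing; and a nonce is not an authorization check, so the branch should also assert a capability (for example `current_user_can( 'manage_options' )`) rather than rely on menu registration, which is not visible in these lines.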
ad-invalid-click-protector/trunk/inc/banned_user_table.php
r1565011
r2705068
34
34
public function column\_ip( $item ) {
35
35
$actions = array(
36
'delete' => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
36
'delete' => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
37
37
);
38
38
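Review bot: the nonce at line 36 is created for the generic action `delete_banned_user` rather than for the row, so the token emitted with any single row is valid for deleting every ban in that session; binding it to the id (`wp_create_nonce( 'delete_banned_user_' . $item->id )`, with the verifier in admin_setup.php mirroring that string for the single-delete case) limits what a leaked or replayed link can do. Separately, `$_REQUEST['page']` and the nonce are dropped into the href through `sprintf` with no escaping; building the link as `esc_url( wp_nonce_url( add_query_arg( array( 'page' => $_REQUEST['page'], 'action' => 'delete', 'id' => $item->id ) ), 'delete_banned_user', 'nonce' ) )` yields the same URL with query encoding and attribute escaping handled by core.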