The WPQA Builder WordPress plugin before 5.9 does not have CSRF check when following and unfollowing users, which could allow attackers to make logged in users perform such actions via CSRF attacks

CVE-2022-3688

The Event Monster WordPress plugin before 1.2.0 does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack

CVE-2022-3336

The My wpdb WordPress plugin before 2.5 is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack

CVE-2022-1578

The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.5, Booster Elite for WooCommerce WordPress plugin before 1.1.7 do not have CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged in shop manager or admin delete them via a CSRF attack

CVE-2022-3763

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected

@@ -0,0 +1,178 @@ <?php /\* Copyright (C) 2010 Laurent Destailleur <eldy@users.sourceforge.net> \* \* This program is free software; you can redistribute it and/or modify \* it under the terms of the GNU General Public License as published by \* the Free Software Foundation; either version 3 of the License, or \* (at your option) any later version. \* \* This program is distributed in the hope that it will be useful, \* but WITHOUT ANY WARRANTY; without even the implied warranty of \* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \* GNU General Public License for more details. \* \* You should have received a copy of the GNU General Public License \* along with this program. If not, see <https://www.gnu.org/licenses/>. \* or see https://www.gnu.org/ \*/  
/\*\* \* \\file test/phpunit/WebsiteTest.php \* \\ingroup test \* \\brief PHPUnit test \* \\remarks To run this script as CLI: phpunit filename.php \*/  
global $conf,$user,$langs,$db; //define('TEST\_DB\_FORCE\_TYPE','mysql'); // This is to force using mysql driver //require\_once 'PHPUnit/Autoload.php';  
if (! defined('NOREQUIRESOC')) { define('NOREQUIRESOC', '1'); } if (! defined('NOCSRFCHECK')) { define('NOCSRFCHECK', '1'); } if (! defined('NOTOKENRENEWAL')) { define('NOTOKENRENEWAL', '1'); } if (! defined('NOREQUIREMENU')) { define('NOREQUIREMENU', '1'); // If there is no menu to show } if (! defined('NOREQUIREHTML')) { define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php } if (! defined('NOREQUIREAJAX')) { define('NOREQUIREAJAX', '1'); } if (! defined("NOLOGIN")) { define("NOLOGIN", '1'); // If this page is public (can be called outside logged session) } if (! defined("NOSESSION")) { define("NOSESSION", '1'); }  
require\_once dirname(\_\_FILE\_\_).'/../../htdocs/main.inc.php'; require\_once dirname(\_\_FILE\_\_).'/../../htdocs/core/lib/website.lib.php';  
  
if (empty($user\->id)) { print "Load permissions for admin user nb 1\\n"; $user\->fetch(1); $user\->getrights(); } $conf\->global\->MAIN\_DISABLE\_ALL\_MAILS\=1;  
  
/\*\* \* Class for PHPUnit tests \* \* @backupGlobals disabled \* @backupStaticAttributes enabled \* @remarks backupGlobals must be disabled to have db,conf,user and lang not erased. \*/ class WebsiteTest extends PHPUnit\\Framework\\TestCase { protected $savconf; protected $savuser; protected $savlangs; protected $savdb;  
/\*\* \* Constructor \* We save global variables into local variables \* \* @return SecurityTest \*/ public function \_\_construct() { parent::\_\_construct();  
//$this->sharedFixture global $conf,$user,$langs,$db; $this\->savconf\=$conf; $this\->savuser\=$user; $this\->savlangs\=$langs; $this\->savdb\=$db;  
print \_\_METHOD\_\_." db->type=".$db\->type." user->id=".$user\->id; //print " - db ".$db->db; print "\\n"; }  
/\*\* \* setUpBeforeClass \* \* @return void \*/ public static function setUpBeforeClass() { global $conf,$user,$langs,$db; $db\->begin(); // This is to have all actions inside a transaction even if test launched without suite.  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* tearDownAfterClass \* \* @return void \*/ public static function tearDownAfterClass() { global $conf,$user,$langs,$db; $db\->rollback();  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* Init phpunit tests \* \* @return void \*/ protected function setUp() { global $conf,$user,$langs,$db; $conf\=$this\->savconf; $user\=$this\->savuser; $langs\=$this\->savlangs; $db\=$this\->savdb;  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* End phpunit tests \* \* @return void \*/ protected function tearDown() { print \_\_METHOD\_\_."\\n"; }  
  
/\*\* \* testGetPagesFromSearchCriterias \* \* @return void \*/ public function testGetPagesFromSearchCriterias() { global $db;  
$s = "123') OR 1=1-- \\' xxx"; /\* var\_dump($s); var\_dump($db->escapeforlike($s)); var\_dump($db->escape($db->escapeforlike($s))); \*/  
$res = getPagesFromSearchCriterias('page,blogpost', 'meta,content', $s, 2, 'date\_creation', 'DESC', 'en'); //var\_dump($res); print \_\_METHOD\_\_." message=".$res\['code'\]."\\n"; // We must found no line (so code should be KO). If we found somethiing, it means there is a SQL injection of the 1=1 $this\->assertEquals($res\['code'\], 'KO'); } }

CVE-2022-4093: Fix sqli ->escape after ->escapeforlike · Dolibarr/dolibarr@7c1eac9

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Creative Mail plugin <= 1.5.4 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Creative Mail was designed specifically for WordPress and WooCommerce.

Our intelligent (and super fun) email editor simplifies email marketing campaign creation and pulls your WordPress blog posts, website images and WooCommerce products right into your email content. Leads from your WordPress website, ecommerce store and contact forms are automatically captured and routed into our included Contacts CRM and synced with your email marketing lists.

It’s perfect for automatic blog post syndication, newsletters and announcements, event promotion, WooCommerce product specials, retargeting ecommerce shoppers, sending postcards, providing updates and more.

Create awesome email marketing campaigns right from your WordPress Admin Dashboard that are all powered by the award-winning & rock-solid reliability of Constant Contact.

**CREATIVE MAIL IS:**

1.  Incredibly easy WordPress email marketing
2.  Deeply connected to your website & WooCommerce store
3.  Accessed from within your WP Admin Dashboard
4.  Automatically syncing your contacts and building your marketing lists
5.  Powered by the reliability superior deliverability of Constant Contact
6.  Fun, which makes life way better

**VIEW OUR DETAILED FEATURES****WOOCOMMERCE & WORDPRESS INTEGRATION:**

Turn your WooCommerce store and your WordPress site into efficient marketing engines. All ecommerce contacts and form entries are all captured in our included CRM and synced automatically with Creative Mail.

*   **Enhanced Ecommerce:** WooCommerce store customers and ecommerce interactions are all captured automatically within your email marketing list. Retarget and re-engage your customers. Sell more stuff.
*   **Beautiful Transactional Emails:** Standard WooCommerce triggered emails can be replaced to match your branding and style. Build one, and then all your other WooCommerce emails managed by Creative will inherit the same branded look. Hey, style matters.
*   **Jetpack Forms Integration:** Collect, sync, and manage opt-in subscribers directly from Jetpack forms into Creative Mail.
*   **Build Better Branding:** Creative Mail includes our free LogoBuilder and image editing suite to enhance your brand.
*   **Amazing Stock Images:** You get free access to the completely integrated photo library (in addition to your own WordPress media library) to make amazing email marketing campaigns with award-winning images.
*   **Get Better Deliverability:** Other email marketing solutions require complex SMTP solutions, external gateways or have you sending from their less than stellar IPs. As a result, your emails can get bounced or never delivered. Creative Mail is an all-in-one solution that uses Constant Contact’s rock solid infrastructure, for superior deliverability. Boom! ‘nuff said.
*   **Live Support:** With our paid plans (Awesome & Ultimate) you get access to phone and chat support to help you get answers from real live, helpful humans. Imagine that!

**OPT-IN EMAIL FORMS:**

*   **Jetpack Newsletter Form:** Jetpack has a JMML (join my mailing list) Newsletter Signup form. When activated, contacts who sign up for your Newsletter through the Jetpack form are brought right into your Newsletter email marketing list. Easy-peasy.
*   **Other WordPress Website Forms:** Creative Mail detects the current website forms used on your site, and automatically adds contacts to your email marketing lists. Automagically awesome!
*   **Creative Mail Form:** If you are not using a form on your site, you can easily add your Creative Mail Gutenberg form to start collecting email addresses of your site visitors

**EMAIL AUTOMATIONS:**

*   **Scheduled Sends:** Schedule the time and date of outgoing email marketing campaigns based on your business or organization’s preferences.
*   **Single-Step Triggered Emails:** Replace your non-branded WooCommerce order notification triggered emails with on-brand Creative Mail emails for deeper customer engagement.
*   **Abandoned Cart:** With Creative Mail and a WooCommerce store you can send emails to customers who abandon their WooCommerce shopping cart. They’ll get an email that reminds them of the items they were considering before they left.
*   **Multi-Step Marketing Journeys:** Develop sophisticated CLM (that’s marketing speak for – customer lifecycle marketing) campaigns by leveraging our “if this, then that” campaign automation engine that responds to a customer’s actions, birthdays or purchases. Welcome your customers with email automation.

**ANALYTICS & INSIGHTS:**

*   **Realtime Email Marketing Statistics:** Bounces, opens, clicks, forwards, complaints, unsubscribes and more are easily tracked and managed. Be a control freak, it’s OK.
*   **Marketing Campaign Mapview:** With our mapview you can see who’s opening your emails on what devices on an awesome, interactive visual map.

**CONTACTS CRM:**

*   **Contact Lists:** Within the Creative Mail Contacts CRM you can quickly and easily manage all your Contacts, Subscribers and Unsubscribes.
*   **Contact Activity:** Drill into the purchases and behaviors of your contacts.
*   **List Sources:** You’ll know where your contacts come from whether it’s a manual entry, your Jetpack forms, WooCommerce Store, or another defined source.
*   **Custom Labels:** Further refine your marketing by adding custom labels to subscribers or customers (ex. Truck Buyers, Concert Attendee, Dog Owners, etc.).

**IMPORT & EXPORT:**

*   **Contacts Sync & Import:** No need anymore for complex integrations between your WordPress site and your email marketing provider. With Creative Mail it all simply works with WordPress out of the box. We do the heavy lifting to sync and import your Jetpack, WordPress, WooCommerce and most used Contact form plugins contacts automatically.
*   **Import & Export Via CSV:** Import bulk email marketing lists (limits may apply), add subscribers one by one, or export your contacts into a CSV file.

**CAMPAIGNS:**

*   **AI Emails:** Forget templates, let our A.I. build your email marketing campaigns for you. Pull in WordPress posts or WooCommerce products for sale, and you’re good to go. Let our robots do your bidding!
*   **Email Campaign Creation:** Build your email marketing campaigns in seconds from your WordPress admin dashboard.
*   **Awesome Deliverability:** All email marketing campaigns are sent and delivered by the award-winning power of Constant Contact technology. We got you.
*   **Automated Email Marketing:** Send multistep email campaigns automatically, with triggers you define, whether that’s based on time, a customer birthday or behavioral actions. Create a flow to welcome your customers and send a special discount and reminder on their birthday.

**EMAIL LIST MANAGEMENT:**

*   **Contact List Growth:** Creative Mail collects leads from Jetpack forms or the top WordPress lead capture forms and adds them directly to your email lists.
*   **Automate Emails:** With our “Welcome” email trigger you can send a Creative Mail welcome email series to new subscribers and blog readers.
*   **Auto List Updater:** Creative Mail automatically updates your contact lists for unsubscribes.

**ADD ONS**

*   **Social Campaigns:** Connect your social media accounts with your Creative Mail account to share your newsletters with your followers on social.
*   **Marketing Calendar:** With your socials connected we give you an overview of all the newsletters and posts that you’ve sent and scheduled. An easy overview to engage with your audience.
*   **Booking:** Set up Bookings for your business with the Bookings tool. Give clients and customers an easy, quick way to set up appointments with you.
*   **LogoBuilder:** Create an amazing logo for your business or social with LogoBuilder and add it to your email campaigns.

**TERMS OF SERVICE & PRIVACY NOTICE**

On behalf of our lawyers (seriously, they’re nice people), please feel free to review our:

Creative Mail by Constant Contact Terms of Service  
Creative Mail by Constant Contact Privacy Notice

This plugin provides 1 block.

*   Creative Mail Let your contact subscribe to a mailing list for creative mail.

*   Go to your admin dashboard
*   Click the “Plugins” menu on the left side navigation bar
*   Click on “Add New”
*   Search for “Creative”
*   Click “Install Now”
*   Click “Activate”
*   You will be redirected to Creative Mail where you can set up your account

**Requirements**

*   Your website or blog must be using WordPress.org version 4.6 or higher on your server.
*   The plugin can be installed on regular WordPress environments and also on WordPress.com sites.

**What does the Creative Mail plugin do?**

The Creative mail plugin allows you to create awesome email marketing campaigns right from your WordPress Admin Dashboard that are all powered by the award-winning & rock-solid reliability of Constant Contact.  
Our intelligent (and super fun) email editor simplifies email marketing campaign creation and pulls your WordPress blog posts, website images and WooCommerce products right into your email content. Leads from your WordPress website, ecommerce store and contact forms are automatically captured and routed into our included Contacts CRM and synced with your email marketing lists.  
It’s perfect for automatic blog post syndication, newsletters and announcements, event promotion, WooCommerce product specials, retargeting ecommerce shoppers, sending postcards, providing updates and more.

**Are coding skills needed to use Creative Mail?**

Creative Mail is built for non-developers, you don’t even need to fill in API keys. If you know how to install a plugin on your website, you are good to go! You will have your images, blog posts and products from your WordPress site available to make campaigns without having to lift a finger.

**What is available for free with CreativeMail?**

With Creative Mail you can send campaigns to your contacts for free. Promote your blog articles, WooCommerce products, events and much more with your followers. Advanced functionality like sending Welcome series Automations and WooCommerce order notifications are part of a paid plan.  
You can see the overview of all the features per plan on our plans page.

**What forms can I use in combination with Creative mail?**

You can add the Creative Mail Form to your site to gather contacts and add contacts automatically to a specific list.  
Creative Mail also integrated with one of the form builders below. For those you can easily activate Contact Synchronization:  
– Jetpack forms  
– Contact form 7  
– WPForms lite and WPForms  
– Newsletter  
– Gravity forms  
– Elementor  
– Ninja forms  
– Caldera Forms  
– Formidable

**Does Creative Mail support ecommerce stores?**

Creative mail is fully integrated with WooCommerce, which enables you to share your WooCommerce products via email campaigns. You can also replace your non-branded WooCommerce order notification triggered emails with on-brand Creative Mail emails for deeper customer engagement. Build one, and then all your other WooCommerce emails managed by Creative Mail will inherit the same branded look. Hey, style matters.

I built a new website on WordPress for a new business. I'm starting with free plugins until I get the ball rolling. Creative Mail by Constant Contact was already in my dashboard with a free subscription option. It is the only newsletter email option available if you use the included WPForms contact forms (also included in initial install). Unlike any other plugin I've used, Creative Mail functions outside your dashboard. It doesn't link to WPForms even after telling it that's what you're using. In addition to creating a Constant Contact account & adding WP Forms to your settings, you have to go back to your dashboard & click a button in WP Forms that then asks you to log in to Creative Mail to give it permission to connect with WP Forms. This permission doesn't exist on the Creative Mail account. I couldn't get past this, because I couldn't log in (even though I was already logged in having just signed up). When signing up, it wanted my name, address, email address, & then to create a password (no user name selection). I tried every variation of my name or email address with my password (I have a generator & only have to copy the password, so no typos). It couldn't find me. I clicked that I forgot my username & got an email saying my user name was... ce- & a string of 26 alpha-numeric characters. That also didn't work. Their support page offers number for 2 issues: account suspension & enabling debugging. I got a support number from the chat bot. When you call, they want your phone number associated with the account. That was never included, so it didn't find me but put me on hold for the "next available" agent. After 15 minutes, it hung up on me. I waited a while & tried again. This time, I waited on hold for over 40 minutes before hanging up. WordPress should remove this from the plugins. WP Forms should allow you to use some other plugin (there's a long list available with paid subscriptions). This is a most disreputable business practice & has all the ear-markings of a scam. Don't take just my word for it. Read some of the other 1 star reviews.

Excellent produit, avec un système très simple à comprendre.

I love it.its very easy to use.that helps a lot.thsnk u

It is a very good program

This is an awesome plugin!

Haven't had a chance to use it

Read all 315 reviews

“Creative Mail – Easier WordPress & WooCommerce Email Marketing” is open source software. The following people have contributed to this plugin.

Contributors

*    Constant Contact

*   1.6.3 – Hotfix: Fixed a bug where the plugin was not working on some servers.
*   1.6.2 – Security updates and removal of Unsupported Plugin (Caldera Forms)
*   1.6.1 – Security update
*   1.6.0 – Security update, Bug fixes and Support to sync Address Fields for Contact Form 7
*   1.5.4 – Migration to WordPress version 6.0.2 and Checkout mail templates update
*   1.5.3 – README update
*   1.5.2 – Small bug fix for PHP versions previous to 7.1
*   1.5.1 – Fix outdated PHP classes
*   1.5.0 – Fix WooCommerce product lists, improved WooCommerce order workflows and improved contact management.
*   1.4.9 – Fixes regarding WooCommerce and Contact Sync Updates.
*   1.4.8 – Redirect to main CreativEmail templates page when user has abandoned cart template deactivated. Fix sync error with contact form 7. Added automation trigger for customer buying products.
*   1.4.7 – Fix currency type being shown in “Abandoned Cart” emails for WooCommerce.
*   1.4.6 – Add phone number handling for Jetpack Forms. Bug fixes.
*   1.4.5 – This version contains a fix for Creative mail customers who also use the Bluehost WebsiteBuilder functionality to build their WordPress site.
*   1.4.4 – Add support for ‘return to shop’ urls
*   1.4.3 – Updated brand name.
*   1.4.2 – Fixed a crash that could occur when using the elementor contact sync.
*   1.4.1 – Fixed several bugs
*   1.4.0 – Added gutenberg contact form block CreativeMail
*   1.3.9 – Include notice when you have enabled a password protection plugin.
*   1.3.8 – Fixes an issue with WooCommerce recommendations.
*   1.3.7 – Fixes an issue specific to PHP 7.4
*   1.3.6 – Improved integrations with WooCommerce to support features like Abandoned Cart emails.
*   1.3.5 – Addresses two small issues where some relative URLs would not work for WP installs in subdirectories.
*   1.3.4 – Improved initial contact sync: we can now import all your contacts without any limits!
*   1.3.3 – Direct access to Creative Mail features from the left side nav in WP Admin.
*   1.3.2 – Fixes an issue where the contact sync might cause a critical error.
*   1.3.1 – Add the ability to show the amount of recovered revenue via abandoned carts.
*   1.3.0 – Support for abandoned cart emails
*   1.2.4 – Introduces a ‘Reset’ button on the settings page for accounts that are stuck.
*   1.2.3 – Fixes an issue where the banner would show up again after being dismissed.
*   1.2.2 – Introduction of multistep automations and fixes a couple of small issues in the CreativeMail widgets
*   1.2.1 – Fixes an issue where some users would experience an issue where our UI was blocked by pop-up blockers.
*   1.2.0 – Context aware notifications, add support for Ninja forms, add support for Caldera forms

CVE-2022-44740: Creative Mail – Easier WordPress & WooCommerce Email Marketing

Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 2.4.0

PSID 

9a7eb49bf153

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-11-09

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by Lana Codes (Patchstack Alliance) in WordPress REST API Authentication plugin (versions <= 2.4.0).

**Solution**

Update the WordPress WordPress REST API Authentication plugin to the latest available version (at least 2.4.1).

**References**

CVE-2022-45073: WordPress REST API Authentication plugin <= 2.4.0 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Viszt Péter's Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 and Csomagpontok és szállítási címkék WooCommerce-hez plugin <= 1.9.0.2 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.6.3.2

PSID 

792f108c7c16

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-20

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Lana Codes (Patchstack Alliance) in the WordPress Integration for Szamlazz.hu & WooCommerce plugin (versions <= 5.6.3.2).

**Solution**

Update the WordPress Integration for Szamlazz.hu & WooCommerce plugin to the latest available version (at least 5.6.3.3).

**References**

CVE-2022-41685: WordPress Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress.

 Verified

 Fixed

**6.1**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.4.5

PSID 

18f5b72d7722

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-28

**Details**

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress Store Locator plugin (versions <= 1.4.5).

**Solution**

Update the WordPress Store Locator WordPress plugin to the latest available version (at least 1.4.6).

**References**

CVE-2022-41615: WordPress Store Locator plugin <= 1.4.5 - Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.

Tag

#csrf