In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.

**Mozilla Foundation Security Advisory 2020-24**

Announced

June 30, 2020

Impact

high

Products

Firefox

Fixed in

*   Firefox 78

**#CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing**

Reporter

Kevin Higgs

Impact

high

**Description**

When %2F was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory.

**References**

*   Bug 1586630

**#CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster**

Reporter

Alex Mayorga

Impact

high

**Description**

A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.

**References**

*   Bug 1639734

**#CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64**

Reporter

Deian Stefan

Impact

high

**Description**

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.  
_Note: this issue only affects Firefox on ARM64 platforms._

**References**

*   Bug 1640737

**#CVE-2020-12418: Information disclosure due to manipulated URL object**

Reporter

Marcin 'Icewall' Noga of Cisco Talos

Impact

high

**Description**

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.

**References**

*   Bug 1641303

**#CVE-2020-12419: Use-after-free in nsGlobalWindowInner**

Reporter

worcester12345

Impact

high

**Description**

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1643874

**#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server**

Reporter

Byron Campen

Impact

high

**Description**

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1643437

**#CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack**

Reporter

Sohaib ul Hassan, Iaroslav Gridin, Ignacio M. Delgado-Lozano, Cesar Pereida García, Jesús-Javier Chi-Domínguez, Alejandro Cabrera Aldaya, and Billy Bob Brumley, Network and Information Security (NISEC) Group, Tampere University, Finland

Impact

moderate

**Description**

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.  
We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well.  
_Note:_ An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might.

**References**

*   Bug 1631597

**#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates**

Reporter

Chuck Harmston, Robert Hardy

Impact

moderate

**Description**

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.

**References**

*   Bug 1308251

**#CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer**

Reporter

Ronald Crane

Impact

moderate

**Description**

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.

**References**

*   Bug 1450353

**#CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library**

Reporter

Riccardo Ancarani

Impact

moderate

**Description**

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution.  
_Note: This issue only affects the Windows operating system; other operating systems are unaffected._

**References**

*   Bug 1642400

**#CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process**

Reporter

Paul Theriault

Impact

low

**Description**

When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt.

**References**

*   Bug 1562600

**#CVE-2020-12425: Out of bound read in Date.parse()**

Reporter

Bruno Keith

Impact

low

**Description**

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure.

**References**

*   Bug 1634738

**#CVE-2020-12426: Memory safety bugs fixed in Firefox 78**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Bob Clary, Benjamin Bouvier, Calixte Denizet, Christian Holler reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 78

CVE-2020-12422: Security Vulnerabilities fixed in Firefox 78

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin. Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.

**CVE ID:** CVE-2020-15038

****Summary****

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

**Impact**

While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.

*   **Redirection**:
    
    If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
    
  
*   **Phishing**:
    
    Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
    

**Vulnerability**

The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).

    POST /wp-admin/options.php HTTP/1.1
    Host: localhost:10004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 636
    Origin: http://localhost:10004
    Connection: close
    Cookie: ...
    
    option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=

****Timeline****

Vulnerability reported to the SeedProd team on June 22, 2020.  
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.

****Recommendation****

It is highly recommended to update the plugin to the latest version.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
*   https://nvd.nist.gov/vuln/detail/CVE-2020-15038
*   https://wordpress.org/plugins/coming-soon/#developers
*   https://wpvulndb.com/vulnerabilities/10283

For best security practices, you can follow the below guides:

*   WordPress Security Guide
*   WordPress Hack and Malware Removal

Tags: coming soon page, Cross Site Scripting, maintenance mode, seedprod, stored xss, under construction, vulnerability, WordPress, WordPress Maintenance, Wordpress Plugin Vulnerability, wordpress security, XSS

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-15038: XSS Found In Coming Soon Page and Maintenance Mode Plugin

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Special Register Buffer Data Sampling Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2020-0543

Description: Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score:  6.5 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

A list of impacted products can be found here. 

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses this issue. 

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:  

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

The microcode updates also provide an opt-out mechanism (RNGDS\_MITG\_DIS) to disable the mitigation for RDRAND and RDSEED instructions executed outside of Intel® Software Guard Extensions (Intel® SGX) enclaves. Please refer to technical details to find additional information on the opt-out mechanism here.  

Note that inside of an Intel SGX enclave, the mitigation is applied regardless of the value of RNGDS\_MITG\_DIS.

Additional technical details about SRBDS can be found here.

To address this issue, an SGX TCB recovery will be required in Q3 2020. Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

**Acknowledgements:**

Intel would like to thank Alyssa Milburn, Hany Ragab, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam for reporting this issue. 

This issue was also identified by Intel employees.  Intel would like to thank Rodrigo Branco (formerly Intel), Kekai Hu (formerly Intel), Gabriel Negreira Barbosa (Intel), and Ke Sun (Intel).  

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/09/2020

Initial Release

1.1

06/12/2020

Updated Acknowledgements

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-0543: INTEL-SA-00320

Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.

**Describe the bug**  
XSS when a admin click on the link bellow, the g\_preview\_theme parameter not encoding the double quotes, an attacker could trick the admin to click on that link..  
https://demo.gilacms.com/cm/edit\_form/postcategory?id=8%22+%3E%3Cscript%3Ealert(1)%3C/script%3E

**To Reproduce**  
Steps to reproduce the behavior:

1.  Go to 'https://demo.gilacms.com/admin/content/postcategory'
2.  Click on 'edit'
3.  With a web proxy like burp intercept that request, and after id= parameter put " "+><script>alert(1)</script>
4.  See the alert on browser..

**Screenshots**  
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**

*   Browser Firefox
*   Version 70.0 (64-bit)

**Additional context**  
In fact the attacker could trick any admin to click on  
https://demo.gilacms.com/cm/edit\_form/postcategory?id=8%22+%3E%3Cscript%3Ealert(1)%3C/script%3E .. and execute javascript..

CVE-2019-20803: Cross Site Scripting (XSS) -  · Issue #56 · GilaCMS/gila

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.



CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

This is a service and security update to the stable version 1.4 of Roundcube Webmail.  
It contains four fixes for recently reported security vulnerabilities as well a number  
of general improvements from our issue tracker. See the full changelog below.

**Security fixes**

*   Cross-Site Scripting (XSS) via malicious HTML content
*   CSRF attack can cause an authenticated user to be logged out
*   Remote code execution via crafted config options
*   Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations  
with public access to the Roundcube installer. That's generally a high-risk situation and is expected  
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done  
in core in order to also prevent from future and yet unknown attack vectors.

This version is considered stable and we recommend to update all productive installations  
of Roundcube with it. Please do backup your data before updating!

**CHANGELOG**

*   Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
*   Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
*   Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
*   Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
*   Elastic: Fix color of a folder with recent messages (#7281)
*   Elastic: Restrict logo size in print view (#7275)
*   Fix invalid Content-Type for messages with only html part and inline images - Mail\_Mime-1.10.7 (#7261)
*   Fix missing contact display name in QR Code data (#7257)
*   Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
*   Fix regression in testing database schema on MSSQL (#7227)
*   Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
*   Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
*   Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
*   Fix handling keyservers configured with protocol prefix (#7295)
*   Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
*   Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
*   Fix so imap error message is displayed to the user on folder create/update (#7245)
*   Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
*   Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
*   Fix characters encoding in group rename input after group creation/rename (#7330)
*   Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
*   Make install-jsdeps.sh script working without the file program installed (#7325)
*   Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
*   Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
*   Security: Fix XSS issue in handling of CDATA in HTML messages
*   Security: Fix remote code execution via crafted 'im\_convert\_path' or 'im\_identify\_path' settings
*   Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
*   Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

CVE-2020-12625: Release Roundcube Webmail 1.4.4 · roundcube/roundcubemail

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.

*   Details
*   Reviews
*   Installation
*   Development

MapPress is the easiest way to add beautiful interactive Google and Leaflet maps to WordPress.

Create **unlimited maps and markers** using Gutenberg blocks or the classic editor. The popup map editor makes creating and editing maps easy!

Upgrade to MapPress Pro for even more features, including custom icons, search and filter, clustering, and much more. See it in action on the MapPress Home Page or test it yourself with a Free Demo Site!

Home Page  
What’s New  
Documentation  
FAQ  
Support

**Upgrade**

1.  Deactivate your old MapPress version
2.  Delete your old MapPress version (don’t worry, the maps are saved in the database)
3.  Follow the installation instructions to install the new version

This plugin provides 2 blocks.

*   MapPress Map
*   MapPress Maps for WordPress

This plugin's free version provides what other map plugins are charging for. I love the backend user interface. I went with the Google API just because that's what I'm familiar with. My client wants to emphasize shipping destinations at points in the USA and around the world. And we needed a responsive map. Check. I'm very happy with this plugin. It works well with BeaverBuilder (but you need to use the Shortcode to embed a map...no big deal) alongside GravityForms. No conflicts, very stable, and so easy to use my clients can update the maps themselves with just a little orientation. Great job!

A great easy to use plugin

I'm still testing/designing the site but so far it's exactly what I wanted.

Great plugin, very flexible and easy to use. It can give a "Obsolete jQuery version" error but usually you can just go into inspector and delete the error, and then you can edit the map anyway.

I have been using MapPress Maps for WordPress for years and it has made a tremendous difference on my website. People often say the best feature of the website is the maps! Whenever I have a question or issue, the developer is right there to help out. It is definitely the best plugin I have!

My first choice map and geo plugin. Support is developer level and really helpful with a production site.

Read all 139 reviews

“MapPress Maps for WordPress” is open source software. The following people have contributed to this plugin.

Contributors

*    chrisvrichardson

**2.84.21**

*   Changed: update version compatibility
*   Changed: add alt tags to template icons

**2.84.20**

*   Fixed: sanitize map name in iframes

**2.84.19**

*   Fixed: geolocate parameter not passed through from shortcode

**2.84.18**

*   Fixed: unable to save settings when sizes are numeric

**2.84.17**

*   Fixed: mashup query bug in 2.84.16

**2.84.16**

*   Added: German translation
*   Changed: internal changes to settings screen
*   Fixed: directions not working for lat/lng POIs

**2.84.15**

*   Added: support for hyphenated poi.props variables
*   Changed: parse shortcodes in poi body (frontend only)
*   Changed: fix for WP async image bug is now applied only for WP version < 6.1.1
*   Fixed: directions tab blocked by popup blocker

**2.84.14**

*   Fixed: directions not rendering properly when POI list is disabled
*   Fixed: popup not always centering when canvas is resized
*   Fixed: directions CSS made form too small

**2.84.13**

*   Fixed: temporary fix for WordPress 6.1 async image issue: https://core.trac.wordpress.org/ticket/56969. Fix prevents modifying image URLs.

**2.84.12**

*   Fixed: readme changelog not showing current version
*   Fixed: script error when using Complianz + Leaflet + marker clustering

**2.84.11**

*   Fixed: for GDPR, default “red-dot” icon now loaded from plugin directory
*   Changed: added partial pl\_PL translation

**2.84.10**

*   Fixed: POI hover effect not triggering if POI isn’t opened on hover

**2.84.9**

*   Added: local leaflet libraries for GDPR
*   Changed: removed obsolete translation files

**2.84.8**

*   Fixed: complianz not working

**2.84.7**

*   Fixed: patch in 2.84.6 caused geocoding to fail when adding markers and opening popups
*   Fixed: JavaScript not executing inside popup templates

**2.84.6**

*   Fixed: error when manually centering some maps, in toJSON() method

**2.84.5**

*   Fixed: translations loading from plugin directory

**2.84.4**

*   Added: maps GDPR compliance using the ‘Complianz’ plugin
*   Changed: renamed ‘iframes’ setting to ‘compatibility mode’
*   Changed: iframes forced when Jetpack infinite scroll active
*   Fixed: mashup query not filtering POIs when run in iframe

**2.84.3**

*   Added: new Google marker clusterer (https://github.com/googlemaps/js-markerclusterer)
*   Added: setting to geolocate on user when map is first displayed
*   Changed: better initial centering when poiZoom is set
*   Changed: updates to welcome guide and deactvation menu
*   Fixed: KML files not centering when added in editor
*   Fixed: KML error when using Leaflet
*   Fixed: initial centering when geolocating and browser geolocation is disabled

**2.84.2**

*   Fixed: map sizing incorrectly when using inline list in iframe

**2.84.1**

*   Added: Google AMP compatibility
*   Added: better help text for the “poiZoom” setting
*   Changed: revert iframes to template\_redirect
*   Changed: removed CSS centering for popup texts
*   Fixed: templates and scripts loaded on the main page when iframes active

**2.84**

*   Added: new map editor
*   Fixed: Google sheet upload error
*   Fixed: map styles search not working if enter key pressed

**2.83.23**

*   Fixed: database upgrade running for new installs
*   Fixed: option setting to initially close sidebar is ignored

**2.83.22**

*   Changed: allow popup to size larger when thumbnails are set to top, but no image is present
*   Fixed: missing scrollbars when popup content is large
*   Fixed: warning if default size selected in settings is invalid

**2.83.21**

*   Fixed: typo in setting ‘showCoverageOnHover’

**2.83.20**

*   Fixed: SVN publish

**2.83.19**

*   Fixed: remove generated iframe from build

**2.83.18**

*   Changed: enabled ‘check now’ button even when license is active

**2.83.17**

*   Fixed: mini map class not being applied to small maps
*   Fixed: other plugins break iframes by adding ‘defer’ to script tags

**2.83.16**

*   Changed: prevent WP from overwriting Pro with free version

**2.83.15**

*   Fixed: setting initialopeninfo with no map POIs causes JS error

**2.83.14**

*   Fixed: console warnings in Google marker clusterer from deprecated google.maps.addDomEventListener
*   Fixed: iframe not resizing when height is ‘vh’

**2.83.13**

*   Added: setting to allow mashup thumbnail images to come from either post or POI (mashupThumbs)
*   Added: fast iframes, and iframes that resize to inline (bottom) POI list layout
*   Changed: popups opened by marker hover now close after a short delay when mouse is moved away
*   Fixed: POI list not scrolling to top on page change

**2.83.12**

*   Changed: Google now returns viewport for street addresses, so poiZoom (default zoom) setting applies even if viewport is present
*   Fixed: map loses attachment if attached and then immediately edited

**2.83.11**

*   Fixed: syntax error in API for old versions of PHP

**2.83.10**

*   Changed: map minimum width changed from 250 to 200px
*   Changed: template editor split to separate module
*   Changed: post attachment control updated
*   Changed: REST API code added
*   Fixed: hideEmpty mashup parameter not compatible with new query functions

**2.83.9**

*   Changed: importer updated to allow upper-case column names
*   Changed: updated authors in mashup block to reflect new core data
*   Fixed: focus incorrect when creating new map and selecting title
*   Fixed: map not linked to post when creating new post
*   Fixed: refresh query button not working in mashup block

**2.83.8**

*   Fixed: mashup block shortcode viewer removed
*   Fixed: importer sample map selecting all POIs at once

**2.83.7**

*   Fixed: republish 2.83.6 changes

**2.83.6**

*   Fixed: map iframe interfering with theme customizer

**2.83.5**

*   Changed: workaround for other plugins loading obsolete versions of wp.element
*   Fixed: clicking on mashup thumbnail image not opening underlying post

**2.83.4**

*   Fixed: updated German translation
*   Fixed: double markers showing when using multiple maps with Leaflet clustering

**2.83.3**

*   Fixed: POI list pagination incorrect

**2.83.2**

*   Fixed: drag and drop error with Leaflet polyfill

**2.83.1**

*   Fixed: error from Leaflet json polyfill when theme overwrites Leaflet

**2.83**

*   Added: setting to disable Leaflet cluster outline polygons
*   Changed: editor maps switched to react
*   Fixed: directions not working for POIs with no address

**2.82.4**

*   Fixed: directions link not working

**2.82.3**

*   Fixed: markers shown outside clusters on initial load
*   Fixed: editor marker drag/drop not working

**2.82.2**

*   Fixed: zooming in and out on Google clusters could result in ‘null’ marker
*   Fixed: revert auto-sizing iframes; not compatible with viewport (‘vh’) sizing

**2.82.1**

*   Fixed: maps sized wrong when using sizes without units

**2.82**

*   Changed: frontend loader and rendering switched to react components
*   Changed: iframes resize to content

**2.81.2**

*   Changed: convert import/settings to react map

**2.81.1**

*   Fixed: url query parameter removed, some sites throw 403 error

**2.81**

*   Fixed: POI list showing extra POI beyond page size
*   Fixed: Map editor page size should not be controlled by front-end settings
*   Changed: begin React code transition for admin

**2.80.11**

*   Fixed: innodb utf8mb4 index on map title limited to 191 characters

**2.80.10**

*   Fixed: sorting not working in map list
*   Fixed: save button not disabled during map save
*   Fixed: trashed maps included in mashups

**2.80.9**

*   Fixed: array not initialized for custom props

**2.80.8**

*   Fixed: missing token description in template editor
*   Fixed: multiple custom fields not pulled into templates

**2.80.7**

*   Fixed: settings not saved in setup wizard

**2.80.6**

*   Added: trigger DB upgrade automatically

**2.80.5**

*   Fixed: maps not displaying when scripts output in footer

**2.80.4**

*   Added: enabled user maps

**2.80.3**

*   Changed: authorization ‘edit\_posts’ is now used instead of ‘manage\_options’ for the ‘maps’ menu
*   Changed: thumbnail images now specify size for better popup sizing

**2.80.2**

*   Fixed: POI list not selecting open POI
*   Fixed: mashup error when debugging enabled
*   Fixed: error when dismissing notices

**2.80.1**

*   Fixed: database upgrade check incorrect

**2.80**

*   Added: settings added for directions links in POI list
*   Changed: filters output even when closed, to allow custom CSS modification
*   Fixed: POIs filtered by map bounds even when search disabled

**2.77.3**

*   Fixed: thumbnail not positioned properly in popup modal
*   Fixed: template ‘default’ tab showing current template instead
*   Fixed: POIs were being filtered by bounds even when search disabled

**2.77.2**

*   Fixed: shapes not centering correctly when clicked
*   Fixed: not possible to enable POI hover and open POIs in a new tab or modal
*   Changed: added lazy loading and speed tests for iframes
*   Changed: deactivation screen updated

**2.77.1**

*   Fixed: ACF map fields not being read in mashups
*   Fixed: enable beta versions checkbox not working

**2.77**

*   Changed: source files renamed
*   Fixed: show filter options without escaping

**2.76.6**

*   Changed: updated query filters for WP 6.0
*   Fixed: adjusted infowindow sizing for sub-pixel rendering

**2.76.5**

*   Fixed: adjust webpack configuration to pick up missing translations

**2.76.4**

*   Fixed: mashup inline list not scrolling
*   Fixed: category filter include/exclude not working

**2.76.3**

*   Fixed: mashup list pagination not working

**2.76.2**

*   Fixed: directions link not working

**2.76.1**

*   Fixed: syntax error in mashups
*   Fixed: missing translation for pages
*   Fixed: list page size not working

**2.76**

*   Added: images can now be attached to POIs
*   Added: if multiple images exist, an image gallery is displayed in the map list and popups
*   Fixed: KML overlays were not displaying properly

**2.75.6**

*   Fixed: error when dragging Leaflet markers

**2.75.5**

*   Fixed: geocoding errors written to posts with no custom fields
*   Fixed: thumbnails not displaying properly in list
*   Fixed: insert not working for map sidebar panel

**2.75.4**

*   Fixed: maps with save center not displaying

**2.75.3**

*   Fixed: directions ‘to’ address blank

**2.75.2**

*   Changed: removed unused list templates
*   Fixed: missing POT translation for filter counts
*   Fixed: POI popup modal not working

**2.75.1**

*   Fixed: CSS preventing scrolling bottom POI list
*   Fixed: POI list not displaying in editor if disabled in settings
*   Fixed: blank map edit screen for some sites

**2.75**

*   Changed: completed removal of obsolete Algolia geocoder
*   Changed: updated JavaScript: map editor, POI editor, POI list, directions, map menu, map picker and settings
*   Changed: clustering libraries sourced from CDN

**2.74.3**

*   Fixed: removed import menu from free version
*   Fixed: removed french translation from plugin directory

**2.74.2**

*   Fixed: custom field geocoding not working

**2.74.1**

*   Fixed: option screen alignment wrong for some options
*   Fixed: travel line animation setting not saving properly

**2.74**

*   Added: option to connect POIs with lines, for travel blogs, etc. Lines can be enabled/disabled in the settings or with the shortcode: \[mappress lines=”true”\]
*   Added: new filters form using AJAX
*   Added: import screen for importing maps from CSV files
*   Changed: geocoding custom fields now use a datalist dropdown for easier entry
*   Fixed: Leaflet popup not centered when POI is opened from off-screen
*   Fixed: translations not available for JavaScript texts
*   Fixed: directions not opening when list is below map
*   Fixed: hovering highlight not removed
*   Fixed: on some servers compression settings prevented AJAX calls with output buffering enabled

**2.73.18**

*   Fixed: added back ability to programmatically specify center as array of (lat,lng)

**2.73.17**

*   Added: KML URL is now output when there is an error loading the KML file
*   Fixed: geocoder not recognizing some locations, including “lat,lng” entries

**2.73.16**

*   Fixed: autocomplete not creating new POIs

**2.73.15**

*   Changed: replaced JQuery Autocomplete with new search box

**2.73.14**

*   Fixed: check for wp-config settings preventing file changes

**2.73.13**

*   Fixed: check for wp-config settings preventing file changes

**2.73.12**

*   Fixed: inline directions input not working

**2.73.11**

*   Fixed: include/exclude not working for taxonomy filters

**2.73.10**

*   Fixed: notice on widget screen
*   Fixed: errors on beta theme editor screen
*   Changed: Remove jQuery version check and jQuery tabs control

**2.73.9**

*   Fixed: map doesn’t display if google directions used
*   Changed: filter CSS updated

**2.73.8**

*   Fixed: allow autoptimize to process scripts
*   Fixed: underscore functions and templates broken by woocommerce lodash

**2.73.7**

*   Fixed: notice in wp\_query groupby

**2.73.6**

*   Fixed: exclude wp JS from autoptimize

**2.73.5**

*   Fixed: error resizing maps in jQuery tabs

**2.73.4**

*   Added: base code for mashups by users
*   Fixed: maps attached to a trashed post now appear in the map library
*   Fixed: template editor now inserts properly-formatted tokens for custom fields
*   Fixed: mashup query filtes could interfere with queries from POI oembeds

**2.73.3**

*   Fixed: PHP error when loading filters template

**2.73.2**

*   Fixed: possible PHP error on settings screen
*   Fixed: box-sizing added to layout CSS, directions made max width in mini view

**2.73.1**

*   Fixed: directions not displaying

**2.73**

*   Important: filters CSS has been updated, please update any custom filter forms to match
*   Added: better popup panning and sizing
*   Added: new custom JSON styles can be created in the style editor
*   Added: setting for filter position (search box or POI list)
*   Added: new filter editor in MapPress settings
*   Added: post count in filter dropdown
*   Added: new filter types: post type and text box
*   Added: user-defined labels for filters
*   Added: filter display formats (select/checkbox/radio)
*   Added: include or exclude specific terms (tags, categories,…) for filters
*   Fixed: filters size better in mini mode
*   Fixed: POI body not showing in Firefox when thumbnails on left/right
*   Fixed: control for attaching posts to maps now shows the correct custom post type
*   Fixed: mashup block not updating when query parameters change
*   Fixed: Gutenberg boolean attributes defaulting to false when converting classic blocks
*   Fixed: settings screen not displaying on some wordpress hosted sites

**2.72.5**

*   Fixed: list toggle not working

**2.72.4**

*   Fixed: directions link not working if no POI list present

**2.72.3**

*   Increment version

**2.72.2**

*   Changed: allow DOM events to bubble out of the map container

**2.72.1**

*   Fixed: POI drag and drop sorting not working in editor
*   Fixed: shortcodes in AJAX calls now include scripts with map/mashup output

**2.72**

*   Changed: mashup queries now use a single SQL statement, for hosts that limit SQL size
*   Fixed: youtube videos inside popups did not play full screen
*   Fixed: \[mashup query=”current”\] now displays current posts correctly

**2.71.1**

*   Added: option for POI list page size
*   Added: option for POI list open/closed when map is loaded
*   Fixed: directions not working on Android

**2.71**

*   Added: enable search for individual maps
*   Added: classic editor button updated for compatibility with Enfold theme
*   Changed: remove initialOpenDirections parameter
*   Changed: speed up Nominatim autocomplete
*   Changed: internal updates to ES6 JS for options and maps

**2.70.1**

*   Changed: clearer highlighting in map list
*   Changed: remove beta version
*   Changed: remove IE11 support

**2.70**

*   Added: maps can now be trashed or restored

CVE-2020-12077: MapPress Maps for WordPress

Untrusted Search Path vulnerability in the windows installer of Google Earth Pro versions prior to 7.3.3 allows an attacker to insert malicious local files to execute unauthenticated remote code on the targeted system.

CVE-2020-8895: See notes on Google Earth releases

Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.

Tag

#firefox