The Very Simple Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vsgmap' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5744: Very Simple Google Maps <= 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Print, PDF, Email by PrintFriendly plugin <= 5.5.1 versions.

**Solution**

 Fixed

Update the WordPress Print, PDF, Email by PrintFriendly plugin to the latest available version (at least 5.5.2).

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Print, PDF, Email by PrintFriendly Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.5.2.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-25032: WordPress Print, PDF, Email by PrintFriendly plugin <= 5.5.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

By Owais Sultan
Looking for a SaaS SEO consultant? We’ve rounded up the top 15 SaaS SEO experts you need to…
This is a post from HackRead.com Read the original post: 15 Best SaaS SEO Experts That Will Help You Dominate Online

15 Best SaaS SEO Experts That Will Help You Dominate Online

WordPress LiteSpeed Cache plugin versions 5.6 and below suffer from a persistent cross site scripting vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: LiteSpeed CachePlugin Slug: litespeed-cacheAffected Versions: <= 5.6CVE ID: CVE-2023-4372CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana Codes Fully Patched Version: <= 5.7The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Technical AnalysisThe LiteSpeed Cache is a site acceleration plugin with server-level cache and optimization. It provides a shortcode ([esi]) that can be used to cache blocks with Edge Side Includes technology when added to a WordPress page, if ESI was previously enabled in the settings.Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the vulnerable code reveals that the shortcode method in the ESI class does not adequately sanitize the user-supplied ‘cache’ input, and then fails to escape the ‘control’ output derived from the ‘cache’ parameter when it builds the ESI block. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘cache’ attribute.[You can view these code snippets on the blog] This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Shortcode Exploit PossibilitiesPrevious versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain configurations. This would make it possible for unauthenticated attackers to exploit this Cross-Site Scripting vulnerability on vulnerable installations. Fortunately, however, a vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing, which means most site owners do not need to be concerned about this. We still strongly recommend verifying your site has been updated to one of the patched versions of WordPress core found here. Disclosure TimelineAugust 14, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in LiteSpeed Cache.August 14, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.August 14, 2023 – The vendor confirms the inbox for handling the discussion.August 14, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.August 16, 2023 – The vendor made the patch and sent us the GitHub commit.October 10, 2023 – The fully patched version, 5.7, is released.ConclusionIn this blog post, we have detailed a stored XSS vulnerability within the LiteSpeed Cache plugin affecting versions 5.6 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 5.7 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of LiteSpeed Cache.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response , as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

WordPress LiteSpeed Cache 5.6 Cross Site Scripting

Cross-Site Request Forgery (CSRF) vulnerability in Chetan Gole Smooth Scroll Links [SSL] plugin <= 1.1.0 versions.

**Solution**

 No fix

No patched version is available.

Skalucy discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Smooth Scroll Links Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46095: WordPress Smooth Scroll Links [SSL] plugin <= 1.1.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.2.4 versions.

**Solution**

 No fix

No patched version is available.

qilin\_99 discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Wp Ultimate Review Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46085: WordPress Wp Ultimate Review plugin <= 2.2.4 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Lee Le @ Userback Userback plugin <= 1.0.13 versions.

**Solution**

 No fix

No patched version is available.

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Userback Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46089: WordPress Userback plugin <= 1.0.13 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in PluginEver WC Serial Numbers plugin <= 1.6.3 versions.

**Solution**

 No fix

No patched version is available.

Skalucy discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Serial Numbers for WooCommerce – License Manager Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46078: WordPress Serial Numbers for WooCommerce – License Manager plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Font plugin <= 1.2.3 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Rocket Font Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46067: WordPress Rocket Font plugin <= 1.2.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences.

1<?php23namespace bhr\\Includes;45use bhr\\Admin\\Entity\\Configuration;6use Error;7use Exception;8use SALESmanago\\Model\\Collections\\Api\\V3\\ProductsCollection;91011trait Helper {1213        /\*\*14         \* @param $input  - array or string with commas15         \* @param  bool  $returnString  - true to receive string, false for array16         \* @param  false  $removeInnerSpaces  - spaces within items will be replaced with underscore17         \* @param  false  $toUpperCase18         \* @param  string  $separator  - use separator different from comma19         \* @param  int  $maxLength  - maximum length per value20         \*21         \* @return array|string22         \*/23        public static function clearCSVInput(24                $input,25                $returnString \= true,26                $removeInnerSpaces \= false,27                $toUpperCase \= false,28                $separator \= ',',29                $maxLength \= 25530        ) {31                if ( empty( $input ) ) {32                        return $returnString ? '' : array();33                }34                if ( is\_string( $input ) && ! is\_array( $input ) ) {35                        $inputArray \= explode( ',', $input );36                } else {37                        $inputArray \= $input;38                }39                $output \= array();40                foreach ( $inputArray as $item ) {41                        if ( trim( $item ) ) {42                                $outItem  \= $toUpperCase43                                        ? strtoupper( trim( $item ) )44                                        : trim( $item );45                                $outItem  \= $removeInnerSpaces46                                        ? str\_replace( ' ', '\_', $outItem )47                                        : $outItem;48                                $output\[\] \= substr( $outItem, 0, $maxLength );49                        }50                }5152                return $returnString53                        ? implode( $separator, $output )54                        : $output;55        }5657        /\*\*58         \* @return string59         \*/60        public static function getUserLocale() {61                if ( function\_exists( 'get\_user\_locale' ) ) {62                        return get\_user\_locale();63                }6465                return '';66        }6768        /\*\*69         \* @return string70         \*/71        public static function getLocation() {72                try {73                        $shopLocation \= null;74                        if ( function\_exists( 'wc\_get\_page\_id' ) ) {75                                $shopLocation \= ( get\_permalink( wc\_get\_page\_id( 'shop' ) ) \== \- 1 )76                                        ? get\_home\_url()77                                        : get\_permalink( wc\_get\_page\_id( 'shop' ) );78                        }79                        if ( empty( $shopLocation ) ) {80                                $shopLocation \= $\_SERVER\['SERVER\_NAME'\];81                        }8283                        return GlobalConstant::LOCATION\_PREFIX . md5( $shopLocation );84                } catch ( Error $e ) {85                        error\_log( $e\->getMessage() );8687                        return GlobalConstant::LOCATION\_PREFIX . md5( strval( rand( 1, 100 ) ) );88                }89        }9091        /\*\*92         \* @return string93         \*/94        public static function getLanguage( $lang ) {95                return $lang \=== 'browser'96                        ? substr( $\_SERVER\['HTTP\_ACCEPT\_LANGUAGE'\], 0, 2 )97                        : substr( Helper::getUserLocale(), 0, 2 );98        }99100        /\*\*101         \* @param $param102         \*103         \* @return false|\\WC\_Product|null104         \*/105        public static function wcGetProduct( $param ) {106                return wc\_get\_product( $param );107        }108109        /\*\*110         \* @param $hook\_name111         \* @param $callback112         \* @param  int  $priority113         \* @param  int  $accepted\_args114         \*/115        public static function addAction( $hook\_name, $callback, $priority \= 10, $accepted\_args \= 1 ) {116                add\_action( $hook\_name, $callback, $priority, $accepted\_args );117        }118119        /\*\*120         \* @param $plugin121         \* @param $deprecated122         \* @param $path123         \*/124        public static function loadPluginTextDomain( $plugin, $deprecated, $path ) {125                if ( function\_exists( 'load\_plugin\_textdomain' ) ) {126                        load\_plugin\_textdomain( $plugin, $deprecated, $path );127                }128        }129130        /\*\*131         \* @param $param132         \*133         \* @return bool|\\WC\_Order|\\WC\_Order\_Refund134         \*/135        public static function wcGetOrder( $param ) {136                return wc\_get\_order( $param );137        }138139        /\*\*140         \* @return \\WooCommerce141         \*/142        public static function wc() {143                return WC();144        }145146        /\*\*147         \* @param $orderId148         \* @param $productIdentifierType149         \*150         \* @return array151         \*/152        public static function getProductsFromOrder( $orderId, $productIdentifierType ) {153                /\* Products \*/154                $order          \= self::wcGetOrder( $orderId );155                $ids            \= array();156                $variantIds     \= array();157                $names          \= array();158                $quantities     \= array();159                $skus           \= array();160                $smProductArray \= array();161162                foreach ( $order\->get\_items() as $item\_id \=> $item ) {163                        $WcProduct        \= Helper::wcGetProduct( $item\['variation\_id'\] )164                                ? Helper::wcGetProduct( $item\['variation\_id'\] )165                                : Helper::wcGetProduct( $item\['product\_id'\] );166                        $smProductArray\[\] \= self::getSmEventDetailsFromWcProduct( $WcProduct );167                        $quantities\[\]     \= $item\->get\_quantity();168                }169170                foreach ( $smProductArray as $SmProduct ) {171                        $ids\[\]        \= $SmProduct\->getId();172                        $variantIds\[\] \= $SmProduct\->getVariantId();173                        $skus\[\]       \= $SmProduct\->getSku();174                        $names\[\]      \= $SmProduct\->getName();175                }176177                /\* Shipping \*/178                $shippingMethodNames \= array();179180                foreach ( $order\->get\_items( 'shipping' ) as $item\_id \=> $item ) {181                        $shippingMethodNames\[\] \= $item\->get\_method\_title();182                }183                $shippingMethodName \= implode( ',', $shippingMethodNames );184185                $products \= array(186                        'description' \=> $order\->get\_payment\_method(),187                        'value'       \=> $order\->get\_total(),188                        'detail1'     \=> implode( ',', $names ),189                        'detail2'     \=> $order\->get\_order\_key(),190                        'detail3'     \=> implode( '/', $quantities ),191                        'detail4'     \=> $order\->get\_customer\_note(),192                        'detail5'     \=> $shippingMethodName,193                        'externalId'  \=> $order\->get\_id(),194                );195196                $products += self::generateProductsDetailsByIdentifierType(197                        $productIdentifierType,198                        $ids,199                        $variantIds,200                        $skus201                );202203                return $products;204        }205206        /\*\*207         \* @param $productIdentifierType208         \* @param $ids209         \* @param $skus210         \* @param $variantIds211         \*212         \* @return array213         \*/214        public static function generateProductsDetailsByIdentifierType(215                $productIdentifierType \= '',216                $ids \= array(),217                $variantIds \= array(),218                $skus \= array()219        ) {220                switch ( $productIdentifierType ) {221                        case 'sku':222                                $product\['products'\] \= implode( ',', $skus );223                                $product\['detail6'\]  \= implode( ',', $ids );224                                $product\['detail7'\]  \= implode( ',', $variantIds );225                                break;226227                        case 'variant Id':228                                $product\['products'\] \= implode( ',', $variantIds );229                                $product\['detail6'\]  \= implode( ',', $ids );230                                $product\['detail7'\]  \= implode( ',', $skus );231                                break;232233                        default:234                                $product\['products'\] \= implode( ',', $ids );235                                $product\['detail6'\]  \= implode( ',', $skus );236                                $product\['detail7'\]  \= implode( ',', $variantIds );237                                break;238                }239240                return $product;241        }242243        /\*\*244         \* @param $WcProduct245         \*246         \* @return SmProduct247         \*/248        public static function getSmEventDetailsFromWcProduct( $WcProduct ) {249                $SmProduct \= new SmProduct();250251                /\* Simple products have no parent \*/252                $WcProduct\->get\_parent\_id() !== 0253                        ? $SmProduct\->setId( $WcProduct\->get\_parent\_id() )254                        : $SmProduct\->setId( $WcProduct\->get\_id() );255256                $SmProduct\->setVariantId( $WcProduct\->get\_id() )257                          \->setSku( $WcProduct\->get\_sku() )258                          \->setUnitPrice( $WcProduct\->get\_price() )259                          \->setName( $WcProduct\->get\_name() );260261                return $SmProduct;262        }263264        /\*\*265         \* @param $postId266         \* @param $key267         \* @param $single268         \*269         \* @return mixed270         \*/271        public static function getPostMetaData( $postId, $key, $single ) {272                return get\_post\_meta( $postId, $key, $single );273        }274275    /\*\*276     \* @param $type277     \* @param $arg278     \*279     \* @return false|\\WP\_User280     \*/281    public static function getUserBy( $type, $arg ) {282        return get\_user\_by( $type, $arg );283    }284285        /\*\*286         \* Verify if endpoint starts with https287         \*288         \* @param  string  $endpoint289         \*290         \* @return false|int291         \*/292        public static function checkEndpointForHTTPS( $endpoint ) {293                return preg\_match( '/^(https:\\/\\/)+/', $endpoint );294        }295296        /\*\*297         \* Make sure that salesmanago plugin is loaded last so that woocommerce functions can be used298         \*299         \* @return void300         \*/301        public static function loadSMPluginLast() {302                $SMPlugin      \= "salesmanago/salesmanago.php";303                $activePlugins \= get\_option( 'active\_plugins' );304                $thisPluginKey \= array\_search( $SMPlugin, $activePlugins );305306                if ( in\_array( $SMPlugin, $activePlugins ) && end( $activePlugins ) !== $SMPlugin ) {307                        array\_splice( $activePlugins, $thisPluginKey, 1 );308                        array\_push( $activePlugins, $SMPlugin );309                        update\_option( 'active\_plugins', $activePlugins );310                }311        }312313        /\*\*314         \* Helper function to get image url315         \*316         \* @param $image\_tag string317         \*318         \* @return string319         \*/320        public static function getImageUrl( $image\_tag ) {321                $str \= explode( 'src=', $image\_tag )\[1\];322323                return trim( explode( ' ', $str )\[0\], '"' );324        }325326        /\*\*327         \* Generate webhook callback url for Product API328         \*329         \* @return string330         \*/331        public static function generate\_api\_v3\_webhook\_url() {332                $url \= get\_site\_url();333334                return $url . GlobalConstant::API\_V3\_CALLBACK\_URL . '?sm\_token=' . self::generate\_sm\_token();335        }336337        /\*\*338         \*  Extract WP product id from error message array.339         \*  Iterate over array of error messages, extracting the index of the product that caused the exception.340         \*  The index is then used to extract WP product ID from the $products array.341         \*  Max 8 errors are displayed in the console at a time.342         \*343         \* @param  array  $message\_array  Array of string error message from ApiException344         \* @param  ProductsCollection  $products Collection of products345         \*346         \* @return string|false Readable error message or false on failure347         \*/348        public static function extract\_product\_id\_from\_error\_message\_array( $message\_array, $products ) {349                $preg\_pattern           \= '/\\\[(\\d\*?)\\\]/';350                $errors\_to\_be\_displayed \= \[\];351                $max\_err\_displayed      \= 8;352                try {353                        // additional condition $i < $max\_err\_displayed because we don't want to overwhelm the user with errors354                        $num\_of\_messages \= count( $message\_array );355                        for ( $i \= 0; $i < $num\_of\_messages && $i < $max\_err\_displayed; $i ++ ) {356                                $matches \= array();357                                preg\_match( $preg\_pattern, $message\_array\[ $i \], $matches );358                                $arr\_index                \= $matches\[1\]; // first captured parenthesized subpattern holds the index359                                $productId                \= $products\->toArray()\[ intval( $arr\_index ) \]\['productId'\];360                                $errors\_to\_be\_displayed\[\] \= "{$message\_array\[ $i \]}. Product ID:{$productId}\\n";361                        }362                        sort( $errors\_to\_be\_displayed );363364                        return implode( $errors\_to\_be\_displayed );365                } catch ( Error | Exception $ex ) {366                        return false;367                }368        }369370371        /\*\*372         \* Generate token for api v3 callback verification373         \*374         \* @return string token375         \*/376        public static function generate\_sm\_token() {377                $websiteUrl \= get\_site\_url();378                $clientId   \= Configuration::getInstance()\->getClientId();379                $apiKey     \= Configuration::getInstance()\->getApiKey();380                return hash('sha256', substr(sha1($websiteUrl . $clientId), 0, 16) . substr($apiKey, (strlen($apiKey) \- 8) / 2, 8));381        }382}

Tag

#wordpress