Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 3.7.7 versions.

**Solution**

Fixed 

Update the WordPress Event Manager for WooCommerce plugin to the latest available version (at least 3.7.8).

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Event Manager for WooCommerce Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.7.8.

**Other vulnerabilities in this plugin**

 0 present

 6 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47164: WordPress Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 3.7.7 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in German Krutov LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin <= 2.1 versions.

**Solution**

No fix 

Deactivate and delete. No reply from the vendor.

rezaduty discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress LOGIN AND REGISTRATION ATTEMPTS LIMIT Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47138: WordPress LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin <= 2.1 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Damir Calusic WP Basic Elements plugin <= 5.2.15 versions.

**Solution**

Fixed 

Update the WordPress WP Basic Elements plugin to the latest available version (at least 5.3.0).

rezaduty discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WP Basic Elements Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 5.3.0.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47139: WordPress WP Basic Elements plugin <= 5.2.15 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Import External Images plugin <= 1.4 versions.

**Solution**

No fix 

Deactivate and delete. No reply from the vendor.

Cat discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Import External Images Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46866: WordPress Import External Images plugin <= 1.4 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Logaster Logaster Logo Generator plugin <= 1.3 versions.

**Solution**

No fix 

No patched version available.

rezaduty discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Logaster Logo Generator Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47159: WordPress Logaster Logo Generator plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in chronoengine.Com Chronoforms plugin <= 7.0.9 versions.

**Solution**

No fix 

Deactivate and delete. No reply from the vendor.

rezaduty discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Chronoforms Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47135: WordPress Chronoforms plugin <= 7.0.9 - Cross Site Request Forgery (CSRF) - Patchstack

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

CVE-2023-2734: flutter-woo.php in mstore-api/tags/3.9.0/controllers – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

**mstore-api/trunk/controllers/flutter-user.php**

r2910707

r2913397

 

215

215

                'methods' => 'GET',

216

216

                'callback' => array($this, 'check\_user'),

217

 

                'permission\_callback' => function () {

218

 

                    return parent::checkApiPermission();

219

 

                }

220

 

            ),

221

 

        ));

222

 

223

 

        register\_rest\_route($this->namespace, '/test\_push\_notification', array(

224

 

            array(

225

 

                'methods' => 'POST',

226

 

                'callback' => array($this, 'test\_push\_notification'),

227

 

                'permission\_callback' => function () {

228

 

                    return parent::checkApiPermission();

229

 

                }

230

 

            ),

231

 

        ));

232

 

233

 

        register\_rest\_route($this->namespace, '/test\_push\_notification\_created\_order', array(

234

 

            array(

235

 

                'methods' => 'POST',

236

 

                'callback' => array($this, 'test\_push\_notification\_created\_order'),

237

217

                'permission\_callback' => function () {

238

218

                    return parent::checkApiPermission();

…

…

 

1194

1174

    }

1195

1175

1196

 

    public function test\_push\_notification()

1197

 

    {

1198

 

        $json = file\_get\_contents('php://input');

1199

 

        $params = json\_decode($json);

1200

 

        $email = $params->email;

1201

 

        $is\_manager = $params->is\_manager;

1202

 

        $is\_delivery = $params->is\_delivery;

1203

 

        $user = get\_user\_by('email', $email);

1204

 

        $user\_id = $user->ID;

1205

 

        $serverKey = get\_option("mstore\_firebase\_server\_key");

1206

 

        $status = false;

1207

 

        $is\_onesignal = $params->is\_onesignal;

1208

 

        if($is\_onesignal){

1209

 

            $status = one\_signal\_push\_notification("Fluxstore", "Test push notification", array($user\_id));

1210

 

            return \['status' => $status\];

1211

 

        }

1212

 

        if (isset($is\_manager)) {

1213

 

            if ($is\_manager) {

1214

 

                $deviceToken = get\_user\_meta($user\_id, 'mstore\_manager\_device\_token', true);

1215

 

                if ($deviceToken) {

1216

 

                    $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1217

 

                }

1218

 

            }

1219

 

            return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1220

 

        }

1221

 

        if (isset($is\_delivery)) {

1222

 

            if ($is\_delivery) {

1223

 

                $deviceToken = get\_user\_meta($user\_id, 'mstore\_delivery\_device\_token', true);

1224

 

                if ($deviceToken) {

1225

 

                    $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1226

 

                }

1227

 

            }

1228

 

            return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1229

 

        }

1230

 

        $deviceToken = get\_user\_meta($user\_id, 'mstore\_device\_token', true);

1231

 

        if ($deviceToken) {

1232

 

            $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1233

 

        }

1234

 

        return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1235

 

    }

1236

 

1237

 

    function test\_push\_notification\_created\_order(){

1238

 

        $json = file\_get\_contents('php://input');

1239

 

        $params = json\_decode($json);

1240

 

        return trackNewOrder($params->order\_id);

1241

 

    }

1242

 

1243

1176

    function chat\_notification()

1244

1177

    {

**mstore-api/trunk/controllers/flutter-woo.php**

r2910707

r2913397

 

743

743

        }

744

744

745

 

        if (isset($body\["customer\_id"\]) && $body\["customer\_id"\] != null) {

746

 

            $userId = $body\["customer\_id"\];

747

 

            $user = get\_userdata($userId);

748

 

            if ($user) {

749

 

                wp\_set\_current\_user($userId, $user->user\_login);

750

 

                wp\_set\_auth\_cookie($userId);

751

 

                WC()->customer = new WC\_Customer($userId, true);

752

 

            }

 

745

        $cookie = $request->get\_header("User-Cookie");

 

746

        if (isset($cookie) && $cookie != null) {

 

747

            $user\_id = validateCookieLogin($cookie);

 

748

            if (is\_wp\_error($user\_id)) {

 

749

                return $user\_id;

 

750

            }

 

751

            wp\_set\_current\_user($user\_id);

 

752

            wp\_set\_auth\_cookie($user\_id);

 

753

            WC()->customer = new WC\_Customer($user\_id, true);

753

754

        }

754

755

**mstore-api/trunk/functions/index.php**

r2910707

r2913397

 

113

113

114

114

    if (isset($deviceToken) && $deviceToken != false) {

115

 

        pushNotification($title, $message, $deviceToken);

116

 

    }

117

 

    one\_signal\_push\_notification($title,$message,array($userId));

 

115

        \_pushNotificationFirebase($userId,$title, $message, $deviceToken);

 

116

    }

 

117

    \_pushNotificationOneSignal($userId, $title,$message);

118

118

}

119

119

…

…

 

142

142

            $result = $wpdb->get\_results($sql);

143

143

144

 

            $user\_ids = array();

145

144

            foreach ($result as $item) {

146

 

                $user\_ids\[\]=$item->delivery\_boy;

147

145

                $deviceToken = get\_user\_meta($item->delivery\_boy, 'mstore\_delivery\_device\_token', true);

148

146

                if (isset($deviceToken) && $deviceToken != false) {

149

 

                    pushNotification($title, $message, $deviceToken);

 

147

                    \_pushNotificationFirebase($item->delivery\_boy,$title, $message, $deviceToken);

150

148

                }

151

 

            }

152

 

            one\_signal\_push\_notification($title,$message, $user\_ids);

 

149

                \_pushNotificationOneSignal($title,$message, $item->delivery\_boy);

 

150

            }

153

151

        }

154

152

…

…

 

176

174

            $deviceToken = get\_user\_meta($driver\_id, 'mstore\_delivery\_device\_token', true);

177

175

            if (isset($deviceToken) && $deviceToken != false) {

178

 

                pushNotification($title, $message, $deviceToken);

 

176

                \_pushNotificationFirebase($driver\_id,$title, $message, $deviceToken);

179

177

                $wpdb->insert($table\_name, array(

180

178

                    'message' => $message,

…

…

 

202

200

    $deviceToken = get\_user\_meta($order\_seller\_id, 'mstore\_device\_token', true);

203

201

    if (isset($deviceToken) && $deviceToken != false) {

204

 

        pushNotification($title, $message, $deviceToken);

 

202

        \_pushNotificationFirebase($order\_seller\_id,$title, $message, $deviceToken);

205

203

    }

206

204

    $managerDeviceToken = get\_user\_meta($order\_seller\_id, 'mstore\_manager\_device\_token', true);

207

205

    if (isset($managerDeviceToken) && $managerDeviceToken != false) {

208

 

        pushNotification($title, $message, $managerDeviceToken);

 

206

        \_pushNotificationFirebase($order\_seller\_id,$title, $message, $managerDeviceToken);

209

207

        if (is\_plugin\_active('wc-multivendor-marketplace/wc-multivendor-marketplace.php')) {

210

208

            wcfm\_message\_on\_new\_order($order\_id);

211

209

        }

212

210

    }

213

 

    one\_signal\_push\_notification($title, $message, array($order\_seller\_id));

 

211

    \_pushNotificationOneSignal($order\_seller\_id,$title, $message);

214

212

}

215

213

…

…

 

611

609

        $managerDeviceToken = get\_user\_meta($seller\_id, 'mstore\_manager\_device\_token', true);

612

610

        if (isset($managerDeviceToken) && $managerDeviceToken != false) {

613

 

            pushNotification($title, $message, $managerDeviceToken);

614

 

        }

615

 

        one\_signal\_push\_notification($title, $message, array($seller\_id));

616

 

    }

 

611

            \_pushNotificationFirebase($seller\_id, $title, $message, $managerDeviceToken);

 

612

        }

 

613

        \_pushNotificationOneSignal($seller\_id,$title, $message);

 

614

    }

 

615

}

 

616

 

617

function \_pushNotificationFirebase($user\_id, $title, $message, $deviceToken){

 

618

    $is\_on = isNotificationEnabled($user\_id);

 

619

    if($is\_on){

 

620

        pushNotification($title, $message, $deviceToken);

 

621

    }

 

622

}

 

623

 

624

function \_pushNotificationOneSignal($user\_id, $title, $message){

 

625

    $is\_on = isNotificationEnabled($user\_id);

 

626

    if($is\_on){

 

627

        one\_signal\_push\_notification($title,$message,array($userId));

 

628

    }

 

629

}

 

630

 

631

function isNotificationEnabled($user\_id){

 

632

    $is\_on = get\_user\_meta($user\_id, "mstore\_notification\_status", true);

 

633

    return  $is\_on === "" || $is\_on === "on";

617

634

}

618

635

?>

**mstore-api/trunk/mstore-api.php**

r2910707

r2913397

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.0

 

6

 \* Version: 3.9.1

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

37

37

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-wholesale.php";

38

38

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-stripe.php";

 

39

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-notification.php";

39

40

40

41

class MstoreCheckOut

41

42

{

42

 

    public $version = '3.9.0';

 

43

    public $version = '3.9.1';

43

44

44

45

    public function \_\_construct()

**mstore-api/trunk/readme.txt**

r2910707

r2913397

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.0

 

6

Stable tag:        3.9.1

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.1 =

 

47

  \* Fix security issue for coupon api

 

48

46

49

\= 3.9.0 =

47

50

  \* Fix to push notification to seller when order created

CVE-2023-2733: Diff [2910707:2913397] for mstore-api – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

**mstore-api/trunk/controllers/listing-rest-api/class.api.fields.php**

r2915729

r2916124

 

381

381

                }

382

382

        ));

383

 

384

 

        register\_rest\_route('wp/v2', '/add-listing', array(

385

 

            'methods' => 'GET',

386

 

            'callback' => array(

387

 

                $this,

388

 

                'add\_listing'

389

 

            ) ,

390

 

            'permission\_callback' => function () {

391

 

                return true;

392

 

            }

393

 

        ));

394

383

       

395

384

        register\_rest\_route('wp/v2', '/get-nearby-listings', array(

…

…

 

1072

1061

            $user = get\_userdata($object\['author'\]);

1073

1062

            return $user->display\_name;

1074

 

        }

1075

 

1076

 

        //-----------------//

1077

 

       

1078

 

1079

 

        public function add\_listing($request)

1080

 

        {

1081

 

            $id = $request\['id'\];

1082

 

            wp\_clear\_auth\_cookie();

1083

 

            wp\_set\_current\_user($id);

1084

 

            wp\_set\_auth\_cookie($id, true);

1085

 

            header("Location: " . $request\['url'\]);

1086

 

            die();

1087

1063

        }

1088

1064

**mstore-api/trunk/mstore-api.php**

r2915729

r2916124

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.2

 

6

 \* Version: 3.9.3

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.2';

 

43

    public $version = '3.9.3';

44

44

45

45

    public function \_\_construct()

**mstore-api/trunk/readme.txt**

r2915729

r2916124

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.2

 

6

Stable tag:        3.9.3

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.3 =

 

47

  \* Fix security issue for listing api

 

48

46

49

\= 3.9.2 =

47

50

  \* Fix security issue for cart api

CVE-2023-2732: Diff [2915729:2916124] for mstore-api – WordPress Plugin Repository

Cross-Site Request Forgery (CSRF) vulnerability in dev.Xiligroup.Com - MS plugin <= 1.12.03 versions.

**Solution**

No fix 

Deactivate and delete. No reply from the vendor.

rezaduty discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress xili-tidy-tags Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#wordpress