Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in BestWebSoft Car Rental by BestWebSoft plugin <= 1.1.2 versions.

**Solution**

No patched version is available.

sk4rl1ghT discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Car Rental by BestWebSoft Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-44734: WordPress Car Rental by BestWebSoft plugin <= 1.1.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.

**Solution**

No patched version available.

Brandon Roldan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Activello Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-45849: WordPress Activello theme <= 1.4.4 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Kilian Evang Ultimate Noindex Nofollow Tool II plugin <= 1.3 versions.

**Solution**

Update the WordPress Ultimate Noindex Nofollow Tool II plugin to the latest available version (at least 1.3.4).

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Ultimate Noindex Nofollow Tool II Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.3.4.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-30474: WordPress Ultimate Noindex Nofollow Tool II plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Auth. (admin+) SQL Injection (SQLi) vulnerability in TransbankDevelopers Transbank Webpay REST plugin <= 1.6.6 versions.

**Solution**

Update the WordPress Transbank Webpay REST plugin to the latest available version (at least 1.6.7).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this SQL Injection vulnerability in WordPress Transbank Webpay REST Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 1.6.7.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-27610: WordPress Transbank Webpay REST plugin <= 1.6.7 - Auth. SQL Injection (SQLi) vulnerability - Patchstack

A vulnerability classified as problematic was found in Google Analytics Top Content Widget Plugin up to 1.5.6 on WordPress. Affected by this vulnerability is an unknown functionality of the file class-tgm-plugin-activation.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.7 is able to address this issue. The name of the patch is 25bb1dea113716200a6f0f3135801d84a7a65540. It is recommended to upgrade the affected component. The identifier VDB-226117 was assigned to this vulnerability.

CVE-2015-10101

The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

1<?php23// Exit if accessed directly4if ( ! defined( 'ABSPATH' ) ) exit;567Class ALRSocialFacebook {89    /\*\*10     \* The prefix used for meta keys, CSS classes, html IDs, etc.11     \*12     \* @since 2.0.013     \*/14    public $prefix;151617    /\*\*18     \* An object containing additional helper functions19     \*20     \* @since 2.0.021     \*/22    public $\_zm\_alr\_helpers;232425    /\*\*26     \* Adding of all hooks27     \*28     \* @since 2.0.029     \*30     \* @param31     \* @return32     \*/33    public function \_\_construct( ZM\_Dependency\_Container $di ){3435        $this\->prefix \= 'zm\_alr\_social\_facebook';36        $this\->\_zm\_alr\_helpers \= $di\->get\_instance( 'helpers', 'ALRHelpers', null );3738        add\_action( 'wp\_ajax\_facebook\_login', array( &$this, 'facebook\_login' ) );39        add\_action( 'wp\_ajax\_nopriv\_facebook\_login', array( &$this, 'facebook\_login') );40        add\_action( 'wp\_head', array( &$this, 'head' ) );4142        add\_filter( 'get\_avatar', array( &$this, 'load\_fb\_avatar' ) , 1, 5 );43        add\_filter( 'zm\_alr\_login\_above\_fields', array( &$this, 'aboveLoginFields' ) );44        add\_filter( 'zm\_alr\_register\_above\_fields', array( &$this, 'aboveLoginFields' ) );45        add\_filter( 'zm\_alr\_social\_settings\_fields\_tab', array( &$this, 'settings' ) );4647    }484950    /\*\*51     \* Maps our FB response fields to the correct user fields as found in wp\_update\_user. Then52     \* calls setUpNewFacebookUser, and passes the correct response via JSON to JS.53     \*54     \* @since 2.0.055     \*56     \* @return  JSON    A JSON object57     \*/58    public function facebook\_login(){5960        check\_ajax\_referer( 'facebook-nonce', 'security' );6162        $user \= array(63            'username'   \=> $\_POST\['fb\_response'\]\['id'\],64            'user\_login' \=> $\_POST\['fb\_response'\]\['id'\],65            'first\_name' \=> $\_POST\['fb\_response'\]\['first\_name'\],66            'last\_name'  \=> $\_POST\['fb\_response'\]\['last\_name'\],67            'email'      \=> $\_POST\['fb\_response'\]\['email'\],68            'user\_url'   \=> $\_POST\['fb\_response'\]\['link'\],69            'fb\_id'      \=> $\_POST\['fb\_response'\]\['id'\]70            );7172        if ( empty( $user\['username'\] ) ){7374            $status \= $this\->\_zm\_alr\_helpers\->status('invalid\_username');75            $user\_id \= false;7677        } else {7879            $user\_obj \= get\_user\_by( 'login', $user\['user\_login'\] );8081            if ( $user\_obj \== false ){8283                $user\_obj \= $this\->setupNewFacebookUser( $user );8485            }8687            // A WP user account already exists that is NOT associated with a FB account88            if ( $user\_obj \== 'existing\_user\_email' ){8990                $status \= $this\->\_zm\_alr\_helpers\->status('username\_exists');9192            } elseif ( $user\_obj ){9394                $user\_id \= $user\_obj\->ID;95                wp\_set\_auth\_cookie( $user\_id, true );96                $status \= $this\->\_zm\_alr\_helpers\->status('success\_login');9798            } else {99100                $status \= $this\->\_zm\_alr\_helpers\->status('invalid\_username');101102            }103        }104105        $status \= array\_merge( $status, $this\->registerRedirect( $user\['user\_login'\] ) );106107        wp\_send\_json( $status );108109    }110111112    /\*\*113     \* Setup a new Facebook User114     \*115     \* @since 1.0.9116     \* @param $user (array) Containing the values as seen117     \*  in: http://codex.wordpress.org/Function\_Reference/wp\_insert\_user118     \* @return $user\_obj (object) The user\_obj as seen119     \*  in: http://codex.wordpress.org/Function\_Reference/get\_user\_by120     \*/121    public function setupNewFacebookUser( $user\=array() ){122123        $user\_id \= $this\->\_zm\_alr\_helpers\->createUser( array\_merge( $user, array(124            'user\_pass' \=> wp\_generate\_password()125        ) ), $this\->prefix );126127128        if ( is\_wp\_error( $user\_id ) ){129130            $user\_obj \= $user\_id\->get\_error\_code();131132        } else {133134            $user\_obj \= get\_user\_by( 'id', $user\_id );135136        }137138        return $user\_obj;139140    }141142143    /\*\*144     \* Replaces the default gravatar with the Facebook profile picture.145     \*146     \* @param string $avatar The default avatar147     \* @param int $id\_or\_email The user id148     \* @param int $size The size of the avatar149     \* @param string $default The URL of the WordPress default avatar150     \* @param string $alt Alternate text for the avatar.151     \*152     \* @return string $avatar The modified avatar153     \*/154    public function load\_fb\_avatar( $avatar, $id\_or\_email, $size, $default, $alt ) {155156        global $zm\_alr\_settings;157158        if ( empty( $zm\_alr\_settings\[ $this\->prefix . '\_use\_avatar' \] )159            && $zm\_alr\_settings\[ $this\->prefix . '\_use\_avatar' \] != 1 ){160161            return $avatar;162163        }164165        $user \= false;166167        if ( is\_numeric( $id\_or\_email ) ) {168169            $id \= (int) $id\_or\_email;170            $user \= get\_user\_by( 'id' , $id );171172        } elseif ( is\_object( $id\_or\_email ) ) {173174            if ( ! empty( $id\_or\_email\->user\_id ) ) {175                $id \= (int) $id\_or\_email\->user\_id;176                $user \= get\_user\_by( 'id' , $id );177            }178179        } else {180            $user \= get\_user\_by( 'email', $id\_or\_email );181        }182        if ( $user && is\_object( $user ) ) {183            $user\_id \= $user\->data\->ID;184185            // We can use username as ID but checking the usermeta we are sure this is a facebook user186            if( $fb\_id \= get\_user\_meta( $user\_id, 'fb\_id', true ) ) {187                $fb\_url \= 'https://graph.facebook.com/' . $fb\_id . '/picture?width='. $size . '&height=' . $size;188                $avatar \= "<img alt='facebook-profile-picture' src='{$fb\_url}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";189190            }191192        }193        return $avatar;194195    }196197198    /\*\*199     \* Determine if the Facebook login setting is set.200     \*201     \* @since 2.0.0202     \*203     \* @return BOOL204     \*/205    public function isEnabled(){206207        global $zm\_alr\_settings;208209        if ( $zm\_alr\_settings\[ $this\->prefix . '\_enabled' \] \== 'off' ){210            $enabled \= false;211        } else {212            $enabled \= true;213        }214215        return $enabled;216217    }218219220    /\*\*221     \* Filters the fields above the Login form and displays the FB button.222     \*223     \* @since 2.0.0224     \*225     \* @return The FB button226     \*/227    public function aboveLoginFields( $above\_html ){228229        if ( ! $this\->isEnabled() )230            return $above\_html;231232        $container\_classes \= implode( " ", array(233            'fb-login-container',234            ZM\_ALR\_NAMESPACE . '\_login\_container',235            $this\->prefix . '\_login\_container'236            ) );237238        global $zm\_alr\_settings;239240        if ( is\_int( $zm\_alr\_settings\[ $this\->prefix . '\_login\_button' \] ) ){241            $logo\_class \= null;242            $text \= '<img src="' . wp\_get\_attachment\_url( $zm\_alr\_settings\[ $this\->prefix . '\_login\_button' \] ) . '" />';243        } else {244            $logo\_class \= 'fb-login-logo';245            $text \= \_\_( 'Log in using Facebook', ZM\_ALR\_TEXT\_DOMAIN );246        }247248        $above\_html .= sprintf( '<div class="%s"><a href="#" class="fb-login %s" data-zm\_alr\_facebook\_security="%s">%s</a></div>',249            $container\_classes,250            $logo\_class,251            wp\_create\_nonce( 'facebook-nonce' ),252            $text253            );254255        return $above\_html;256257    }258259260    /\*\*261     \* Filters the default settings, adding the additional settings below.262     \*263     \* @since   2.0.0264     \*265     \* @param   $current\_settings   The current global settings266     \*267     \* @return  $settings           The current global settings with the additional FB settings268     \*/269    public function settings( $current\_settings ){270271        // Facebook272        $settings \= array(273            array(274                'title' \=> \_\_( 'Facebook Settings', ZM\_ALR\_TEXT\_DOMAIN ),275                'type' \=> 'header'276                ),277            array(278                'id' \=> $this\->prefix . '\_enabled',279                'type' \=> 'checkbox',280                'title' \=> \_\_( 'Enable', ZM\_ALR\_TEXT\_DOMAIN ),281                'std' \=> 'off',282                'desc' \=> \_\_( 'By enabling this setting visitors will be able to login with Facebook.', ZM\_ALR\_TEXT\_DOMAIN )283            ),284            array(285                'id' \=> $this\->prefix . '\_login\_button',286                'type' \=> 'upload',287                'title' \=> \_\_( 'Login Button', ZM\_ALR\_TEXT\_DOMAIN ),288                'std' \=> ZM\_ALR\_URL . 'assets/images/facebook-screen-grab.png',289                'desc' \=> \_\_( 'Upload a custom image to be displayed as the Facebook login button.', ZM\_ALR\_TEXT\_DOMAIN )290            ),291            array(292                'id' \=> $this\->prefix . '\_app\_id',293                'type' \=> 'fancyText',294                'title' \=> \_\_( 'App ID', ZM\_ALR\_TEXT\_DOMAIN ),295                'desc' \=> \_\_( 'This is the App ID as seen in your <a href="https://developers.facebook.com/">Facebook Developer</a> App Dashboard. For detailed instructions visit the <a href="http://zanematthew.com/ajax-login-register-help-videos/" target="\_blank">How To add Facebook Settings to AJAX Login & Register</a>.', ZM\_ALR\_TEXT\_DOMAIN )296297            ),298            array(299                'id' \=> $this\->prefix . '\_use\_avatar',300                'type' \=> 'checkbox',301                'std' \=> 'off',302                'title' \=> \_\_( 'Use Facebook Avatar', ZM\_ALR\_TEXT\_DOMAIN ),303                'desc' \=> \_\_( 'Checking this box will make Facebook profile picture show as avatar when possible ', ZM\_ALR\_TEXT\_DOMAIN )304            )305        );306307308        $current\_settings \= array\_merge( $current\_settings, $settings );309310        return $current\_settings;311312    }313314315316    /\*\*317     \* Adds our meta and FB script to the HTML head via wp\_head318     \*319     \* @since   2.0.0320     \*321     \* @return  Adds the needed meta fields for FB.322     \*/323    public function head(){324325        if ( ! $this\->isEnabled() )326            return;327328        global $zm\_alr\_settings;329330        $app\_id \= esc\_attr( $zm\_alr\_settings\[ $this\->prefix . '\_app\_id' \] );331332        ?>333334        335        <meta property="fb:<?php echo $app\_id; ?>" content="<?php echo $app\_id; ?>"/>336        337338        339        <script type="text/javascript">340            window.fbAsyncInit = function() {341                FB.init({342                    appId      : "<?php echo $app\_id; ?>", // App ID343                    cookie     : true,  // enable cookies to allow the server to access the session344                    xfbml      : true,  // parse XFBML345                    version    : 'v2.3' // use version 2.3346                });347            };348            // Load the SDK asynchronously349            // This is updated as the old version went to all.js350            (function(d, s, id) {351                var js, fjs = d.getElementsByTagName(s)\[0\];352                if (d.getElementById(id)) return;353                js = d.createElement(s); js.id = id;354                js.src = "//connect.facebook.net/<?php echo get\_locale(); ?>/sdk.js";355                fjs.parentNode.insertBefore(js, fjs);356            }(document, 'script', 'facebook-jssdk'));357        </script>358        359360    <?php }361362363    public function registerRedirect( $user\_login\=null, $status\=null ){364        // Since this is handled via an AJAX request $wp->request is always empty365        // @todo Submit to core366        // global $wp;367        // $tmp = trailingslashit( add\_query\_arg( '', '', site\_url( $wp->request ) ) );368        $current\_url \= empty( $\_SERVER\['HTTP\_REFERER'\] ) ? site\_url( $\_SERVER\['REQUEST\_URI'\] ) : $\_SERVER\['HTTP\_REFERER'\];369        $redirect\['redirect\_url'\] \= apply\_filters( $this\->prefix . '\_redirect\_url', $current\_url, $user\_login, $status );370371        return $redirect;372    }373374}

CVE-2023-2027: ALRSocialFacebook.php in zm-ajax-login-register/trunk/src/ALRSocial – WordPress Plugin Repository

Auth. (admin+) Stored Cross-Site Scripting') vulnerability in Zephilou Cyklodev WP Notify plugin <= 1.2.1 versions.

**Solution**

Update the WordPress Cyklodev WP Notify plugin to the latest available version (at least 1.3.0).

sk4rl1ghT discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Cyklodev WP Notify Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.3.0.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-44625: WordPress Cyklodev WP Notify plugin <= 1.2.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

CVE-2022-45358: WordPress Activello theme <= 1.4.4 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

On March 22, 2023, a vulnerability was discovered within WooCommerce Payments that, if exploited, could permit unauthorized admin access to impacted stores. We immediately deactivated the impacted services and mitigated the issue for all websites hosted on WordPress.com, Pressable, and WPVIP.

The vulnerability was reported by Michael Mazzolini of GoldNetwork, who was conducting white-hat testing for us through our HackerOne program. As soon as the vulnerability was reported, we began an investigation to ascertain whether any data had been exposed or if the vulnerability had been exploited. We currently have no evidence of the vulnerability being used outside of our own security testing program. We shipped a fix and worked with the WordPress.org Plugins Team to auto-update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions. The update is currently being automatically rolled out to as many stores as possible.

Because this vulnerability also had the potential to impact WooPay, a new payment checkout service in beta testing, we have temporarily disabled the beta program.

**I have WooCommerce Payments installed. What actions do I need to take?**  
If your website is hosted on WordPress.com, your store is in the process of being updated or has already been updated to remove the vulnerability.

All websites with WooCommerce Payments 4.8.0 and higher installed and activated on their site, that are not hosted on WordPress.com and which have not updated to a patched version (see below), are still potentially vulnerable to this issue. Here’s how to make sure you have the latest version:​​

1.  From your WP Admin dashboard, click the _Plugins_ menu item and look for **_WooCommerce Payments_** in your list of plugins.
2.  The version number should be displayed in the _Description_ column next to the plugin name. If this number matches any of the patched versions listed below, **no further action is needed**.
3.  If a new version is available for download, you should see a notice guiding you to **update WooCommerce Payments** — please go ahead and do so.

Once you’re running a secure version, we recommend checking for any unexpected admin users or posts on your site. **If you find any evidence of unexpected activity**, we suggest:

1.  Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites. 
2.  Rotating any API keys used on your site, including the WooCommerce API keys used on your site. Here’s how to update your WooCommerce API keys. For resetting other keys, please consult the documentation for those specific plugins or services.

**How do I know if my version is up-to-date?  
**Below you can find the full list of patched versions of WooCommerce Payments. If you are running a version of WooCommerce Payments that is not on this list, please update to one of these versions immediately.

**Patched WooCommerce Payments Versions**

4.8.2

4.9.1

5.0.4

5.1.3

5.2.2

5.3.1

5.4.1

5.5.2

5.6.2

5.7.0 and above

**Has my data been compromised?**  
At this time we have no evidence that the vulnerability was exploited beyond identifying it in our own security testing program. We will continue to investigate, and if we discover any new information we will update this post.

**Which passwords do I need to change?**  
It’s unlikely that your password was compromised as it is hashed.

WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.

Note that our guidance on passwords assumes that your site is using the standard WordPress password management for users. Depending on the plugins you’ve installed on your site you may have passwords or other sensitive information stored in less secure ways.

If any of the Administrator users on your site might have reused the same passwords on multiple websites, we recommend you update those passwords in case their credentials have been compromised elsewhere.

  
We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways, and more, depending on your particular store configuration. Here’s how to update your WooCommerce API key. For resetting other keys, please consult the documentation for those specific plugins.  

**I’m a service provider, developer, or agency. Should I alert my WooCommerce merchants?**  
We encourage anyone who supports or develops for other WooCommerce merchants to share this information and to make sure that their clients who have WooCommerce Payments installed are using the most updated version of WooCommerce Payments.

**I’m a merchant. Do I need to contact my customers?**  
We do not believe any store or customer data was compromised as a result of this vulnerability. If we have any reason to think this is not the case, we will contact you via email directly.

**Is WooCommerce still safe to use?**  
Yes. Identifying a new vulnerability is uncommon, however it still can arise sometimes. When it does, we work diligently to track and patch any vulnerabilities as quickly as possible. And we strive to investigate, act, and communicate with our merchants and customers as quickly as possible.

**I have other questions.**  
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.

**_March 27, 2023 UPDATE_**  
Since posting about the WooCommerce Payments vulnerability last week, we have been in touch with a few customers who have reported potential exploits to their WooCommerce stores. We’re investigating each of those reports to better understand what has taken place, and we’re working directly with impacted customers to help them secure their shops. 

We continue to encourage you to reach out and open a ticket with Woo’s support team if you believe your store was impacted.

CVE-2023-28121: Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know

Auth. SQL Injection') vulnerability in Kunal Nagar Custom 404 Pro plugin <= 3.7.0 versions.

**Solution**

Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.1).

Found this useful? Thank minhtuanact for reporting this vulnerability. Buy a coffee ☕

minhtuanact discovered and reported this SQL Injection vulnerability in WordPress Custom 404 Pro Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 3.7.1.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#wordpress