The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-3391

The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

CVE-2022-3335

The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-3350

By Owais Sultan
Credit card scams are on the rise, and according to research, the US and Canadian citizens are more…
This is a post from HackRead.com Read the original post: Credit Card Scams and How to Avoid Them

Credit card scams are on the rise, and according to research, the US and Canadian citizens are more likely to be a victim of this crime than those of any other country in the world, with billions lost annually to crooks and fraudsters.

Both individuals and businesses can be at risk of credit card scams, which are now recognized as the most common form of identity fraud – there were half a million cases in the US last year alone. Fortunately, you can take several simple steps to avoid getting caught up in a con – here’s what you need to know.

**Only Buy From Trusted Websites**

One of the most common ways that scammers get hold of victims’ credit card details is via cloned or fake websites. These sites may appear totally legit and could even masquerade as a well-known brand’s website but have, in fact, been set up by crooks purely to harvest unsuspecting visitors’ card details.

Avoid this by only buying from trusted sites. To do this, start by looking at the website’s address bar to ensure it’s that of the business you think it is. Scammers deploy tricks such as replacing the odd letter with a special character (such as a $ for an S) so that, at first glance, the website address seems legit.

Also, ensure that the address starts with ‘HTTPS’ rather than just ‘HTTP’ – this indicates that it’s secure and mechanisms are in place to protect your payment and personal details.

**Use Secure Payment Processing Systems**

How you process customers’ card transactions is crucial for businesses to avoid clients’ details falling into the wrong hands.

Ensure your merchant service provider offers the highest levels of security possible – some are specifically designed for what is considered ‘high-risk’ industries. It’s also vital to ensure that any physical copies of receipts your business holds are kept securely. This means keeping them locked away, ideally in a safe, where they can’t be easily accessed.

**Check Your Statements Regularly**

A low-tech but extremely effective way to guard against credit card scams is to check your card statements regularly: ideally, once or twice a fortnight.

Many scammers, having gotten hold of your card details, will siphon off very small amounts of money initially, so you’re unlikely to notice. After a while, they may use your card details to make an expensive purchase, potentially clearing out your available funds.

Go through your statements with a fine tooth comb, looking for anything unusual or a payment to a business or individual you don’t recognize. If you spot something suspicious, get in touch with your bank or card issuers immediately to let them know what’s happened.

**Protecting Your Card**

Scammers don’t just operate in the digital world: it’s important to take steps to ensure the safety of your physical card.

Crooks now have access to devices that can potentially harvest your card details even when it’s safely tucked away in your wallet or a pocket – the scammers simply need to be physically close to you – which can be surreptitiously done while waiting in line to pay, for example, or walking around a busy store.

Now cardholders on the market will block out attempts to read these details – an easy, cost-effective way to guard against fraudsters. Alternatively, although unconfirmed, some suggest wrapping a card in aluminum foil will also have the same protective effect.

**Keep Your Devices Secure**

Another way scammers can access your credit card is via the devices you use. To prevent being hacked, ensure you not only deploy high-quality virus and malware protection but also update it regularly.

Avoid, too, using public Wifi connections, especially to make purchases. These connections are relatively easy for hackers and snoopers to access, allowing them to get hold of your card and personal details.

Consider using a VPN (a virtual private network) to connect to the internet, which provides a much more secure way to be online and makes even connecting via public Wifi safe.

A VPN works by protecting your device’s IP address and encrypting all internet traffic – even in the unlikely event that a hacker gains access to your data, they won’t be able to interpret it.

**Stay Safe from Phishing Attacks**

Phishing attacks are on the rise and are a common way that con artists commit credit card fraud. Typically, an email is sent to an unsuspecting recipient, often appearing to be from a legit business or brand or possibly from the recipient’s bank. However, when the victim clicks on the link and enters the requested details, they’re actually giving their information to a scammer.

Always be on guard for phishing emails: never click on a link unless you are absolutely sure the message is from who it says it is. Poor spelling, grammar, or layout is a major red flag of a phishing scam, as is an incorrect ‘from’ address. To check the latter, simply hover the mouse over the sender’s name, and see if this matches the company that the message purports to be from.

**Staying Safe from Scams**

Around 10% of the adult population in the US falls victim to credit card scams every year – avoid being part of this statistic by taking the relevant steps outlined above to stay safe and secure from fraudsters.

1.  Hackers now use web skimmers to steal credit card data
2.  22 people indicted on malware, credit card fraud charges
3.  5 Signs your WordPress Site is Hacked (And How to Fix It)
4.  Authorities disrupt stolen credit card trading scam on dark web
5.  Protection Against Online Scams: How to Keep Your Credit Safe

Credit Card Scams and How to Avoid Them

Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**OVERVIEW**

Pop-Up Chop Chop plugin brings unlimited pop-ups with easily customizable professional templates. Each template comes in **two sizes** (big and small). The pop-ups are **fully responsive** and work with any WordPress theme.

With Pop-Up Chop Chop 2.0 you can create **any number** of input fields and collect your visitors’ emails, names, phone numbers…

Pop-Up Chop Chop is a perfect solution to capture the audience’s attention in the right time and place to build your mailing list.

**CUSTOMIZATION**

Pop-Up Chop Chop allows you to build elegant and professional pop-ups in a couple of minutes. Create attractive content and the pop-ups matching your website’s design. Preview your changes live while editing the content in our custom visual editor. Decide when the visitors see your pop-up – set the time and display the pop-up exactly when and where you want to.

**Features:**

*   Unlimited pop-up number
*   Multiple input fields (drag & drop ordering)
*   Neat designs
*   6 elegant and professional pop-up templates
*   Two pop-up sizes (big and small)
*   Responsive pop-up themes
*   Retina-friendly
*   Quick and easy pop-up setup
*   User-friendly interface
*   Smooth and swift admin panel
*   Highly customizable content
*   Email notifications
*   Turn on/off the pop-ups on mobile devices

**Using The WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Search for ‘pop-up’
3.  Click ‘Install Now’
4.  Activate the plugin on the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**Uploading in WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Navigate to the ‘Upload’ area
3.  Select pop-up from your computer
4.  Click ‘Install Now’
5.  Activate the plugin in the Plugin dashboard
6.  Go to PopUp in the left menu to manage the pop-ups

**Using FTP**

1.  Download ‘pop-up’
2.  Extract the ‘pop-up’ directory to your computer
3.  Upload the ‘pop-up’ directory to the ‘/wp-content/plugins/’ directory
4.  Activate the plugin in the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**1\. How do I add custom fields to my pop-up?**

Follow the Custom Fields Manual to learn how to add new fields to your contact form.

**2\. Questions? Comments?**

Contact talk@chop-chop.org if you have any questions or wish to provide feedback.

Possibilité de relier à MailChimp en version Pro. Vraiment très simple à utiliser et paramétrer.

I went thru all free pop-up plugins out there and everyone of them was really bad - hard to configure, not responsive or just ugly. Pop-up CC is easy to setup and looks awesome. Premium version has more options, but free is still very good - you can use all the templates etc. I had and issue tho with plugin not sending notifications about new subscribers so wrote about it to the creators and they responded very fast, helping me fix it. It works as intended now. Thanks!

Great plugin design and functionality. I had some difficulty setting it up - based on a lack of developer knowledge, but their support team were fantastic and responded to my query within hours. They went above ad beyond to get me set up and now I'm on my way there's no looking back. Can't recommend highly enough - keep up the great work.

Good and quite simple to use. Poor documentation, you have to try to understand some option.

Read all 16 reviews

“Pop-Up Chop Chop” is open source software. The following people have contributed to this plugin.

Contributors

*    Chop Chop

**2.1.7**

WordPress 5.5.1 and PHP 7.4 compatibility  
FIX: Minor php and css errors

**2.1.6**

WordPress 5.4.2 compatibility  
FIX: Input error message

**2.1.5**

WordPress 5.4.1 compatibility  
PHP 7.4 compatibility

**2.1.3**

FIX: Admin responsive css  
UPDATE: Tested with 4.9.2

**2.0.9**

Change load time

**2.0.8**

Cleanup

**2.0.6**

ADD: close on overlay click

**2.0.5**

ADD: style select to wysywig editor

**2.0.4**

Delete: old live preview fields

**2.0.3**

ADD: missing files in wordpress repo

**2.0.2**

ADD: missing files in wordpress repo

**2.0.1**

UPDATE: add newsletter metabox file

**1.4.1**

FIX: wordpress help tabs

**1.4.0**

ADD: CMB upgrade

**1.3.5**

FIX: “disable on” list

**1.3.4**

FIX: Templates css

**1.3.3**

ADD: woocommerce products to “disable on” list

**1.3.2**

FIX: background image uploader

**1.3.0**

ADD: woocommerce pages to “disable on” list

**1.2.5**

FIX: Customize button

**1.2.4**

FIX: Templates css

**1.2.3**

FIX: Google fonts

**1.2.2**

ADD: Jquery Cookies new version

**1.2.1**

FIX: Templates css

**1.2.0**

FIX: Templates css

**1.1.6**

FIX: Templates css

**1.1.5**

ADD: Close timeout option  
FIX: Templates css

**1.1.4**

FIX: Templates css  
FIX: Wysiwyg editor

**1.1.3**

ADD: Field label

**1.1.2**

ADD: “Thank you” message edit option

**1.1.1**

ADD: intro/outro fade  
ADD: New thumbnails  
FIX: Newsletter section

**1.1.0**

FIX: Admin ajax  
ADD: Speed optimization

**1.0.9**

FIX: Templates css

**1.0.8**

ADD: Cookie option  
FIX: Templates css  
ADD: Admin panel enhancements

**1.0.7**

FIX: Templates css

**1.0.6**

FIX: Wysiwyg editor

**1.0.5**

ADD: Field label  
FIX: Button css

**1.0.4**

FIX: headers  
FIX: mobile templates

**1.0.3**

FIX: Templates css

**1.0.2**

FIX: Templates css  
ADD: “Show once per session” option  
ADD: Auto close the pop-up after the sign-up

**1.0.1**

Fix: newsletter signup form

**1.0.0**

First release

CVE-2022-41638: Pop-Up Chop Chop

Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Analytics Cat – Google Analytics is a lean, fast, simple, no-frills way to add your Google Analytics / Universal Google Analytics code to your WordPress site.

This bloat-free, simple Google Analytics WordPress plugin doesn’t add tons of features. Instead, Analytics Cat – Google Analytics simply focuses on letting you add your Google Analytics (Universal Analytics) Code to your site in less than 2 minutes, without slowing your site down.

**Which features does Analytics Cat – Google Analytics have?**

*   Add the Google Analytics (Universal Analytics) tracking code to your WordPress site with ease.
*   Hide your Google Analytics tracking code from logged-in users so you don’t pollute your data.

**How to use Analytics Cat – Google Analytics?**

There are multiple ways to add the Google Analytics tracking code to your WordPress site.

**1\. Pasting your Google Analytics script into your theme**  
This approach isn’t great for two reasons:  
a) If you edit your live site and make a mistake when pasting your Google Analytics script into your theme, you could take down your website.  
b) If your theme is updated with new features or security fixes, your Google Analytics code will be overwritten.

**2\. Pasting your Google Analytics script into a header/footer script plugin**  
This is a valid approach, but has some disadvantages. General purposes “header script plugins” aren’t built from the ground-up to support Google Analytics.

What this means is that :  
a) These plugins lack Google Analytics-specific functionality.  
b) These plugins will not adapt if Google Analytics changes again. Since Analytics Cat is a dedicated Google Analytics WordPress plugin, we’ll make sure make sure to stay compatible with future changes to Google Analytics.  
c) These plugins usually don’t support hiding your Google Analytics code from logged-in users.

**3\. Using Some Other Google Analytics WordPress Plugin**  
There are some good Google Analytics plugins out there, but many of them are bloated, have too many settings and are slow.

You’ll love Analytics Cat – Google Analytics Cat iff what you want is a simple, reliable Google Analytics plugin,

**Does Analytics Cat – Google Analytics Plugin work with Universal Analytics?**

Yes. Analytics Cat is built from the ground up to support Universal Analytics.

Analytics Cat – Google Analytics does not work with the old Google Analytics script that Google deprecated.

**Can I hide my Google Analytics tracking code from logged in users?**

Yes. You can hide your Google Analytics code from logged in users by going to Settings -> Google Analytics Manager.

**Is Analytics Cat – Google Analytics easy to translate?**

Yes. Analytics Cat – Google Analytics Cat is fully translateable. Please let us know if you’re interested in contributing.

**Analytics Cat – Google Analytics Feature Roadmap**

This is just the first version of Analytics Cat – we have tons of new features & improvements lined up. Do you have any suggestions? Please leave a comment in the support forums.

—The Fatcat Apps Team

**Privacy Disclosure**

This plugin can be configured to connect to 3rd party service providers such as Google.

If you use this plugin to connect to a 3rd party, personal data may also be shared with that party.

Additional privacy policy information for 3rd party services can be found here:

Google

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

*   Analytics Cat - Google Analytics for WordPress settings screen
    

1.  Upload the Analytics Cat – Google Analytics plugin file (fca-ga.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Settings -> Google Analytics Manager’ to add your tracking code.

**How do I set up Google Analytics using Analytics Cat?**

After installing this plugin, simply go to Settings -> Google Analytics Manager and add your Google Analytics (Universal Analytics) ID.

**What is my Google Analytics tracking ID?**

Follow these steps to find your Google Analytics tracking id:

1.  Sign in to your Google Analytics account
    
2.  On the bottom left side of the screen, click on “Admin” (Cog icon).
    
3.  Select your preferred Account and Property from the columns.
    
4.  Under Property, Click ‘Tracking Info’ > ‘Tracking Code’
    
5.  You will find your Tracking ID here (example: UA-xxxxxx-01)
    
6.  Paste this Tracking ID into Analytics Cat
    

Important: Do not paste your tracking code (starting with ). Instead, paste your tracking id (example: UA-xxxxxx-01) into Analytics Cat.

**Can I anonimize ip addresses?**

Yes you can! Append the following code to your theme’s functions.php page:

    function my_custom_ga_attributes ( $value ) {
        return '&aip=1';
    }
    
    add_filter( 'fca_ga_attributes', 'my_custom_ga_attributes' );
    

For more information, read this: How to find your Google Analytics tracking code, Google Analytics tracking ID, and Google Analytics property number

This plugin works well and does what it's supposed to do without issues.

Does what it says. Simple and easy to setup.

No extra fluff makes me tear up in joy. Thank you for staying true to the description and point. 👏

I have used this plugin to get input/insights for my ActiveCampaign marketing tool. It does exactly what it says it does, reliably.

It works really well but I deducted a star because I have started getting spam after installing it. Prior to this I was receiving none and this is the only plugin I have installed in the last three months.

Read all 11 reviews

“Analytics Cat – Google Analytics Made Easy” is open source software. The following people have contributed to this plugin.

Contributors

**Analytics Cat – Google Analytics 1.1.1**

*   Improved notices
*   Changed default role exclusion to none
*   Fix potential empty value error reported
*   Remove unused API calls

**Analytics Cat – Google Analytics 1.1.0**

*   Improved security for Editor page
*   Tested up to WordPress 5.9.1

**Analytics Cat – Google Analytics 1.0.9**

*   Updated feedback form
*   Tested up to WordPress 5.6.2

**Analytics Cat – Google Analytics 1.0.8**

*   Fixed double tracking issue

**Analytics Cat – Google Analytics 1.0.7**

*   Tested up to WordPress 5.5

**Analytics Cat – Google Analytics 1.0.6**

*   Added filter fca\_ga\_attributes to add ability to customize enqueued script attributes (see readme)
*   Admin UI text update
*   Removed quotes from Google Analytics ID ( fixed issue with 3rd party add-on )
*   Tested up to WordPress 5.4.2

**Analytics Cat – Google Analytics 1.0.5**

*   Upgraded from analytics.js to gtag.js
*   Tested up to WordPress 5.4.1

**Analytics Cat – Google Analytics 1.0.4**

*   Load Select2 library locally instead of via CDN
*   Add privacy disclosure

**Analytics Cat – Google Analytics 1.0.3**

*   Removed installation splash screen

**Analytics Cat – Google Analytics 1.0.2**

*   Add settings saved message
*   Update help text & links
*   Update permissions text

**Analytics Cat – Google Analytics 1.0.1**

*   Fix link to quick start guide in admin UI

**Analytics Cat – Google Analytics 1.0.0**

*   Release candidate 1 of Analytics Cat – Google Analytics

CVE-2022-40311: Analytics Cat – Google Analytics Made Easy

WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022.
The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
It's also similar to

WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in **Apache Commons Text** on October 18, 2022.

The vulnerability, tracked as CVE-2022-42889 aka **Text4Shell**, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.

It's also similar to the now infamous Log4Shell vulnerability in that the issue is rooted in the manner string substitutions carried out during DNS, script, and URL lookups could lead to the execution of arbitrary code on susceptible systems when passing untrusted input.

A successful exploitation of the flaw can enable a threat actor to open a reverse shell connection with the vulnerable application simply via a specially crafted payload, effectively opening the door for follow-on attacks.

While the issue was originally reported in early March 2022, the Apache Software Foundation (ASF) released an updated version of the software (1.10.0) on September 24, followed by issuing an advisory only last week on October 13.

"Fortunately, not all users of this library would be affected by this vulnerability – unlike Log4J in the Log4Shell vulnerability, which was vulnerable even in its most basic use-cases," Checkmarx researcher Yaniv Nizry said.

"Apache Commons Text must be used in a certain way to expose the attack surface and make the vulnerability exploitable."

Wordfence also reiterated that the likelihood of successful exploitation is significantly limited in scope when compared to Log4j, with most of the payloads observed so far designed to scan for vulnerable installations.

"A successful attempt would result in the victim site making a DNS query to the attacker-controlled listener domain," Wordfence researcher Ram Gall said, adding requests with script and URL prefixes have been comparatively lower in volume.

If anything, the development is yet another indication of the potential security risks posed by third-party open source dependencies, necessitating that organizations routinely assess their attack surface and set up appropriate patch management strategies.

Users who have direct dependencies on Apache Commons Text are recommended to upgrade to the fixed version to mitigate potential threats. According to Maven Repository, as many as 2,593 projects use the Apache Commons Text library.

The Apache Commons Text flaw also follows another critical security weakness that was disclosed in Apache Commons Configuration in July 2022 (CVE-2022-33980, CVSS score: 9.8), which could result in arbitrary code execution through the variable interpolation functionality.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-38108: Published | Zero Day Initiative

CVE-2022-36957: Published | Zero Day Initiative

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology AB Press Optimizer plugin <= 1.1.1 on WordPress.

 Verified

 Not fixed

**4.8**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.1.1

PSID 

4cad9e9947bf

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-10-12

**Details**

Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress AB Press Optimizer plugin (versions <= 1.1.1).

**Solution**

No patched version is available. No reply from the vendor.

**References**

Tag

#wordpress