WordPress 3dady Real-Time Web Stats plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://profiles.wordpress.org/3dady/# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.0.1# CVE : N/A# 1. Technical Description:The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of JavaScript code that can exploit the vulnerability.  # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).  c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):    " autofocus onfocus=alert(/XSS/)>  d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.  Note: This change will be permanent until you modify the edited fields.

WordPress 3dady Real-Time Web Stats 1.0 Cross Site Scripting

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2937: Vulnerability Advisories - Wordfence

WordPress WP-UserOnline plugin version 2.88.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/wp-useronline/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://github.com/lesterchan/wp-useronline# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip# Category: Web Application# Version: 2.88.0# Tested on: Debian / WordPress 6.0.1# CVE : CVE-2022-2941# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c# 1. Technical Description:The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page.  # 2. Proof of Concept (PoC):  a. Install and activate version 2.88.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).  c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use     the following payload:    <script>alert(/XSS/)</script>  d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload      will be executed.Note: This change will be permanent until you modify the edited fields.

WordPress WP-UserOnline 2.88.0 Cross Site Scripting

Authenticated (admin+) Arbitrary File Edit/Upload vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.

 Verified

 Fixed

**6.5**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

6ecb43251ea1

Classification 

Arbitrary File Upload

OWASP Top 10 

A1: Injection

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-08-09

**Details**

Authenticated Arbitrary File Edit/Upload vulnerability discovered by Vlad Vector (Patchstack) in WordPress WPide plugin (versions <= 2.6).

**Solution**

Update the WordPress WPIDE – File Manager & Code Editor plugin to the latest available version (at least 3.0).

**References**

CVE-2022-40217: WordPress WPide plugin <= 2.6 - Authenticated Arbitrary File Edit/Upload vulnerability - Patchstack

Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.

CVE-2022-38073: Awesome Support – WordPress HelpDesk & Support Plugin

Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.

 Verified

 Fixed

**4.1**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

aee14c950d8b

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-08-25

**Details**

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Vlad Vector (Patchstack) in WordPress Event Calendar – Calendar plugin (versions <= 1.4.6).

**Solution**

Update the WordPress Event Calendar – Calendar plugin to the latest available version (at least 1.4.7).

**References**

CVE-2022-36390: WordPress Event Calendar – Calendar plugin <= 1.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.

CVE-2022-36386: Import any XML or CSV File to WordPress

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Word Search Puzzles game plugin <= 2.0.1 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Word Search Puzzles game

Vulnerable versions

<= 2.0.1

PSID 

b189ec77df94

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-09-01

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress Word Search Puzzles game plugin (versions <= 2.0.1).

**Solution**

Deactivate and delete. No reply from the vendor.

**References**

CVE-2022-36383: WordPress Word Search Puzzles game plugin <= 2.0.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Crossword plugin <= 1.1.10 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 1.1.10

PSID 

c155cfbae813

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-09-01

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress WHA Crossword plugin (versions <= 1.1.10).

**Solution**

Deactivate and delete. No reply from the vendor.

**References**

CVE-2022-36365: WordPress WHA Crossword plugin <= 1.1.10 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

By Deeba Ahmed
Dubbed AttachMe by researchers; the vulnerability was a severe one since it targeted all OIC customers.
This is a post from HackRead.com Read the original post: AttachMe – Oracle Patches  “Severe” Vulnerability in its Cloud Infrastructure

Wiz security researcher Elad Gabay reported that they discovered a critical vulnerability in the Oracle Cloud Infrastructure (OCI), which a customer may have exploited to read/write another customer’s data on the same platform without permission.

This means the vulnerability could allow any Oracle customer unauthorized access to the Cloud storage data of another customer.

The good news is that when Wiz researchers notified Oracle about the bug, the IT firm fixed it within 24 hours. The even better news is that customers don’t need to do anything regarding the fix.

**Vulnerability Analysis**

Dubbed AttachMe by researchers, the vulnerability is one of the best examples of cloud isolation vulnerabilities and how threat actors can exploit the flaws to gain unauthorized access to someone else’s data.

The vulnerability, according to Wiz’s blog post, was discovered by Wiz in June 2022 and was regarded as one of the severest cloud vulnerabilities that could impact all OCI customers and violate cloud storage’s most significant pledge of customer data safety.

> AttachMe is one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers. Cloud isolation vulnerabilities usually impact a specific cloud service. However, in this case, the impact is related to a core cloud service. 
> 
> Elad Gabay – Wix

1.  Attackers Exploit Oracle WebLogic Flaw to Mine $266K in Monero
2.  Oracle, Google, and Microsoft generated most vulnerabilities in 2021
3.  Oracle’s Point-of-service Division MICROS Suffers Massive Data Breach
4.  Hackers Use Malware To Steal Cisco, IBM and Oracle Certification Manager

**Exploiting the Vulnerability**

Gabay said the flaw was exploitable if the threat actor knew the Oracle Cloud Identifier for a customer’s storage volume. Since this identified isn’t confidential data, it was possible to attach that volume to the actor’s virtual machine in Oracle’s cloud if the volume was not attached already or supported multiple attachments.

Therefore, all the attacker needed was the identifier to attach a volume and access the storage volume, including the target user’s sensitive data. Perhaps the flaw emerged because Oracle Infrastructure didn’t verify permission for linking the storage, which caused the issue.

After hijacking someone’s cloud storage, a threat actor could perform several destructive acts, such as leaking sensitive data, altering code, and gaining privilege escalation. Nevertheless, since the vulnerability has been fixed, users should not be worried.

**More Vulnerability News**

1.  Critical WordPress plugin vulnerability allowed wiping databases
2.  Attackers exploiting Windows Installer vulnerability despite patching
3.  Critical Amazon Ring Vulnerability Could Expose Camera Recordings
4.  Attackers can Exploit Dirty Pipe Linux Vulnerability to Overwrite Data
5.  Rarible NFT Market Vulnerability Let Attackers to Transfer Crypto Assets

Tag

#wordpress