The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well.

CVE-2022-2371

The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2372

The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change Theme options by sending a crafted POST request.

CVE-2022-1323

Pwn stars

Hacker Summer Camp is only days away, so in order to whet your appetite, The Daily Swig has compiled a list of some of the best talks of years past.

Over the years there’s been thrills, spills, and (of course) ‘sploits, as the top researchers in the security world have descended on Las Vegas for Black Hat USA and DEF CON – a security double bill that’s hard to beat.

This year’s Black Hat – which is again taking place as a hybrid event – and DEF CON offerings are sure to add to the already impressive roster of ground-breaking talks from years gone by.

Now that Covid-related restrictions have largely been lifted, the 2022 edition promises to be something of a grand reopening of arguably the single most important event in the infosec calendar.

Without further ado (and in no particular order) here are our top picks from past Black Hat and DEF CON events…

**Panic in the Cisco**

Michael Lunn’s 2005 talk on the security shortcomings of Cisco’s networking technology was important not only because of the potential impact of his discovery, but because it served as an example of an attempt to suppress security research.

Lunn resigned from his employment with Internet Security Systems in order to deliver a talk on a critical vulnerability in router technology from Cisco.

The security researcher demonstrated an exploit – which opened the door to a range of attacks from eavesdropping to disabling the compromised device – while withholding any details. Cisco issued a security fix to its firmware prior to the talk, but not many organizations had applied it by the time it rolled around.

Cisco initially gave the go-ahead for the talk but had second thoughts with the event imminent. ISS agreed to a request from the networking giant, but Lunn disagreed. This prompted his decision to resign in order to present his findings.

**Cache from chaos**

Dan Kaminsky’s reveal of a cache poisoning flaw affecting the software of multiple DNS vendors back in 2008 remains a landmark event in networking security.

The security researcher worked with DNS vendors for months to fix the critical vulnerability before laying the problem bare during Black Hat 2008.

It remains a testament to the late security researcher, who sadly passed away in April 2021, prompting an outpouring of tributes to a true infosec great characterized by “kindness, boundless energy, and positivity”.

**Hitting the Jackpot**

Barnaby Jack’s live hack demo on an ATM set the benchmark for spectacular hacks and cutting-edge security research. Jackpotting – as the attack later became known – involved a targeted assault on the software running on ATMs.

The end result involved injecting malware into the operating system of cash dispensing machines, causing them to dish out bank notes fraudulently. Either exploitable vulnerabilities in an ATM’s remote management system or unauthorised physical access to a machine (perhaps facilitated by a corrupt insider) might be used to carry out an attack.

Prior to Jack’s research, embedded systems such as ATMs were widely (but incorrectly) thought to be beyond the scope of potential hack attacks. The research paved the road to follow-up studies into the security of medical devices such as pacemakers and insulin pumps.

**Up in the air**

Interest in the security of air traffic control systems took off with Andrei Costin’s presentation on the issue during Black Hat 2012. Costin’s talk focused on security aspects of ADS-B (Automatic Dependent Surveillance-Broadcast), a satellite-based aircraft tracking technology, and other flight technologies.

The presentation looked at ADS-B (in)security from a practical perspective, presenting the “feasibility and techniques of how potential attackers could play with generated/injected air traffic, and as such potentially opening new attack surface” into air traffic control systems.

**Don’t look up**

Shifting the focus from airborne planes to satellites in orbit, a well-received 2014 talk by Ruben Santamarta reviewed the security of satellite communication terminals.

IOActive found that all the devices they accessed were potentially open to abuse. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, or weak encryption algorithms.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products,” IOActive warned at the time. “In certain cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.”

**Policy forum**

Black Hat and DEF CON have never been the forum for technical discussions and hacking demos alone. Policy issues are often in play too, as evidenced by talks from the likes of Dan Geer and Jennifer Granick.

Geer, CISO for In-Q-Tel, a not-for-profit venture capitalist firm that looks for tech that supports the US intelligence community, spoke about cyberspace as a domain for conflict between nations and on power politics in 2014.

Granick, director of civil liberties at the Stanford Center for Internet and Society, looked forward to the next phases of the development of the internet in 2015.

More recently Parisa Tabriz, director of engineering at Google, used her 2018 Black Hat keynote to give a practical perspective on secure development. And last year Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), outlined how hackers, the government, and the private sector can work together to confront cyber threats.

**Kettle reinvents HTTP request smuggling**

PortSwigger’s James Kettle reinvented the long-neglected topic of request smuggling with his presentation on HTTP desync attacks at DEF CON in 2019.

Kettle showed how it was possible to manipulate web requests in order to poison web caches. The hack allowed Kettle to compromise PayPal’s login page, among other targets, and claim $70K in bug bounties.

The hack relied in exploiting flaws in how web systems pass web-based requests between front end and back end system, as explained in a Daily Swig article published at the time of the talk.

**A new era in SSRF**

Noted web security researcher Orange Tsai used a 2017 Black Hat talk to outline an exploit technique variant that might be harnessed to bypass server-side request forgery (SSRF) protections.

The technique relied on fuzzing to unearth previously undiscovered vulnerabilities in the libraries of programming languages including Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL.

The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Flaws in web applications such as WordPress, vBulletin, MyBB, and GitHub have also been uncovered using the same approach, the security researcher told Black Hat USA attended in 2017.

**Hasta la Vista**

Polish security researcher Joanna Rutkowska became well known in the security community following her demonstration of an attack against Windows Vista’s kernel protection mechanism at Black Hat USA 2006.

During the same presentation, she also demonstrated a technique called ‘Blue Pill’ that involved hacking the operation of a virtual machine to plant stealthy malware.

**Gone in 40ms**

Hacking took to the roads in 2015 after security researchers Charlie Millar and Chris Valasek demonstrated how to launch a remote cyber-attack against an unaltered factory vehicle.

The security researchers hacked into a Jeep Cherokee through a mobile connection to its entertainment system via a technique that allowed them to send messages on the CAN bus to critical electronic control units. This, in turn, allowed them to control the braking, steering, and acceleration of the car.

That’s our round-up of the best-ever talks at Hacker Summer Camp – but what are your picks?

Have we failed to mention any unmissable talks? What are your favourite hacks? Let us know on Twitter at @DailySwig.

You can also watch more talks from previous Hacker Summer Camps on YouTube, ranked by numbers of views, via the DEF CON and Black Hat archives.  

YOU MAY ALSO LIKE ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications

The best Black Hat and DEF CON talks of all time

Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

Very bad plugin. Google doesn't show the snippets. When I ask this to the support, they said that I need to wait more. But I've already waited more than 1 year! And still no Google snippets. Go with much more a better plugin.

After a week and no respons i deactivated the plugin. I, and support of Starfish, was not able to activate the license. I need to go on. I have a waiting customer.

This guys will help you everytime! Thanks for such simple and effective tool. Regards, Alex

The plugin code contains a bunch of errors. For example, you will never see a warning if you have not rated a review, even if the rating field in the settings is required. Very bad localization. Many text strings in the plugin are not translated at all, as they are hardcoded. Finally, reviews are sent multiple times. Several duplicate records appear in the database and the same number of notifications are sent to e-mail. So, I does NOT recommend this plugin at all!

Плагин не умеет в локализацию.

doesn't have product as an option.. definitely don't recommend for google snippet.

Read all 115 reviews

“Rich Reviews by Starfish” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2021-36861: Rich Reviews by Starfish

Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.

CVE-2022-25649

Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**MailerLite – Signup forms (official) plugin**

The Official MailerLite signup forms plugin makes it easy to grow your newsletter subscriber list from your WordPress blog or website. The plugin automatically integrates your WordPress form with your MailerLite email marketing account.

If you don’t have MailerLite account yet, you can signup for a FREE trial here.

Once you activate the plugin, you’ll be able to select and add any of the pre-built webforms from your MailerLite account or create a new form from scratch. You can place the form in the sidebar using a widget or use a shortcode to put it wherever you want.

Setup is fast and easy! You just need to enter your MailerLite account API code and you’re all set.

Plugin features include:

*   Easily-to-add webforms from MailerLite to your WordPress blog or website
*   Option to create new webforms
*   WordPress 5 new editor support
*   Save subscribers automatically to your MailerLite account
*   Place webforms using widget or shortcode
*   Double opt-in signup
*   Updated plugin layout
*   Automate welcome emails from your MailerLite account

**Arbitrary section**

This plugin provides 1 block.

*   MailerLite signup form

**Method 1**

1.  Login to your WordPress admin panel.
2.  Open Plugins in the left sidebar, click Add New, and search for MailerLite plugin.
3.  Install the plugin and activate it.

**Method 2**

1.  Download the MailerLite plugin.
2.  Unzip the downloaded file and upload to your /wp-content/plugins/ folder.
3.  Activate the plugin in WordPress admin panel.

**Setup**

1.  After successful installation you will see MailerLite icon on the left sidebar. Click it.
2.  Enter your MailerLite account API key. You can find it in your MailerLite account by clicking “Developer API” link in the bottom of the page.
3.  Click “Add New Signup Form” .
4.  Choose “Webforms created using MailerLite” if you wan’t to use a signup form that you already created in your MailerLite account or “Custom signup form” if you want to create it now.
5.  If you want to include signup form in the sidebar of your blog or website, go to Appearance > Widgets and drag “MailerLite signup form” to the sidebar. Choose which signup form to display.
6.  If you want to include signup form inside your post or page, use shortcodes. You will see MailerLite icon in your content editor, click it and choose which form to display. It will put a shortcode (for example \[mailerlite\_form form\_id=1\]) and your visitors will see signup form in that place.

**Requirements**

*   Requires PHP5 and CURL.

**What is the plugin license?**

*   This plugin is released under a GPL license.

**What is MailerLite?**

MailerLite is easy to use web-based email marketing software. It can help you create and send email newsletters, manage subscribers, track and analyze results.

**Do I need a MailerLite account to use this plugin?**

Yes, you can easily register at www.mailerlite.com

**How to display a form in posts or pages?**

Use shortcode with form id which you created \[mailerlite\_form form\_id=1\].

Just add “MailerLite signup form widget” and select form you have created

**How to display a form in my template files?**

Use the load\_mailerlite\_form($id) function.

    <?php
    if( function_exists( 'load_mailerlite_form' ) ) {
        load_mailerlite_form(0);
    }
    

**How can I style the sign-up form?**

You can use CSS rules to style the sign-up form, use the following CSS selectors to target the various form elements.

Every form can be different, because element ID of form is:

    #mailerlite-form_(your_form_id)
    

Elements of form can be styled.

    .mailerlite-form .mailerlite-form-title {} /* the form title */
    .mailerlite-form .mailerlite-form-description {} /* the form description */
    .mailerlite-form .mailerlite-form-field label {} /* the form input label */
    .mailerlite-form .mailerlite-form-field input {} /* the form inputs */
    .mailerlite-form .mailerlite-form-loader {} /* the form loading text */
    .mailerlite-form .mailerlite-subscribe-button-container {} /* the form button container */
    .mailerlite-form .mailerlite-subscribe-button-container .mailerlite-subscribe-submit {} /* the form submit button */
    .mailerlite-form .mailerlite-form-response {} /* the form response message */
    

Add your custom CSS rules to the end of your theme stylesheet, /wp-content/themes/your-theme-name/style.css. Do not add them to the plugin stylesheet as they will be automatically overwritten on the next plugin update.

**Where can I find my MailerLite API key?**

Check it here!

The plugin mostly does what it's supposed to. They will occasionally push updates that breaks things and won't respond to any support inquiries. Be careful when updating this plugin.

I installed the plugin since a while, but it has no effect, nothing appear to setup or configure the popups. Actual version of mailer lite officially not tested (1.4.9) with current version of WP (5.8.2).

Plugin works great - I know other people have had trouble with it, but I found it easy and intuitive to integrate. MailerLite has the best support team ever!

It's working well for me so far as purely a mailing list signup mechanism. However, I'd like to be able to add new site member signups to the mailing list too (with their permission, of course). (I have Paid Memberships Pro on one site, which I did have working with Mailchimp, and LearnPress with WooCommerce on the other.) Not sure I'm techy enough to get to grips with using Zapier or some other middleman app to do this!

This is a good plugin to add a for fairly quick and easy. If you are trying to do anything more, you will run out of luck fast. There are no settings or useful code hooks (actions or filters) for customizing redirect to landing page or other useful tricks with forms.

I have no clue how I can get the new created forms visible in Wordpress... I tried a couple of times to add the API key again. And that worked, until the last time. But overall, I really like how easy it is to get the forms created AND visible in Wordpress. No issues what so ever.

Read all 20 reviews

“MailerLite – Signup forms (official)” is open source software. The following people have contributed to this plugin.

Contributors

*    mailerlite

**1.5.9**

*   Update – API client

**1.5.8**

*   Security fix

**1.5.7**

*   Tested up to latest WP version

**1.5.6**

*   Fix – deactivate issue
*   Tested up to latest WP version

**1.5.5**

*   Fix – wp\_nonce for cached pages

**1.5.4**

*   Fix – Input validation
*   Tested up to latest WP version

**1.5.3**

*   Update – API update
*   Tested up to latest WP version

**1.5.2**

*   Fix – Include Universal js

**1.5.1**

*   Fix – Form clear issue

**1.5.0**

*   Tested with WordPress 5.8.3
*   Update – Gutenberg plugin in plain JS

**1.4.10**

*   Update – Plugin display name
*   Tested up to latest WP version

**1.4.9**

*   Forms are embedded with the new method
*   1k limit to webforms API request

**1.4.8**

*   Fix – Gutenberg add / edit form fix

**1.4.7**

*   Tweak – Embedded forms subdomain changed

**1.4.6**

*   Fix – Gutenberg script enqueue called action method was non-static

**1.4.5**

*   Fix – Additional security for AJAX calls

**1.4.4**

*   Fix – Additional security for database queries

**1.4.3**

*   Fix – removed use of deprecated php method

**1.4.2**

*   Fix – Styles on form description bug
*   Update – Added a Load more button for groups on the creation stage phase.
*   Update – Hidden api key

**1.4**

*   Tweak – Show more than 100 groups when creating a custom form
*   Tweak – Renamed some classes to avoid fatal errors from other plugin having the same class names
*   Tweak – Reformatted code to WordPress code style
*   Tweak – Loading custom form javascript after window load for better optimisations
*   Tweak – Switched loading jQuery validate plugin from MailerLite CDN to your local WordPress site

**1.3.6**

*   Feature – Status page to provide information about your environment
*   Tweak – Even better support for older PHP versions in main plugin file
*   Fix – Plugin’s stylesheet is only included in pages where it is required

**1.3.5**

*   Tweak – Better support for older PHP versions in main plugin file

**1.3.4**

*   Fix – Subscriber adding bug

**1.3.3**

*   Fix – Form edit redirect not working

**1.3.2**

*   Fix – Form block js file version bump

**1.3.1**

*   Fix – “Media views” block bug

**1.3**

*   Feature – WordPress 5 block
*   Feature – Double opt-in feature
*   Tweak – New admin design
*   Update – The plugin uses MailerLite API V2 from now on

**1.2.8**

Check WP 5.0 support

**1.2.7**

API url fix

**1.2.6**

Test new WordPress

**1.2.5**

Updated forms (GDPR compatible)

**1.2.4**

release fix

**1.2.3**

fix form protocol

**1.2.2**

mistype fix in version no

**1.2.1**

adding en\_US locale language translation files

**1.2**

some small php notice errors fixed. More clear tooltips about embed forms. Popup script settings moved to settings page. Added en\_US locale translations (the same as en\_EN)

**1.1.25**

short php open tag fix

**1.1.24**

bigger curl timeout for API call, temporary

**1.1.23**

fixed translations, added english .po/.mo files, added “please wait” message translate option to custom forms

**1.1.22**

updated jquery validation script URL to use static.mailerlite.com

**1.1.21**

small bugfixes

**1.1.20**

curl error showing, empty embed form bugfix, other bugfixes

**1.1.19**

translation fixes

**1.1.18**

mistype fix for old versions

**1.1.17**

translation errors for LT language, allowing only embed and button forms

**1.1.16**

*   providing support for older PHP versions

**1.1.15**

*   file\_get\_contents changed to cURL

**1.1.14**

*   custom thank you message added

**1.1.13**

*   tested with 4.6 version

**1.1.12**

*   multisite support

**1.1.11**

*   post escaped with stripslashes\_deep

**1.1.10**

*   mistype – signing up

**1.1.9**

*   fixed app static script url

**1.1.8**

*   fixed old syntax constructors in API classes

**1.1.7**

*   option to activate popup form

**1.1.6**

*   popup webforms added

**1.1.5**

*   php notice fix

**1.1.4**

*   fixed jquery bug

**1.1.3**

*   some problem with version number

**1.1.2**

*   wordpress issue bug fix

**1.1.1**

*   updated readme and version constants

**1.1**

*   tested with up to 4.5.1 wordpress. version. Added list of languages for validation messages. Fixed mistype “sign up”

**1.0.18**

*   added php,wordpress and curl version checks before activation

**1.0.17**

*   fix db queries for update

**1.0.16**

*   links to https, db update charset

**1.0.15**

*   Updated links to knowledge base about api key, changed db charset for table – utf8\_bin

**1.0.14**

*   Removed new lines for some cases

**1.0.13**

*   Empty form description allowed

**1.0.12**

*   Fix mistype in curl method

**1.0.11**

*   Version fix

**1.0.10**

*   Some code refactor, array fixes for PHP older than 5.4

**1.0.9**

*   Curl safe mode fix

**1.0.8**

*   Fix shortcode popup

**1.0.7**

*   Fix shortcode

**1.0.6**

*   Fix embedded form cache

**1.0.5**

*   Fix for WP 4.0

**1.0.4**

*   Subscribe button update

**1.0.3**

*   jQuery load update

**1.0.2**

*   Small changes

**1.0.1**

*   Added translations

**1.0**

*   First release

CVE-2022-33201: MailerLite – Signup forms (official)

Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND plugin <= 0.2.27 at WordPress allows unauthenticated post update/create/delete.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

This plugin provides 3 blocks.

*   ActiveDEMAND - Story board
*   ActiveDEMAND - Dynamic Content Block
*   ActiveDEMAND - Web Form

Active Demand plugin works great. Easy to insert short codes and tracks prospects really great. Support is very good too. Quick response time and very helpful.

I spent months researching providers and only one fit all of our requirements, ActiveDemand. We signed up and found the system to be pleasantly usable compared to the alternatives. On top of that, every time I have reached out with a question, they have been incredibly responsive and informative. I can't say enough good things about the software, but the service is what really makes their company world-class. Thanks ActiveDemand!

This give full control over the form styling and is very easy to use as a short code! Integration was painless!

I love how easy this was. Implementation was simple. The short code makes adding forms unbelievably easy.

I'd been using ActiveDEMAND before the WordPress plugin became available and it's a great marketing automation platform. The integration into WordPress was "okay". It worked and was manageable. However, with the ActiveDEMAND WordPress plugin it is simply awesome. Really easy to use. I can drop in forms easily with a shortcode and everything automatically ties into my ActiveDEMAND lead database as well as all my dashboard reporting.

Read all 6 reviews

“ActiveDEMAND” is open source software. The following people have contributed to this plugin.

Contributors

*    jumpdemand

CVE-2022-36296: ActiveDEMAND

**Solution**

Update the WordPress ActiveDEMAND plugin to the latest available version (at least 0.2.28).

Nguyen Anh Tien discovered and reported this Broken Authentication vulnerability in WordPress ActiveDEMAND Plugin. This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website. This vulnerability has been fixed in version 0.2.28.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-36296: WordPress ActiveDEMAND plugin <= 0.2.27 - Broken Authentication vulnerability - Patchstack

WordPress Ecwid Ecommerce Shopping Cart plugin versions 6.10.23 and below suffer from a cross site request forgery vulnerability.

Description: Cross-Site Request Forgery to Settings/Options Update

Affected Plugin: Ecwid Ecommerce Shopping Cart

Plugin Slug: ecwid-shopping-cart

Affected Versions: <= 6.10.23

CVE ID: CVE-2022-2432

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researcher/s: Marco Wotschka

Fully Patched Version: 6.10.24

Ecwid Ecommerce Shopping Cart is a plugin offered by Lightspeed that allows site owners to set up an eCommerce store on a WordPress website and then sync it across various services such as Amazon and social media. It also offers ad integration and access to marketing tools. As part of the plugin’s functionality, there were some more advanced settings that could be managed. Unfortunately, this was implemented insecurely making it possible for attackers to update these settings via a forged request.

More specifically, the plugin provides the following admin_post action hooked to the ‘ecwid_update_plugin_params‘ function for that purpose:

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgGRrW4wJp7s4LR8_8W5GZxc55cBM_qW8hSV9n7QFM8MW16sCxG5h4mMrW8RWrLm7fnSqrW70Vz_q4PPYx1W6cGQ985xBh94W4KV7Yy3dzXV8W8bTSFR1sB2J5N60tSb8sMfWmW3Qhxq480ZZDvW6qNFsM4YqZm2W47Fl6f537-gRW8G9Mq25QpGZZW2B_hWM7ZNSZrW8jJ9gf8MSG0pW3c2FG27vDxqyW24KmsZ1HxD3TW6BS5rM4h9TL_W4My4sZ2R5dngW7nrf8C81zMWXW1bBRCq4lYLdfW5Wd9gF2rjpt7W2b9RlV7CGYQ8W4sgGCX98nMgqW1FPwLN10ndByW6yw5YW7rm4RLW1l8_qC5kZvHYW5kyvmH8qjwnbW6cS_Sd2f9WPjM-RF9H50XrYW6d-cP13xx9gWW8Jr_cw26btsNW30S0Xr6gZ41G36ft1 )

An initial check in the ‘ecwid_update_plugin_params‘ function ensures that the current user is allowed to manage site options, which is a capability that belongs to administrators. However, the nonce check performed shortly after is only executed if a nonce is set due to how the function uses && to combine the checks to validate that a nonce is present in the request and to verify that the nonce is valid. This means that if the wp-nonce parameter is not supplied in the request, the verification step is skipped. This makes the functionality susceptible to Cross-Site Request Forgery attacks in vulnerable versions.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgK04W67C43l5f9PlsW1vTzZ291zXDyW7lwxqt5S_SqhW8qMCLs5Vs8hTMlVtTSW5m53W8jPcbS3cs9wpW6xWDF_2xbLMZN7RfvGrn4vjHVXqXzJ3XzQ-1W3SsZJk5qWZY5W7tNvtn7z-pFSW2T45NG8qgmVjW4mZN5T8CCQR4W4X-xkp3MRyMBW8bQV2l1QmfF2W1N6yKt2SKNJxV9hRB01Dr8M4N4LKmRgHfRR-N5f00LN8JsxlVQCRGg9b5QQgVm1Wrc2NkSRpN22l9qWLg4rRW20bJdN7F1XgdN36zDyK1TZzNW6Fk9mV1Y1vkJW7zJyHY4w7XrNW6YPJyL4yxX2PW6qVHnh960fF3W8yZq6C8Nfqr_VkfJpP34G9dBW7J4NVS8plYskN1tn7-6tGsPRW3vNTQ14zxQXMW2gFKwm8yhK853nT51 )

This makes it possible for an attacker to change the ecwid_store_id, which uniquely identifies the store and is needed for support requests as well as for embedding the store on other sites. Another site option that could be modified is the site’s ecwid_store_page_id, which is the storefront page in the WordPress installation. Both of these settings may result in a loss of availability of the storefront if changed to an invalid store ID. There are several other settings that could be affected in addition to those two. The plugin does not provide a direct link to the settings page in any of its menus and a warning on the page suggests that modifying these settings may significantly affect the plugin functionality.

The Importance of Properly Implementing Nonces

Nonces are a critical component used to prevent Cross-Site Request Forgery vulnerabilities. As such, it’s important to ensure they are properly implemented throughout plugin and theme code to prevent unauthorized execution of that code. Fortunately, WordPress provides several mechanisms to create and validate proper nonces.

Nonce Creation

The first step to proper nonce implementation is nonce creation.

One option to properly implement nonce creation involves the wp_nonce_url() function. This function expects a target URL as well as an action and an optional nonce name. The nonce will be added to a URL and can be verified by a nonce validation function that is executed in the same or subsequent function. This makes it possible for developers to provide links to perform actions such as deletion of posts with a proper nonce that allows the code to verify that the action was initiated from within the site as opposed to a click on a link elsewhere, such as in an email.

An additional option is adding a nonce to a form to secure any submissions originating from that form. The function wp_nonce_field() is frequently used in these cases and expects an action string. This will add a hidden input field to the form. Upon form submission, the created nonce can be checked and verified.

Finally, a nonce can also be generated using wp_create_nonce(), which accepts an action string argument and returns just a nonce. This can be implemented in a variety of different ways and allows more flexibility as a developer to implement nonce validation. We frequently see this function contained in HTML on setting pages that is later used to validate the origin of the request when saving those settings.

Remember that nonces are specific to individual users and sessions and are invalidated after 24 hours, or on logout.

Nonce Validation

The second step to proper nonce implementation involves nonce verification. A plugin can implement an appropriate nonce on a form or settings update, but without proper validation of that nonce, there won’t be adequate protection.

The first option to properly validate a nonce involves the use of the check_admin_referer() function. This function accepts the protected action as well as the name of the nonce as an argument and checks the nonce as well as the referer, thus helping to ensure that the nonce provided is correct and that the request was initiated from an admin page.

When implementing an AJAX action, the check_ajax_referer() function can be used. This will verify the nonce but will not check the referer like the check_admin_referer() function does although it will validate that the request is an AJAX request.

A final option for validating a nonce is the more general wp_verify_nonce() function. With this function, an action and nonce name will need to be supplied, and it will verify that the proper nonce was set. This provides the most flexible implementation of nonce validation for developers.

In the case of today’s disclosure, the nonce was created on the settings form itself with wp_create_nonce():

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgF42W98C5CQ5NDR3nN58bq_96Ch4zW3GRvs_6bwRX5W3tsvrb2ShCghW3x06W68pRQH9W3Dg71b6v1HrYN1qR5fbY2lRlW1k5j_14xFFJHW7X-WLl1rqWk4W2Xtb8w2ZQV1fW60H5QG1l9dtQW4FrrX83gDD31W6PL9cT6F_6LvW370m6b2hcXrhW87SST67k_CFgW5-p6J61CRPtqW41Q3yy1ZncNXW3tf7LN7M0RtnVB_kYq1ywQZZW5nCmTg91v6g7W7d0m-m6FkNhhW7ZJZnp8SNnfqW8slWGB5dKbwfW6hRPqV27VwPwN6VYg76H73KcW5RSHN32P4qKzW87nrK28tmgf3W9kClqb5c9kpxW4sNhxd6ZtC1NW4W6S6N4tX1hSW8VG37Z822PTvW3vQSg86XJbffMW8y1Kj7SkzW8qWmSB1p6tWz33Jt1 )

As you can see, this statement will call wp_verify_nonce() but only if the nonce is set due to the if (isset($_POST['wp-nonce']) check and the use of && in combination with the wp_verify_nonce() function. Therefore, if the nonce is omitted, this check will not take place.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgYDJW4r9V7C4zvxxJW8nbMdr8F-cRDW2rwyLJ1CP2WHW4J-5Pl31WzP1W6DVyjb8Z3jqdN4stQLdG_ZkNW4mglnq1G8sRNW5mXcDc3VtGGNW4FY3bS3VJv8bW81wTgx9bFbTPV1C4Hj2mqjn2W34wsp890BqJ4W3mYsyR7j1ZmkW3N5y145YdY3JW1y9Jw7794yXvN8-B_JcFVNZ3W7qmWfy4_SYqlW8phV2n20Y2n1VY28TM2d1DnBVmThSG3kLmm9W3w1Qb8274pyfW3DMgQT1d69drW1Z_vwR8tNJ00W5VhJ9W1WWjw5V21_7j12XCNfW4nmmL65HjtPhW6bzWt73Vyc5XW49_SzN8D05kRW1p_M0l1RcrzgN5kXSx6thPmgW6kq5wb8y9lv7W2wb9d72F0qKFW6RJdQV89RNSpN1_lhTsk65Q51P1 )

This serves as an important reminder to not only properly implement nonces and validation checks but also to ensure that the check fails when the nonce value is empty or otherwise not present.

As a final important note: never rely on nonce checks alone. Developers should always remember to include a capability check using a function like current_user_can() in order to ensure the user initiating the action is indeed allowed to perform it. Nonces should never be used for authentication, authorization or any form of access control as they are simply intended to verify the origin of the request, and do not perform any authorization.

Timeline

June 24, 2022 – Initial outreach to the plugin developer.

July 11, 2022 – We escalate the issue to the WordPress.org plugins team and send them the full disclosure details.

July 13, 2022 – The vulnerability is patched in version 6.10.24.

Conclusion

In today’s post, we covered a vulnerability in the Ecwid Ecommerce Shopping Cart plugin that could be used to trick site administrators into updating plugin settings due to improper nonce verification. The vulnerability was patched by ensuring that a proper nonce was set and by verifying it.

Please remember that due to the nature of Cross-Site Request Forgery vulnerabilities, it is not possible to provide adequate protection via the Wordfence firewall without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Ecwid Ecommerce Shopping Cart as soon as possible.

Tag

#wordpress