Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.



**Solution**

 Fixed

Update the WordPress Custom Product Tabs for WooCommerce plugin to the latest available version (at least 1.7.9).

Nguyen Anh Tien discovered and reported this Broken Authentication vulnerability in WordPress Custom Product Tabs for WooCommerce Plugin. This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website. This vulnerability has been fixed in version 1.7.9.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2022-28666: WordPress Custom Product Tabs for WooCommerce plugin <= 1.7.7 -  Broken Access Control vulnerability leading to &yikes-the-content-toggle option update - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings.

CVE-2022-30337: WP Meta SEO

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.0 at WordPress leading to popup status change.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

de4f39bd2fdd

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-06-17

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change discovered by BEE-K (Patchstack) in WordPress Popup Builder plugin (versions <= 4.1.0).

**Solution**

Update the WordPress Popup Builder plugin to the latest available version (at least 4.1.1).

**References**

Changeset

CVE-2022-32289: WordPress Popup Builder plugin <= 4.1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change - Patchstack

Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

A researcher at security firm Cyllective has unearthed vulnerabilities in dozens of WordPress plugins, affecting tens of thousands of installations.

Dave Miller, who leads Cyllective’s penetration testing team, says they started out testing randomly selected plugins, quickly finding an unauthenticated SQL injection vulnerability.

They also found a series of local file inclusion and remote code execution (RCE) vulnerabilities. However, as these issues were found in severely outdated plugins, the team decided to concentrate its efforts on those that have received updates in the last two years – around 5,000 plugins in total.

**Exposed endpoints**

Looking particularly for unauthenticated SQL injection vulnerabilities, the researcher used a system of tags to identify plugins showing interaction with the WordPress database; string interpolation in SQL-like strings; security measures relating to sanitization attempts; and exposure of unauthenticated endpoints.

And after three months’ research, says Miller, the result was a total of 35 vulnerabilities, all of which could have been exploited by unauthenticated attackers, affecting around 60,500 instances running the affected WordPress plugins.

**RELATED** Unpatched plugins threaten millions of WordPress websites

“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Miller tells _The Daily Swig_.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

This, he says, would essentially allow an unauthenticated attacker to create a new administrator account and take over the WordPress instance. And, from there, the attacker would be able to upload malicious PHP files, which would grant the attacker remote code execution capabilities on the underlying server as a low-privileged user.

**Looking for patterns**

With a bit more engineering, says Miller, the team's tag strategy could be used to fine flaws other than SQL injection vulnerabilities.

“New patterns would need to be developed which capture the specifics of the vulnerability class to be able to detect them,” he says. “Some vulnerability classes are, however, hard or even impossible to detect with this approach.”

Read more of the latest WordPress security news

Miller says that, despite the large number of vulnerabilities discovered, the disclosure process went smoothly, with the team reporting each vulnerability as it was discovered – on occasion, as many as four or five per day.

“WPScan \[a WordPress security vendor\] coordinated the process of communication between all the parties involved - researcher, plugin author and the WordPress plugin team – in a timely manner,” he says.

And, he adds, the team is still working through more plugins, with more vulnerabilities being discovered and responsibly disclosed.

“Security is ultimately the responsibility of the plugin developer, and the Plugin team encourages this to the best of its ability,” a WordPress spokesperson tells _The Daily Swi_g.

“To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines. In addition, they have at their disposal a Plugin Handbook that covers security best practices.”

**DON’T MISS** W3C launches Decentralized Identifiers as a web standard

WordPress plugin security audit unearths dozens of vulnerabilities impacting 60,000 websites

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in René Hermenau's Social Media Share Buttons plugin <= 3.8.1 at WordPress.

 Verified

 Not fixed

**3.4**

CVSS 3.1 score Low severity

Monitoring Coming soon

Vulnerable versions

<= 3.8.1

PSID 

cf86e8d15058

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-06-16

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Social Media Share Buttons plugin (versions <= 3.8.1).

**Solution**

No patched version available. No reply from the vendor.

**References**

CVE-2021-36849: WordPress Social Media Share Buttons plugin <= 3.8.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in ThingsForRestaurants Quick Restaurant Reservations plugin <= 1.4.1 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

> Quick Restaurant Reservations is the easiest way to manage your restaurant bookings. Confirm / Reject reservations and send notifications to your customers. Manage several schedules, dates and time intervals.

**Quick Restaurant Reservations Features**

The plugin uses default WordPress functionality. Creates custom post types for Restaurants, Bookings and Clients.

*   Unlimited bookings
*   Bookings per restaurant
*   Pending, Confirm, Reject, Cancel status.
*   Notify customers about their booking status via email.
*   Manual confirmation.
*   Define min / max party
*   Early / Late bookings
*   Date format
*   Custom message after form submitted
*   Custom redirect after form submitted
*   Unlimited schedules
*   Schedule status open / close
*   Define week days and time interval for each schedule
*   Customize email notifications (admin, pending, confirmed, rejected, update)
*   Clients list
*   Form fields: date, party, time, name, email, phone, message

**ADD-ONS Features**

*   Unlimited restaurants
*   Each restaurant has its own page and booking form
*   Automatic confirmations
*   Set max capacity based on number of seats
*   Set max capacity based on tables
*   Limit automatic confirmation to max party
*   Limit automatic confirmation until X seats reached
*   Customize logo of email notifications
*   Monthly calendar view
*   Daily calendar view
*   Unlimited form custom fields

Make sure to review our ADD-ONS for Quick Restaurant Reservations page for more detailed information.

**How to use**

Add the shortcode of the restaurant form in any existing post or page:

    [qrr_form id="123"]
    

**Translations**

1.  Unzip the plugin and upload it to your site’s wp-content/plugins/ folder.
2.  Activate Quick Restaurant Reservations trough the “plugins” area in your WordPress dashboard
3.  A new menu item called “Rest. Bookings” will appear in your dashboard navigation.
4.  Go there and create a new restaurant.
5.  Define schedules for the restaurant.
6.  Copy and paste the shortcode for the bookings form in another page content.

**How do I create a booking form?**

Create a new restaurant.  
Define schedules for the restaurant.  
Insert the shortcode on any post or page.

Purchased the Capacity add on and it didn't work. We had a maximum set and we could just keep adding bookings endlessly. It didn't close off the numbers. Contacted support, no reply after a month. Put in another support ticket and asked for a refund. Same thing, no refund and no reply. We have to delete the whole plugin from our site because the capacity won't work.

I tested others plugins, this is very simple and complete. Other popular plugins don't work as well as this one.

This plugin is easy to implement and to customize.

I had a few challenges in a Wordpress multi-site environment, with a chain of 5 restaurants, each offering different arrangements on different times, different opening hours etcetera. I tried quite a few other plugins, but this one is by far the best! Support was great, even after more than several (beginner) questions, each was answered quickly and politely and the few issues that arose from this difficult setup were dealt with swiftly... Truly a 5-star review!

I love this plugin. It is exactly what I was looking for. It allows you change tags and personalize notifications. However, I couldn't edit the button text. Is it possible to do that?

Read all 8 reviews

“Quick Restaurant Reservations” is open source software. The following people have contributed to this plugin.

Contributors

*    Alejandro

**1.5.2**

*   Bulk action Cancel fixed

**1.5.1**

*   Fixed issue bulk updating bookings

**1.5.0**

*   Fixed issue email not saving format
*   Fixes issue in clients list layout

**1.4.8**

*   Fixed booking create status dropdown
*   Added new column for tables assigned

**1.4.7**

*   Fixed booking Action Selector dropdown

**1.4.6**

*   Fixed problem with emails layout

**1.4.5**

*   Fixed issue restaurant settings not saved

**1.4.4**

*   Fixed some bugs

**1.3.6**

*   Added time to Closed schedules
*   Can be closed full day or specific time

**1.3.5**

*   Fix issue with min booking duration
*   Fix issue with link to cancel booking
*   Added new column ‘Duration’
*   Integration with add-on ‘Capacity’ to export CSV

**1.3.3**

*   Added NL translation thanks to Bjron

**1.3.2**

*   Fixed issue for deleting trash old booking
*   Added booking column ID

**1.3.1**

*   Small issue with the front reservation ajax action

**1.3.0**

*   The admin table bookings has a default view for Today/Future bookings
*   New filter for Today or Future reservations at the admin table bookings list
*   New filter ‘qrr\_admin\_booking\_column\_date’ for changing the admin column Date format
*   Fixed issue calendar flickering at the front-end

**1.2.8**

*   Fixed issue with i18n date

**1.2.7**

*   Fixed small issues with front-form.php template
*   Added new filters to remove all other metaboxes from CPTs
*   filter: qrr\_restaurant\_remove\_all\_other\_metaboxes (default false)
*   filter: qrr\_client\_remove\_all\_other\_metaboxes (default false)
*   filter: qrr\_booking\_remove\_all\_other\_metaboxes (default false)

**1.2.6**

*   Fixed date translation inside the emails sent

**1.2.5**

*   Fixed action links from email sent to administrator (confirm, reject, calcel booking)
*   Added early booking new options (1 and 2 years in advance)

**1.2.0**

*   Solved bug when sending emails from admin bookings panel

**1.1.5**

*   Hours format: 24h / 12H
*   Small bugs fixed
*   Default admin email set if field is empty
*   Form date picker with >40 available translations

**1.0.5**

*   Bookings list filtering by date and restaurant.
*   Bookings list ordered by date.

**1.0.0**

*   Plugin released.

CVE-2022-29923: Quick Restaurant Reservations

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.

CVE-2022-29454: Better Messages – Live Chat for WordPress, BuddyPress, BuddyBoss, Ultimate Member, PeepSo

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

July 08, 2022**1\. Vulnerability Properties**

**Title:** Stored Cross-Site Scripting in DotNetNuke  
**CVE ID:** CVE-2021-31858  
**CVSSv3 Base Score:** 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)  
**Vendor:** DNNSoftware  
**Products:** DotNetNuke  
**Advisory Release Date:** 19-07-2022  
**Advisory URL:** https://labs.integrity.pt/advisories/cve-2021-31858  
**Credits:** Discovery by Bruno Barreirinhas <bb\[at\]integrity.pt>

**2\. Vulnerability Summary**

DotNetNuke CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject JavaScript and/or HTML via a crafted payload.  
Any subsequent requests to the attacker’s user profile page will retrieve the malicious content and exploit the vulnerability in the victim’s browser.

**3\. Vulnerable Versions**

*   <= 9.10.2

**4\. Solutions**

Until an official patch is released, it’s recommended that affected users take one of the following actions:

*   Disable User profile page in Settings > Site Behavior > Default Pages > User Profile Page
*   Set user profile visibility mode to Admin Only in Settings > Site Behavior > User Profiles > User Profile Settings
*   Disable user profile Biography field in Settings > Site Behavior > User Profiles > User Profile Fields

**5\. Vulnerability Timeline**

*   28/Apr/21 - Bug reported to DNNSoftware via email (no feedback)
*   26/May/21 - Contacted vendor via GitHub
*   26/May/21 - Bug reported to DNNSoftware via email
*   27/May/21 - Bug verified by DNNSoftware
*   13/Jul/21 - Requested feedback regarding the vulnerability
*   22/Jul/21 - Informed the vendor about the assigned CVE ID (no feedback)
*   20/Sep/21 - Requested feedback regarding the vulnerability
*   23/Dez/21 - Requested feedback regarding the vulnerability
*   05/Jul/22 - Notified the vendor about the disclosure (no feedback)
*   11/Jul/22 - Notified the vendor regarding the vulnerability details (no feedback)
*   19/Jul/22 - Advisory released

**6\. References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31858

CVE-2021-42567 Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.

**Latest Advisories**

*   CVE-2021-31858 Stored Cross-Site Scripting in DotNetNuke
*   CVE-2021-42567 Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
*   CVE-2021-44263 Cross-Site Scripting in Gurock TestRail
*   CVE-2021-41844 Open Redirect in JetEngine Wordpress Plugin
*   CVE-2021-38607 Stored Cross-Site Scripting in JetEngine Wordpress Plugin

**Latest Articles**

*   The Curious Case of Apple iOS IKEv2 VPN On Demand
*   Gmail Android app insecure Network Security Configuration.
*   Reviewing Android Webviews fileAccess attack vectors.
*   Droidstat-X, Android Applications Security Analyser Xmind Generator
*   Uber Hacking: How we found out who you are, where you are and where you went!

© 2022 Integrity Part of Devoteam. All rights reserved.

CVE-2021-31858: CVE-2021-31858 Stored Cross-Site Scripting in DotNetNuke

Scammers have created a PayPal phishing campaign that extensively asks for sensitive information, including government IDs and headshot photos.
The post PayPal phishing campaign goes after more than just your login credentials appeared first on Malwarebytes Labs.

A new phishing campaign targeting PayPal users aims to get extensive data from potential victims. The data it’s after includes government documents like passport, as well as selfie photos. In a nutshell, it’s an extensive form of information theft, the likes of which could result in someone’s identity being fully stolen and their financial and other online accounts being taken over.

PayPal phishing sites are a dime a dozen due to the number of people and companies using it as another form of payment method. However, what’s notable about this campaign is that all the phishing pages are hosted on legitimate WordPress sites.

Hundreds—if not thousands—of WordPress sites remain vulnerable and easily exploited by scammers because of their poor security and the use of weak passwords. This was evident after Akamai found an attacker had planted a phishing kit on its WordPress honeypot.

After successfully brute-forcing their way into the WordPress site using a list of common credentials, the attackers then installed a file manager plugin that let them upload the phishing kit to the compromised site.

To avoid detection, the phishing kit cross-referenced IP addresses to domains belonging to companies it wants to avoid. Naturally, some of these domains include those belonging to cybersecurity organizations.

**Blending into the background**

Akamai researchers also noticed how the scammers made an effort to make their phishing page as indistinguishable as possible from the legitimate one. For one thing, the actors used _.htaccess_ (short for hypertext access), a file that allows an admin to modify how a URL destination appears on the address bar.

In this case, the scammers wanted their phishing URL to make it look like it wasn’t a PHP file, so they edited out the “.php” bit of the URL. This makes sense because PayPal’s sign-in page doesn’t have an extension.

Oddly enough, the phish starts off asking users to type in the alphanumeric string they see on the “Security Challenge” page, under the guise of a means to verify that the user isn’t a bot.

This fake PayPal page asks you to enter what you see into a text box.  
(Source: Akamai)

The next page then asks for the user’s PayPal credentials. Normally, phishing kits would stop here, and the scammers would leave content with the PayPal credentials they can then misuse and abuse.

But not here. In this case they want more. This is just the start of a sophisticated work-up to get users to provide such sensitive information without them realizing it.

After users provide their PayPal credentials, they are then presented with a notice of “unusual activity” in the next screen.

(Source: Akamai)

Once users click the “Secure My Account” button, they are then directed to a page telling them to confirm all their card details. Here, Akamai noted that a ZIP code and CVV are normally sufficient.

(Source: Akamai)

Next, the scammers then ask users for yet more information, specifically their ATM PIN, social security number (SSN), and their mother’s maiden name—a bit of detail that could bypass an additional security layer for an account.

(Source: Akamai)

The PayPal phishing site then encourages users to link an email address to their PayPal account, giving the attackers a token, and therefore access, to that email account. It also encourages victims to upload official government documents, such as a passport, driver’s license, or national ID, to secure the account.

> Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. 
> 
> ~ Akamai Security Research, Akamai

For a verification process for an account showing unusual activity, the amount of information being asked from users is ridiculous and overkill. However, Akamai researchers believe that socially engineering PayPal users to let them keep giving away their data is what makes this phishing kit successful.

“People judge brands and companies on their security measures these days,” said Akamai in the report. “Not only is it commonplace to verify your identity in a multitude of ways, but it’s also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies.”

Phishing, in general, has come a long way. Attackers have been learning from their mistakes thanks to our growing understanding of their tactics and social engineering techniques.

As users of online services, we, too, have an obligation over our own online security and privacy. And the only way one can tell apart two seemingly identical websites is to look at your browser’s address bar.

To rephrase a line: to err is human, to scrutinize URLs is divine.

Stay safe!

PayPal phishing campaign goes after more than just your login credentials

We take a look at a WordPress plugin, abandoned and open to JavaScript related exploitation. Uninstall it now!
The post Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately! appeared first on Malwarebytes Labs.

WordPress admins are being warned to remove a buggy plugin or risk a total site takeover.

This particular threat relates to a plugin which is no longer in use: Modern WPBakery page builder addons. The vulnerability in the plugin, known as CVE-2021-24284, allows “unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action”. This means that attackers could upload rogue PHP files to the WordPress site, leading to remote code execution and a complete site takeover.

There’s been a sudden increase in attacks related to this abandoned WordPress relic. In 2021, researchers discovered “several vulnerable endpoints” which could lead to injection of malicious JavaScript or even deletion of arbitrary files in Modern WPBakery. This time around, the aim of the game is to once again upload rogue PHP files then inject malicious JavaScript into the site.

Roughly 1.6 million sites have been scanned to check for the plugin’s presence by bad actors, and current estimates suggest somewhere in the region of 4,000 to 8,000 websites are still playing host to the plugin.

**Check and remove ASAP**

The current advice is to check for the plugin, and then remove it as soon as you possibly can. It’s been completely abandoned, and no security-related fixes will be forthcoming.

If you have it installed, you’re on your own, and it’s likely only a matter of time before the exploiters make their way to your Modern WPBakery hosting website and start getting up to mischief.

Do yourself and your site visitors a favour: Remove this outdated invitation to site-wide compromise as soon as you possibly can.

Tag

#wordpress