The Turn off all comments WordPress plugin through 1.0 does not sanitise and escape the rows parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

CVE-2022-1192

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed.

CVE-2022-1093

The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability.

CVE-2022-1014

The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection

CVE-2022-0781

The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.

CVE-2022-0346

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.
The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.
The backdoor, which is believed to have existed since version 8.9, enables "an

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.

The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.

The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen said in a Friday write-up.

School Management, developed by an India-based company called Weblizar, is billed as a Wordpress add-on to "manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins.

The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of the plugin. The free version of School Management, which doesn't pack the licensing code, is not impacted.

While the backdoor has since been removed, the exact origins of the compromise remains unclear, with the vendor stating that "they do not know when or how the code came into their software."

Customers of the plugin are recommended to update to the latest version (9.9.7) to prevent active exploitation attempts.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find Backdoor in School Management Plugin for WordPress

Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress.

**hover-effects**

**Software**

**Hover Effects**

**Vulnerable Versions**

**<= 2.1**

**Fixed in version**

**2.1.1**

**CVE**

**CVE-2022-29447**

**References**

**Credits**

**Classification**

**Local File Inclusion**

**OWASP Top 10**

**A1: Injection**

**Disclosure Date**

**2022-05-16**

**CVSS 3.0 score**

**Requires high role user authentication like admin.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Local File Inclusion (LFI) vulnerability discovered by 0xB9 (Patchstack Alliance) in WordPress Hover Effects plugin (versions <= 2.1).**

**Solution**

**Update the WordPress Hover Effects plugin to the latest available version (at least 2.1.1).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29447: WordPress Hover Effects plugin <= 2.1 - Authenticated Local File Inclusion (LFI) vulnerability - Patchstack

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

CVE-2022-29434: Spiffy Calendar

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.

CVE-2022-29432: wpDataTables – Tables & Table Charts

Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remove custom post type base slug from url

*   possibility to select specific custom post type(s)
*   auto redirect old slugs to no-base slugs

1.  Upload remove-cpt-base directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

I easily removed the services slug from the link

Very simple plugin, but works perfectly! 🎉

A simple but efficient plugin that works like charm... 🙂

couldnt get the slug remove done with custom code on one particular site for whatever reason ... but this little thing works flawlessly! thanks - please keep it up!! 🙂

Read all 18 reviews

“Remove CPT base” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**5.9**

*   added nonce and security checks

**5.8**

*   tested on WP 5.9

**5.7**

*   tested on WP 5.5
*   minor fix

**5.6**

*   tested again with WPML, Polylang and Custom Post Type Permalinks and fixed

**5.5**

*   tested on WP 5.5
*   another fix for Custom Post Type Permalinks plugin

**5.4**

*   enable previews for CPTs without base

**5.3**

*   make it works with WPML
*   make it works with Polylang
*   make it works with Custom Post Type Permalinks plugin

**5.2**

*   tested on WP 5.4

**5.1**

*   removed auto-prevent slug duplicates
*   removed debug mode
*   removed remove\_cpt\_base\_skip filter
*   use default WP function instead of custom
*   make it works for custom rewrite slugs
*   prioritize page and post like WP does

**5.0**

*   YOU HAVE TO SAVE YOUR SETTINGS AGAIN, because:
*   added alternation option for each post type separately
*   added debug mode

**4.8**

*   fix alternative CPT children solving for nested children

**4.7**

*   alternative CPT children solving

**4.6**

*   fix server port redirect

**4.5**

*   make it works for WP installations in directory

**4.4**

*   minor changes

**4.3**

*   fix for some endpoints and make sure post is not interpreted as attachment

**4.2**

*   fix for hierarchical CPTs on some servers

**4.1**

*   make it works for posts interpreted like category by WP

**4.0**

*   tested on WP 5.2
*   make it works for hierarchical post types and different permalink structures
*   going back to ‘pre\_get\_posts’
*   optimize generating slug for duplicate names

**3.3**

*   change HTTP code from 404 to 200

**3.2**

*   fix for query strings

**3.1**

*   add custom endpoint rewrites support

**3.0**

*   stop using complicated ‘pre\_get\_posts’ and handle 404 instead

**2.3**

*   tested on WP 5.0

**2.2**

*   fix 404

**2.1**

*   fix redirect loop in WPML and WooCommerce

**2.0**

*   stop using .htaccess rules

**1.2**

*   auto init after permalinks updated

**1.1**

*   add uninstall hook
*   add duplicate slug check
*   minor updates

**1.0**

*   First version

Tag

#wordpress