WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28032

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

CVE-2020-28039

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

Timestamp:

09/01/2020 12:33:01 PM (3 years ago)

mndpsingh287

Message:

fixed security issues  

Location:

wp-file-manager/trunk

Files:

  

*   file\_folder\_manager.php (2 diffs)
*   lib/php/connector.maximal.php-dist
*   lib/php/connector.minimal.php
*   lib/php/connector.minimal.php-dist
*   lib/php/connector.php-dist
*   readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **wp-file-manager/trunk/file\_folder\_manager.php**
    
    r2372895
    
    r2373068
    
     
    
    5
    
    5
    
      Description: Manage your WP files.
    
    6
    
    6
    
      Author: mndpsingh287
    
    7
    
     
    
      Version: 6.8
    
     
    
    7
    
      Version: 6.9
    
    8
    
    8
    
      Author URI: https://profiles.wordpress.org/mndpsingh287
    
    9
    
    9
    
      License: GPLv2
    
    …
    
    …
    
     
    
    17
    
    17
    
        {
    
    18
    
    18
    
            protected $SERVER = 'http://ikon.digital/plugindata/api.php';
    
    19
    
     
    
            var $ver = '6.8';
    
     
    
    19
    
            var $ver = '6.9';
    
    20
    
    20
    
            /\* Auto Load Hooks \*/
    
    21
    
    21
    
            public function \_\_construct()
    
*   **wp-file-manager/trunk/readme.txt**
    
    r2372895
    
    r2373068
    
     
    
    5
    
    5
    
    Tested up to: 5.5
    
    6
    
    6
    
    Requires PHP: 5.2.4
    
    7
    
     
    
    Stable tag: 6.8
    
     
    
    7
    
    Stable tag: 6.9
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    138
    
    138
    
    \== Changelog ==
    
    139
    
    139
    
     
    
    140
    
    \= 6.9 (1st Sept, 2020) =
    
     
    
    141
    
     
    
    142
    
    \* Security issue fixed
    
     
    
    143
    
    140
    
    144
    
    \= 6.8 (31st Aug, 2020) =
    
    141
    
    145
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-25213: Changeset 2373068 – WordPress Plugin Repository

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.

The WordPress GiveWP plugin, which has 70,000+ active installations, fixed vulnerabilities affecting version 2.5.9 and below.

**Reference**

_A CVE ID has been requested and we’ll update this post when it is assigned._

**Unauthenticated settings change**

In the “includes/gateways/stripe/includes/admin/admin-actions.php” script, the give_stripe_connect_save_options function is loaded via the admin_init hook:

function give\_stripe\_connect\_save\_options() {

   $get\_vars = give\_clean( $\_GET );

   // If we don't have values here, bounce.
   if (
      ! isset( $get\_vars\['stripe\_publishable\_key'\] )
      || ! isset( $get\_vars\['stripe\_user\_id'\] )
      || ! isset( $get\_vars\['stripe\_access\_token'\] )
      || ! isset( $get\_vars\['stripe\_access\_token\_test'\] )
      || ! isset( $get\_vars\['connected'\] )
   ) {
      return false;
   }

   // Update keys.
   give\_update\_option( 'give\_stripe\_connected', $get\_vars\['connected'\] );
   give\_update\_option( 'give\_stripe\_user\_id', $get\_vars\['stripe\_user\_id'\] );
   give\_update\_option( 'live\_secret\_key', $get\_vars\['stripe\_access\_token'\] );
   give\_update\_option( 'test\_secret\_key', $get\_vars\['stripe\_access\_token\_test'\] );
   give\_update\_option( 'live\_publishable\_key', $get\_vars\['stripe\_publishable\_key'\] );
   give\_update\_option( 'test\_publishable\_key', $get\_vars\['stripe\_publishable\_key\_test'\] );

   // Delete option for user API key.
   give\_delete\_option( 'stripe\_user\_api\_keys' );

}
add\_action( 'admin\_init', 'give\_stripe\_connect\_save\_options' );

The function lacks a capability check and a security nonce. Because the admin_init hook can be triggered by anyone, an unauthenticated user can tamper with the authentication credentials of the Stripe Connect payment gateway: ACCESS\_TOKEN, REFRESH\_TOKEN, PUBLISHABLE\_KEY, ACCOUNT\_ID.

**Authenticated settings change**

In the “includes/admin/emails/ajax-handler.php” script, the give_set_notification_status_handler function is loaded via the wp_ajax hook. It is used to enable or disable email notifications sent by GiveWP to the administrator:

function give\_set\_notification\_status\_handler() {
   $notification\_id = isset( $\_POST\['notification\_id'\] ) ? give\_clean( $\_POST\['notification\_id'\] ) : '';
   if ( ! empty( $notification\_id ) && give\_update\_option( "{$notification\_id}\_notification", give\_clean( $\_POST\['status'\] ) ) ) {
      wp\_send\_json\_success();
   }

   wp\_send\_json\_error();
}

add\_action( 'wp\_ajax\_give\_set\_notification\_status', 'give\_set\_notification\_status\_handler' );

The function lacks a capability check and a security nonce and thus can be accessed by an authenticated user such as a subscriber.

This vulnerability could be used in conjunction with the previous one: after tampering with the payment gateway, the attacker could disable all email notifications sent to the admin, which includes the notification sent when a new donation is received.

**Additional issues**

In the “includes/misc-functions.php” script, the give_get_ip function is used to retrieve the user IP address:

function give\_get\_ip() {

   $ip = '127.0.0.1';

   if ( ! empty( $\_SERVER\['HTTP\_CLIENT\_IP'\] ) ) {
      // check ip from share internet
      $ip = $\_SERVER\['HTTP\_CLIENT\_IP'\];
   } elseif ( ! empty( $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\] ) ) {
      // to check ip is pass from proxy
      $ip = $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\];
   } elseif ( ! empty( $\_SERVER\['REMOTE\_ADDR'\] ) ) {
      $ip = $\_SERVER\['REMOTE\_ADDR'\];
   }

   /\*\*
    \* Filter the IP
    \*
    \* @since 1.0
    \*/
   $ip = apply\_filters( 'give\_get\_ip', $ip );

   // Filter empty values.
   if ( false !== strpos( $ip, ',' ) ) {
      $ip = give\_clean( explode( ',', $ip ) );
      $ip = array\_filter( $ip );
      $ip = implode( ',', $ip );
   } else {
      $ip = give\_clean( $ip );
   }

   return $ip;
}

It relies on untrusted user input (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR) that is sanitised in order to prevent attacks such as XSS, but isn’t properly validated: GiveWP will accept Client-IP: foo as a valid IP address.

**Timeline**

The vulnerability was reported to the authors on October 18, 2019 and a new version 2.5.10 was released on October 28, 2019.

**Recommendations**

Update as soon as possible if you have version 2.5.9 or below installed.  
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet

CVE-2020-20627: Multiple vulnerabilities fixed in WordPress GiveWP plugin.

An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field.

CVE-2020-15020: Elementor Website Builder – More than Just a Page Builder

Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog.

Elementor, a popular WordPress plugin installed on 4+ million websites, fixed a high severity vulnerability affecting version 2.9.5 and below. Any authenticated user could enable its Safe Mode feature allowing everyone, logged-in or not, to interact with it and to disable security plugins installed on the website such as firewall, antispam, two-factor authentication or captcha plugins for instance.

Elementor has a Safe Mode feature that is described as “a safe environment that isolates Elementor and WordPress from the themes and plugins that might be causing the error”. It can be enabled by the administrator from the plugin “Tools” page:

The fact that the editor can be loaded without loading any other plugin and the theme is certainly interesting from a developer’s point of view but, because Elementor is accessible to low-privileged users too, it sounds even more interesting from a hacker’s point of view. Let’s see how it works.

When enabling it, it calls the enable_safe_mode function from the “elementor/modules/safe-mode/module.php” script:

public function enable\_safe\_mode() {
   WP\_Filesystem();

   $this->update\_allowed\_plugins();

   if ( ! is\_dir( WPMU\_PLUGIN\_DIR ) ) {
      wp\_mkdir\_p( WPMU\_PLUGIN\_DIR );
      add\_option( 'elementor\_safe\_mode\_created\_mu\_dir', true );
   }

   if ( ! is\_dir( WPMU\_PLUGIN\_DIR ) ) {
      wp\_die( \_\_( 'Cannot enable Safe Mode', 'elementor' ) );
   }

   $results = copy\_dir( \_\_DIR\_\_ . '/mu-plugin/', WPMU\_PLUGIN\_DIR );

   if ( is\_wp\_error( $results ) ) {
      return false;
   }
}

It drops the “elementor/modules/safe-mode/mu-plugin/elementor-safe-mode.php” script into the WordPress “/mu-plugins/” folder:

class Safe\_Mode {

   const OPTION\_ENABLED = 'elementor\_safe\_mode';

   public function is\_enabled() {
      return get\_option( self::OPTION\_ENABLED );
   }

   public function is\_requested() {
      return ! empty( $\_REQUEST\['elementor-mode'\] ) && 'safe' === $\_REQUEST\['elementor-mode'\];
   }

   public function is\_editor() {
      return is\_admin() && isset( $\_GET\['action'\] ) && 'elementor' === $\_GET\['action'\];
   }

   public function is\_editor\_preview() {
      return isset( $\_GET\['elementor-preview'\] );
   }

   public function is\_editor\_ajax() {
      return is\_admin() && isset( $\_POST\['action'\] ) && 'elementor\_ajax' === $\_POST\['action'\];
   }

   public function add\_hooks() {
      add\_filter( 'pre\_option\_active\_plugins', function () {
         return get\_option( 'elementor\_safe\_mode\_allowed\_plugins' );
      } );

      add\_filter( 'pre\_option\_stylesheet', function () {
         return 'elementor-safe';
      } );

      add\_filter( 'pre\_option\_template', function () {
         return 'elementor-safe';
      } );

      add\_action( 'elementor/init', function () {
         do\_action( 'elementor/safe\_mode/init' );
      } );
   }
...
...
   public function \_\_construct() {
      add\_filter( 'plugin\_row\_meta', \[ $this, 'plugin\_row\_meta' \], 10, 4 );

      $enabled\_type = $this->is\_enabled();

      if ( ! $enabled\_type ) {
         return;
      }

      if ( ! $this->is\_requested() && 'global' !== $enabled\_type ) {
         return;
      }

      if ( ! $this->is\_editor() && ! $this->is\_editor\_preview() && ! $this->is\_editor\_ajax() ) {
         return;
      }

      $this->add\_hooks();
   }
}

new Safe\_Mode();

It uses the pre_option_ hook so that when WordPress queries the database to check which plugins, theme and style sheet must be loaded (active_plugins, template and stylesheet respectively), it returns that only Elementor should be activated. But this code is accessible to all users, logged-in or not, and can be triggered just by adding a specific query string to an HTTP request that will disable all other plugins while the request is being processed by WordPress.

In Elementor’s documentation, we can find some additional info about the Safe Mode activation:

In fact, there isn’t one but two ways to enable the Safe Mode: either from the settings page by an admin as described above or from the editor. The latter will only occur if there is a problem while it loads.  
With a contributor account, and after messing a bit with some of the HTML code, it wasn’t too difficult to force it to appear inside the editor screen:

When clicking the “Enable Safe Mode” button, it will send an AJAX request along with a security nonce to the handle_ajax_request function, which will forward it to ajax_enable_safe_mode and then will reach our enable_safe_mode function that will drop the MU plugin. None of these functions check user capabilities and they only rely on a nonce that is populated in the “elementor/core/common/app.php” script using the admin_enqueue_scripts hook.

add\_action( 'admin\_enqueue\_scripts', \[ $this, 'register\_scripts' \] );

Because the purpose of this hook is to enqueue scripts for all admin pages, the nonce is accessible to all authenticated users:

Therefore, any logged-in user, including a subscriber, can activate the Safe Mode and it can be triggered by anyone, authenticated or not, in the backend or frontend of WordPress. Attackers could use it for several purposes, for instance:

*   To send spam: they could disable a captcha and an antispam such as Akismet used to protect a form.
*   To bypass a firewall: if there were a vunerability in Elementor or WordPress, attackers could disable the firewall plugin and exploit it.
*   To attack the login page: they could disable any plugin used to protect it (two-factor authentication, brute-force protection, activity log, login notification etc) or to hide it.

Note that Elementor’s Role Manager won’t prevent the exploitation of this vulnerability.  
Additionally, if the Safe Mode can be enabled by any user in the backend, it can also be disabled because the disable_safe_mode action relies on the same AJAX function and security nonce.

**Demonstration**

_The following video has been edited to obscure some parts of the payload used to perform the attack._

This video demonstrates the exploitation of the Elementor Safe Mode privilege escalation vulnerability.  
1\. Attackers will use a subscriber account to enable the Safe Mode.  
2\. They will disable the login page captcha so that they can run a brute-force attack until they find the admin password.  
3\. They will disable the two-factor authentication security plugin in order to gain access to the administrator account.

**Recommendation**

Update ASAP if you have version 2.9.5 or below installed.  
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability since March 10, 2020.

**Timeline**

The vulnerability was reported on March 10, 2020 and a new version 2.9.6 was released on March 12, 2020.

**Stay informed about the latest vulnerabilities**

*   Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
*   On Twitter: @nintechnet

CVE-2020-20634: WordPress Elementor plugin fixed Safe Mode privilege escalation vulnerability.

Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.

**Firejail**

   

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.

The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

Project webpage: https://firejail.wordpress.com/

Download and Installation: https://firejail.wordpress.com/download-2/

Features: https://firejail.wordpress.com/features-3/

Documentation: https://firejail.wordpress.com/documentation-2/

FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions

Wiki: https://github.com/netblue30/firejail/wiki

GitLab-CI status: https://gitlab.com/Firejail/firejail\_ci/pipelines/

Video Channel: https://odysee.com/@netblue30:9?order=new

Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/

**Security vulnerabilities**

We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com

    Security Advisory - Feb 8, 2021
    
    Summary: A vulnerability resulting in root privilege escalation was discovered in
    Firejail's OverlayFS code,
    
    Versions affected: Firejail software versions starting with 0.9.30.
    Long Term Support (LTS) Firejail branch is not affected by this bug.
    
    Workaround: Disable overlayfs feature at runtime.
    In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
    
          $ grep overlayfs /etc/firejail/firejail.config
          # Enable or disable overlayfs features, default enabled.
          overlayfs no
    
    Fix: The bug is fixed in Firejail version 0.9.64.4
    
    GitHub commit: (file configure.ac)
    https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
    
    Credit:  Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
    Functional PoC exploit code was provided to Firejail development team.
    A description of the problem is here on Roman's blog:
    
    https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
    https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
    

**Installing****Debian**

Debian stable (bullseye): We recommend to use the backports package.

**Ubuntu**

For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the PPA.

How to add and install from the PPA:

sudo add-apt-repository ppa:deki/firejail
sudo apt-get update
sudo apt-get install firejail firejail-profiles

Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:

*   firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910

See also https://wiki.ubuntu.com/SecurityTeam/FAQ:

> What software is supported by the Ubuntu Security team?
> 
> Ubuntu is currently divided into four components: main, restricted, universe and multiverse. All binary packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while binary packages in universe and multiverse are supported by the Ubuntu community.

Additionally, the PPA version is likely to be more recent and to contain more profile fixes.

See the following discussions for details:

*   Should I keep using the version of firejail available in my distro repos?
*   How to install the latest version on Ubuntu and derivatives

**Other**

Firejail is included in a large number of Linux distributions.

Note: The firejail 0.9.52-LTS version is deprecated.

You can also install one of the released packages, or clone Firejail’s source code from our Git repository and compile manually:

    $ git clone https://github.com/netblue30/firejail.git
    $ cd firejail
    $ ./configure && make && sudo make install-strip
    

On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor development libraries and pkg-config are required when using --apparmor ./configure option:

    $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
    

For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).

Detailed information on using firejail from git is available on the wiki.

**Running the sandbox**

To start the sandbox, prefix your command with firejail:

    $ firejail firefox            # starting Mozilla Firefox
    $ firejail transmission-gtk   # starting Transmission BitTorrent
    $ firejail vlc                # starting VideoLAN Client
    $ sudo firejail /etc/init.d/nginx start
    

Run firejail --list in a terminal to list all active sandboxes. Example:

    $ firejail --list
    1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
    7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt
    7779:netblue:/usr/bin/firejail /usr/bin/galculator
    7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4
    7916:netblue:firejail --list
    

**Desktop integration**

Integrate your sandbox into your desktop by running the following two commands:

    $ firecfg --fix-sound
    $ sudo firecfg
    

The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. The second command integrates Firejail into your desktop. You would need to logout and login back to apply PulseAudio changes.

Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in current Firejail version, and the number goes up with every new release. We keep the application list in /etc/firejail/firecfg.config file.

**Security profiles**

Most Firejail command line options can be passed to the sandbox using profile files. You can find the profiles for all supported applications in /etc/firejail directory.

If you keep additional Firejail security profiles in a public repository, please give us a link:

*   https://github.com/chiraag-nataraj/firejail-profiles
    
*   https://github.com/triceratops1/fe
    

Use this issue to request new profiles: #1139

You can also use this tool to get a list of syscalls needed by a program: contrib/syscalls.sh.

We also keep a list of profile fixes for previous released versions in etc-fixes directory.

**Latest released version: 0.9.68****Current development version: 0.9.69**

Milestone page: https://github.com/netblue30/firejail/milestone/1

**Shell tab completion**

           --tab  Enable shell tab completion in sandboxes using private or whitelisted
                  home directories.
    
                  $ firejail --private --tab
    

**Profile Statistics**

A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. Run it over the profiles in /etc/profiles:

    $ /usr/lib/firejail/profstats /etc/firejail/*.profile
    No include .local found in /etc/firejail/noprofile.profile
    Warning: multiple caps in /etc/firejail/transmission-daemon.profile
    
    Stats:
        profiles			1184
        include local profile	1183   (include profile-name.local)
        include globals		1152   (include globals.local)
        blacklist ~/.ssh		1057   (include disable-common.inc)
        seccomp			1076
        capabilities		1178
        noexec			1064   (include disable-exec.inc)
        noroot			985
        memory-deny-write-execute	259
        apparmor			707
        private-bin			686
        private-dev			1040
        private-etc			537
        private-tmp			911
        whitelist home directory	567
        whitelist var		849   (include whitelist-var-common.inc)
        whitelist run/user		1153   (include whitelist-runuser-common.inc
    					or blacklist ${RUNUSER})
        whitelist usr/share		621   (include whitelist-usr-share-common.inc
        net none			403
        dbus-user none 		670
        dbus-user filter 		114
        dbus-system none 		824
        dbus-system filter 		10
    

**New profiles:**

onionshare, onionshare-cli, opera-developer, songrec

CVE-2020-17367: GitHub - netblue30/firejail: Linux namespaces and seccomp-bpf sandbox

The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS.

Permalink

Cannot retrieve contributors at this time

CVE-2020-15364: vladvector.github.io/2020-06-17-nexos-real-estate-wordpress-theme-v1-7.txt at master · vladvector/vladvector.github.io

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin. Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.

**CVE ID:** CVE-2020-15038

****Summary****

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

**Impact**

While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.

*   **Redirection**:
    
    If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
    
  
*   **Phishing**:
    
    Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
    

**Vulnerability**

The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).

    POST /wp-admin/options.php HTTP/1.1
    Host: localhost:10004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 636
    Origin: http://localhost:10004
    Connection: close
    Cookie: ...
    
    option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=

****Timeline****

Vulnerability reported to the SeedProd team on June 22, 2020.  
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.

****Recommendation****

It is highly recommended to update the plugin to the latest version.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
*   https://nvd.nist.gov/vuln/detail/CVE-2020-15038
*   https://wordpress.org/plugins/coming-soon/#developers
*   https://wpvulndb.com/vulnerabilities/10283

For best security practices, you can follow the below guides:

*   WordPress Security Guide
*   WordPress Hack and Malware Removal

Tags: coming soon page, Cross Site Scripting, maintenance mode, seedprod, stored xss, under construction, vulnerability, WordPress, WordPress Maintenance, Wordpress Plugin Vulnerability, wordpress security, XSS

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-15038: XSS Found In Coming Soon Page and Maintenance Mode Plugin

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

(@tomson)

Posts: 487

Honorable Member Support

We just released wpDiscuz 5.3.6 version for all who still use the old v5.3.5 version and don't want to update to current latest 7.x.x version.

We have got a report that, there is a security vulnerability issue in 5.3.5 version. This issue was fixed in the major update 7.x.x versions. However, we also fixed the issue for 5.x version users and released 5.3.6 version.

If you want to keep using the old 5.x version, just update it to the 5.3.6 version using this instruction:

1.  Deactivate delete the 5.3.5 version.
2.  Download the 5.3.6 verison: https://downloads.wordpress.org/plugin/wpdiscuz.5.3.6.zip
3.  Click the \[Add New\] button in Dashboard > Plugins admin page and upload/install the 5.3.6 installation zip file.

If you don't want to use old 5.x versions, just click the \[Update\] link on wpDiscuz plugin in Dashboard > Plugins admin page and update it to the latest version.

Posted : 12/06/2020 4:55 pm

Tag

#wordpress