The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

**wp\_create\_nonce( string|int $action = \-1 )**

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

**Contents**

*   Parameters
*   Return
*   More Information
*   Source
*   Related
    *   Uses
    *   Used By
*   Changelog
*   User Contributed Notes

**Parameters**

$action

(string|int) (Optional) Scalar value to add context to the nonce.

Default value: -1

Top ↑

**Return**

(string) The token.

Top ↑

**More Information**

The function should be called using the init or any subsequent action hook. Calling it outside of an action hook can lead to problems, see the ticket #14024 for details.

Top ↑

**Source**

File: wp-includes/pluggable.php

	function wp\_create\_nonce( $action = -1 ) {
		$user = wp\_get\_current\_user();
		$uid  = (int) $user->ID;
		if ( ! $uid ) {
			/\*\* This filter is documented in wp-includes/pluggable.php \*/
			$uid = apply\_filters( 'nonce\_user\_logged\_out', $uid, $action );
		}

		$token = wp\_get\_session\_token();
		$i     = wp\_nonce\_tick();

		return substr( wp\_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	}

Expand full source code Collapse full source code View on Trac View on GitHub

Top ↑

**Changelog**

Changelog

Version

Description

4.0.0

Session tokens were integrated with nonce creation

2.0.3

Introduced.

Top ↑

**User Contributed Notes**

CVE-2020-35773: wp_create_nonce() | Function | WordPress Developer Resources

The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF.

Timestamp:

12/08/2020 12:29:27 PM (20 months ago)

Marios Alexandrou

Message:

Addressed minor vulnerability reported by SCA AppSec.  

Location:

ultimate-category-excluder/trunk

Files:

  

*   readme.txt (1 diff)
*   ultimate-category-excluder.php (3 diffs)

**Legend:**

Unmodified

Added

Removed

*   **ultimate-category-excluder/trunk/readme.txt**
    
    r2364782
    
    r2434070
    
     
    
    32
    
    32
    
    33
    
    33
    
    \== Changelog ==
    
     
    
    34
    
     
    
    35
    
    \= 1.2 =
    
     
    
    36
    
    \* Addressed minor vulnerability reported by SCA AppSec. If concerned, review your UCE category settings to ensure they are set as expected.
    
    34
    
    37
    
    35
    
    38
    
    \= 1.1 =
    
*   **ultimate-category-excluder/trunk/ultimate-category-excluder.php**
    
    r1490271
    
    r2434070
    
     
    
    2
    
    2
    
    /\*
    
    3
    
    3
    
    Plugin Name: Ultimate Category Excluder
    
    4
    
     
    
    Version: 1.1
    
     
    
    4
    
    Version: 1.2
    
    5
    
    5
    
    Plugin URI: http://infolific.com/technology/software-worth-using/ultimate-category-excluder/
    
    6
    
    6
    
    Description: Easily exclude categories from your front page, feeds, archives, and search results.
    
    …
    
    …
    
     
    
    42
    
    42
    
    43
    
    43
    
    function ksuce\_options\_page() {
    
    44
    
     
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) { $message = ksuce\_process(); }
    
     
    
    44
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) {
    
     
    
    45
    
            check\_admin\_referer( 'uce\_form' );
    
     
    
    46
    
            $message = ksuce\_process();
    
     
    
    47
    
        }
    
    45
    
    48
    
        $options = ksuce\_get\_options();
    
    46
    
    49
    
        ?>
    
    …
    
    …
    
     
    
    50
    
    53
    
            <p><?php \_e( 'Use this page to select the categories you wish to exclude and where you would like to exclude them from.', 'UCE' ); ?></p>
    
    51
    
    54
    
            <form action="options-general.php?page=ultimate-category-excluder.php" method="post">
    
     
    
    55
    
            <?php wp\_nonce\_field( 'uce\_form' ); ?>
    
    52
    
    56
    
            <table class="widefat">
    
    53
    
    57
    
            <thead>
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-35135: Changeset 2434070 – WordPress Plugin Repository

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

CVE-2020-29136: 90 Change Log

WordPress before 5.5.2 allows stored XSS via post slugs.

CVE-2020-28038: SonarSource Blog

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

WordPress 5.5.2 is now available!

This security and maintenance release features 14 bug fixes in addition to 10 security fixes. Because this is a **security release**, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.5.2 is a short-cycle security and maintenance release. The next major release will be version 5.6.

You can download WordPress 5.5.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security Updates**

Ten security issues affect WordPress versions 5.5.1 and earlier. If you haven’t yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues:

*   Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
*   Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
*   Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
*   Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
*   Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
*   Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
*   Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
*   Thanks to Erwan LR from WPScan who responsibly disclosed a method that could lead to CSRF.
*   And a special thanks to @zieladam who was integral in many of the releases and patches during this release.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.5.2 HelpHub documentation page.

**Thanks and props!**

The 5.5.2 release was led by @whyisjake and the following release squad:  @audrasjb, @davidbaumwald, @desrosj, @johnbillion, @metalandcoffee, @noisysocks @planningwrite, @sarahricker and @sergeybiryukov.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.5.2 happen:

Aaron Jorbin, Alex Concha, Amit Dudhat, Andrey “Rarst” Savchenko, Andy Fragen, Ayesh Karunaratne, bridgetwillard, Daniel Richards, David Baumwald, Davis Shaver, dd32, Florian TIAR, Hareesh, Hugh Lashbrooke, Ian Dunn, Igor Radovanov, Jake Spurlock, Jb Audras, John Blackbourn, Jonathan Desrosiers, Jon Brown, Joy, Juliette Reinders Folmer, kellybleck, mailnew2ster, Marcus Kazmierczak, Marius L. J., Milan Dinić, Mohammad Jangda, Mukesh Panchal, Paal Joachim Romdahl, Peter Wilson, Regan Khadgi, Robert Anderson, Sergey Biryukov, Sergey Yakimov, Syed Balkhi, szaqal21, Tellyworth, Timi Wahalahti, Timothy Jacobs, Towhidul I. Chowdhury, Vinayak Anivase, and zieladam.

CVE-2020-28033: WordPress 5.5.2 Security and Maintenance Release

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28032

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

CVE-2020-28039

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

Timestamp:

09/01/2020 12:33:01 PM (3 years ago)

mndpsingh287

Message:

fixed security issues  

Location:

wp-file-manager/trunk

Files:

  

*   file\_folder\_manager.php (2 diffs)
*   lib/php/connector.maximal.php-dist
*   lib/php/connector.minimal.php
*   lib/php/connector.minimal.php-dist
*   lib/php/connector.php-dist
*   readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **wp-file-manager/trunk/file\_folder\_manager.php**
    
    r2372895
    
    r2373068
    
     
    
    5
    
    5
    
      Description: Manage your WP files.
    
    6
    
    6
    
      Author: mndpsingh287
    
    7
    
     
    
      Version: 6.8
    
     
    
    7
    
      Version: 6.9
    
    8
    
    8
    
      Author URI: https://profiles.wordpress.org/mndpsingh287
    
    9
    
    9
    
      License: GPLv2
    
    …
    
    …
    
     
    
    17
    
    17
    
        {
    
    18
    
    18
    
            protected $SERVER = 'http://ikon.digital/plugindata/api.php';
    
    19
    
     
    
            var $ver = '6.8';
    
     
    
    19
    
            var $ver = '6.9';
    
    20
    
    20
    
            /\* Auto Load Hooks \*/
    
    21
    
    21
    
            public function \_\_construct()
    
*   **wp-file-manager/trunk/readme.txt**
    
    r2372895
    
    r2373068
    
     
    
    5
    
    5
    
    Tested up to: 5.5
    
    6
    
    6
    
    Requires PHP: 5.2.4
    
    7
    
     
    
    Stable tag: 6.8
    
     
    
    7
    
    Stable tag: 6.9
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    138
    
    138
    
    \== Changelog ==
    
    139
    
    139
    
     
    
    140
    
    \= 6.9 (1st Sept, 2020) =
    
     
    
    141
    
     
    
    142
    
    \* Security issue fixed
    
     
    
    143
    
    140
    
    144
    
    \= 6.8 (31st Aug, 2020) =
    
    141
    
    145
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-25213: Changeset 2373068 – WordPress Plugin Repository

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.

The WordPress GiveWP plugin, which has 70,000+ active installations, fixed vulnerabilities affecting version 2.5.9 and below.

**Reference**

_A CVE ID has been requested and we’ll update this post when it is assigned._

**Unauthenticated settings change**

In the “includes/gateways/stripe/includes/admin/admin-actions.php” script, the give_stripe_connect_save_options function is loaded via the admin_init hook:

function give\_stripe\_connect\_save\_options() {

   $get\_vars = give\_clean( $\_GET );

   // If we don't have values here, bounce.
   if (
      ! isset( $get\_vars\['stripe\_publishable\_key'\] )
      || ! isset( $get\_vars\['stripe\_user\_id'\] )
      || ! isset( $get\_vars\['stripe\_access\_token'\] )
      || ! isset( $get\_vars\['stripe\_access\_token\_test'\] )
      || ! isset( $get\_vars\['connected'\] )
   ) {
      return false;
   }

   // Update keys.
   give\_update\_option( 'give\_stripe\_connected', $get\_vars\['connected'\] );
   give\_update\_option( 'give\_stripe\_user\_id', $get\_vars\['stripe\_user\_id'\] );
   give\_update\_option( 'live\_secret\_key', $get\_vars\['stripe\_access\_token'\] );
   give\_update\_option( 'test\_secret\_key', $get\_vars\['stripe\_access\_token\_test'\] );
   give\_update\_option( 'live\_publishable\_key', $get\_vars\['stripe\_publishable\_key'\] );
   give\_update\_option( 'test\_publishable\_key', $get\_vars\['stripe\_publishable\_key\_test'\] );

   // Delete option for user API key.
   give\_delete\_option( 'stripe\_user\_api\_keys' );

}
add\_action( 'admin\_init', 'give\_stripe\_connect\_save\_options' );

The function lacks a capability check and a security nonce. Because the admin_init hook can be triggered by anyone, an unauthenticated user can tamper with the authentication credentials of the Stripe Connect payment gateway: ACCESS\_TOKEN, REFRESH\_TOKEN, PUBLISHABLE\_KEY, ACCOUNT\_ID.

**Authenticated settings change**

In the “includes/admin/emails/ajax-handler.php” script, the give_set_notification_status_handler function is loaded via the wp_ajax hook. It is used to enable or disable email notifications sent by GiveWP to the administrator:

function give\_set\_notification\_status\_handler() {
   $notification\_id = isset( $\_POST\['notification\_id'\] ) ? give\_clean( $\_POST\['notification\_id'\] ) : '';
   if ( ! empty( $notification\_id ) && give\_update\_option( "{$notification\_id}\_notification", give\_clean( $\_POST\['status'\] ) ) ) {
      wp\_send\_json\_success();
   }

   wp\_send\_json\_error();
}

add\_action( 'wp\_ajax\_give\_set\_notification\_status', 'give\_set\_notification\_status\_handler' );

The function lacks a capability check and a security nonce and thus can be accessed by an authenticated user such as a subscriber.

This vulnerability could be used in conjunction with the previous one: after tampering with the payment gateway, the attacker could disable all email notifications sent to the admin, which includes the notification sent when a new donation is received.

**Additional issues**

In the “includes/misc-functions.php” script, the give_get_ip function is used to retrieve the user IP address:

function give\_get\_ip() {

   $ip = '127.0.0.1';

   if ( ! empty( $\_SERVER\['HTTP\_CLIENT\_IP'\] ) ) {
      // check ip from share internet
      $ip = $\_SERVER\['HTTP\_CLIENT\_IP'\];
   } elseif ( ! empty( $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\] ) ) {
      // to check ip is pass from proxy
      $ip = $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\];
   } elseif ( ! empty( $\_SERVER\['REMOTE\_ADDR'\] ) ) {
      $ip = $\_SERVER\['REMOTE\_ADDR'\];
   }

   /\*\*
    \* Filter the IP
    \*
    \* @since 1.0
    \*/
   $ip = apply\_filters( 'give\_get\_ip', $ip );

   // Filter empty values.
   if ( false !== strpos( $ip, ',' ) ) {
      $ip = give\_clean( explode( ',', $ip ) );
      $ip = array\_filter( $ip );
      $ip = implode( ',', $ip );
   } else {
      $ip = give\_clean( $ip );
   }

   return $ip;
}

It relies on untrusted user input (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR) that is sanitised in order to prevent attacks such as XSS, but isn’t properly validated: GiveWP will accept Client-IP: foo as a valid IP address.

**Timeline**

The vulnerability was reported to the authors on October 18, 2019 and a new version 2.5.10 was released on October 28, 2019.

**Recommendations**

Update as soon as possible if you have version 2.5.9 or below installed.  
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet

CVE-2020-20627: Multiple vulnerabilities fixed in WordPress GiveWP plugin.

An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field.

Tag

#wordpress