A vulnerability was found in weblizar User Login Log Plugin 2.2.1. It has been classified as problematic. Affected is an unknown function. The manipulation leads to basic cross site scripting (Stored). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:13:27 +0100  

\------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in User Login Log WordPress
Plugin
------------------------------------------------------------------------
Axel Koolhaas, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the User Login
Log WordPress Plugin. This issue can be exploited by Subscriber (or
higher) and allows an attacker to perform a wide variety of actions,
such as stealing users' session tokens, or performing arbitrary actions
on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0011

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on User Login Log WordPress Plugin
version 2.2.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/stored\_cross\_site\_scripting\_vulnerability\_in\_user\_login\_log\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Stored Cross-Site Scripting vulnerability in User Login Log WordPress Plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20056: Stored Cross-Site Scripting vulnerability in User Login Log WordPress Plugin

Attackers could also potentially gain access to various internal services, researcher warns

Attackers could also potentially gain access to various internal services, researcher warns

A memcached injection vulnerability in business webmail platform Zimbra could allow attackers to steal login credentials without user interaction, security researchers have revealed.

Zimbra, an open source alternative to services including Microsoft Exchange, is used by more than 200,000 businesses and more than 1,000 government and financial institutions worldwide, according to its developer, Synacor.

Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource), has documented how unauthenticated attackers could poison an unsuspecting victim’s cache.

It is then possible to steal cleartext credentials from the Zimbra instance, when the mail client connects to the Zimbra server, as demonstrated in the following proof-of-concept video:

Because newline characters () were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and trigger an overwrite of arbitrary cached entries.

Memcached servers store key/value pairs that can be set and retrieved with a simple text-based protocol and interpret incoming data line by line.

**Escalation risk**

Zimbra users have been urged to upgrade their installations immediately, given the potential impact of successful exploitation.

**RECOMMENDED** Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

The severity of the vulnerability (CVE-2022-27924) is listed as ‘high’ (CVSS 7.5) rather than ‘critical’, but once a mailbox is breached, “attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information”, Scannell warned.

“With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”

**Continuous injections**

Attackers could poison victims’ IMAP route cache entries by ascertaining the victim’s email address – an easy enough task with OSINT methods – but the researchers also successfully deployed response smuggling to steal cleartext credentials without first obtaining this information.

“By continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” explained Scannell.

“This works because Zimbra did not validate the key of the Memcached response when consuming it. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses.”

**Holding the newline**

The flaw affects both open source and commercial versions of Zimbra in their default configurations.

The flaws were reported on March 11 and an initial fix, released on March 31, failed to properly address the issue. The comprehensively patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.

Catch up with the latest security research news

“Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server,” said Scannell. “As the hex-string representation of a SHA-256 can’t contain whitespaces, no new-lines can be injected anymore.”

**Sonar disclosed the flaw on June 14.**

Scannell concluded his write-up by observing that cross-site scripting (XSS) and SQL injection flaws arising from a lack of input escaping “have been well known and documented for decades”, but that “other injection vulnerabilities can occur that are less known and can have a critical impact”.

As a consequence, Scannell recommends that developers “be aware of special characters that should be escaped when dealing with technology where less documentation and research about potential vulnerabilities exists”.

The vulnerability has emerged four months after Zimbra released a hotfix for an XSS flaw whose abuse underpinned a series of sophisticated spear-phishing campaigns linked to an unknown Chinese threat group.

Sonar also discovered a pair of Zimbra vulnerabilities last year that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.

**RELATED** Horde Webmail contains zero-day RCE bug with no patch on the horizon

Business email platform Zimbra patches memcached injection flaw that imperils user credentials

Cross-site scripting vulnerability in Modern Events Calendar Lite versions prior to 6.3.0 allows remote an authenticated attacker to inject an arbitrary script via unspecified vectors.

*   Demo
    *   **Calendar View**
        
        *   Full Calendar
        *   General CalendarNew
        *   Yearly ViewPro
        *   Monthly View – Modern
        *   Monthly View – Clean
        *   Monthly View – Classic
        *   Monthly View – Simple
        *   Monthly View – Novel
        *   Weekly View
        *   Daily View
        *   Full Calendar – Fluent
        
        **List View**
        
        *   List View – Classic
        *   List View – Standard
        *   List View – Modern
        *   List View – Minimal
        *   List View – Toggle
        *   List View – With MapPro
        *   List View – Fluent
        
        **Grid View**
        
        *   Grid View – Simple
        *   Grid View – Modern
        *   Grid View – Minimal
        *   Grid View – Clean
        *   Grid View – Classic
        *   Grid View – Colorful
        *   Grid View – Novel Style
        *   Grid View – With MapPro
        *   Tile View
        *   Grid View – Fluent
        
        **Other Views**
        
        *   Agenda ViewPro
        *   Masonry ViewPro
        *   Available SpotPro
        *   Map ViewPro
        *   Advanced MapAddon
        *   Search Bar
        *   Widgets View
        *   Single Event
        *   Single Event – Fluent
        *   Booking Shortcode
        *   FrontEnd Submission Form
        *   Available Spot – Fluent
        
        **Slider View**
        
        *   Slider View – Type 1
        *   Slider View – Type 2
        *   Slider View – Type 3
        *   Slider View – Type 4
        *   Slider View – Type 5
        *   Slider View – Fluent
        
*   Features
*   AddonsNew
*   Resources
    *   Help
    *   Changelog
    *   Feature Request
    *   Support
    *   Covid-19
    *   Blog
    *   Services
    *   Themes

*   Demo
    *   **Calendar View**
        
        *   Full Calendar
        *   General CalendarNew
        *   Yearly ViewPro
        *   Monthly View – Modern
        *   Monthly View – Clean
        *   Monthly View – Classic
        *   Monthly View – Simple
        *   Monthly View – Novel
        *   Weekly View
        *   Daily View
        *   Full Calendar – Fluent
        
        **List View**
        
        *   List View – Classic
        *   List View – Standard
        *   List View – Modern
        *   List View – Minimal
        *   List View – Toggle
        *   List View – With MapPro
        *   List View – Fluent
        
        **Grid View**
        
        *   Grid View – Simple
        *   Grid View – Modern
        *   Grid View – Minimal
        *   Grid View – Clean
        *   Grid View – Classic
        *   Grid View – Colorful
        *   Grid View – Novel Style
        *   Grid View – With MapPro
        *   Tile View
        *   Grid View – Fluent
        
        **Other Views**
        
        *   Agenda ViewPro
        *   Masonry ViewPro
        *   Available SpotPro
        *   Map ViewPro
        *   Advanced MapAddon
        *   Search Bar
        *   Widgets View
        *   Single Event
        *   Single Event – Fluent
        *   Booking Shortcode
        *   FrontEnd Submission Form
        *   Available Spot – Fluent
        
        **Slider View**
        
        *   Slider View – Type 1
        *   Slider View – Type 2
        *   Slider View – Type 3
        *   Slider View – Type 4
        *   Slider View – Type 5
        *   Slider View – Fluent
        
*   Features
*   AddonsNew
*   Resources
    *   Help
    *   Changelog
    *   Feature Request
    *   Support
    *   Covid-19
    *   Blog
    *   Services
    *   Themes

*   Demo
    *   **Calendar View**
        
        *   Full Calendar
        *   General CalendarNew
        *   Yearly ViewPro
        *   Monthly View – Modern
        *   Monthly View – Clean
        *   Monthly View – Classic
        *   Monthly View – Simple
        *   Monthly View – Novel
        *   Weekly View
        *   Daily View
        *   Full Calendar – Fluent
        
        **List View**
        
        *   List View – Classic
        *   List View – Standard
        *   List View – Modern
        *   List View – Minimal
        *   List View – Toggle
        *   List View – With MapPro
        *   List View – Fluent
        
        **Grid View**
        
        *   Grid View – Simple
        *   Grid View – Modern
        *   Grid View – Minimal
        *   Grid View – Clean
        *   Grid View – Classic
        *   Grid View – Colorful
        *   Grid View – Novel Style
        *   Grid View – With MapPro
        *   Tile View
        *   Grid View – Fluent
        
        **Other Views**
        
        *   Agenda ViewPro
        *   Masonry ViewPro
        *   Available SpotPro
        *   Map ViewPro
        *   Advanced MapAddon
        *   Search Bar
        *   Widgets View
        *   Single Event
        *   Single Event – Fluent
        *   Booking Shortcode
        *   FrontEnd Submission Form
        *   Available Spot – Fluent
        
        **Slider View**
        
        *   Slider View – Type 1
        *   Slider View – Type 2
        *   Slider View – Type 3
        *   Slider View – Type 4
        *   Slider View – Type 5
        *   Slider View – Fluent
        
*   Features
*   AddonsNew
*   Resources
    *   Help
    *   Changelog
    *   Feature Request
    *   Support
    *   Covid-19
    *   Blog
    *   Services
    *   Themes

*   Demo
    *   **Calendar View**
        
        *   Full Calendar
        *   General CalendarNew
        *   Yearly ViewPro
        *   Monthly View – Modern
        *   Monthly View – Clean
        *   Monthly View – Classic
        *   Monthly View – Simple
        *   Monthly View – Novel
        *   Weekly View
        *   Daily View
        *   Full Calendar – Fluent
        
        **List View**
        
        *   List View – Classic
        *   List View – Standard
        *   List View – Modern
        *   List View – Minimal
        *   List View – Toggle
        *   List View – With MapPro
        *   List View – Fluent
        
        **Grid View**
        
        *   Grid View – Simple
        *   Grid View – Modern
        *   Grid View – Minimal
        *   Grid View – Clean
        *   Grid View – Classic
        *   Grid View – Colorful
        *   Grid View – Novel Style
        *   Grid View – With MapPro
        *   Tile View
        *   Grid View – Fluent
        
        **Other Views**
        
        *   Agenda ViewPro
        *   Masonry ViewPro
        *   Available SpotPro
        *   Map ViewPro
        *   Advanced MapAddon
        *   Search Bar
        *   Widgets View
        *   Single Event
        *   Single Event – Fluent
        *   Booking Shortcode
        *   FrontEnd Submission Form
        *   Available Spot – Fluent
        
        **Slider View**
        
        *   Slider View – Type 1
        *   Slider View – Type 2
        *   Slider View – Type 3
        *   Slider View – Type 4
        *   Slider View – Type 5
        *   Slider View – Fluent
        
*   Features
*   AddonsNew
*   Resources
    *   Help
    *   Changelog
    *   Feature Request
    *   Support
    *   Covid-19
    *   Blog
    *   Services
    *   Themes

**Free Download**

Our account has been suspended by WordPress.org for a breach of community guidelines (We asked a user for his credentials to be able to check on the issue and resolve it) and there aren’t any other problems. If you have been using MEC Lite you have nothing to be worried about. The product will be supported and will receive updates just like before on our own website. To get the regular auto-update for your plugin, if you are using versions older than 6.5.8, you need to update the plugin manually once.

**Support**

We will be supporting our plugins indefinitely. You only need to contact us through the designated support channels.

CVE-2022-30533: Lite – Modern Events Calendar

Authenticated (editor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Export All URLs plugin <= 4.1 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

This plugin will add a page called “Export All URLs” under Tools. You can navigate there and can extract data from your site. You can export Posts:

*   IDs
*   Titles
*   URLs
*   And Categories

The data can be categorized before extraction, by their post types.

**When we need this plugin?**

*   To check all URLs of your website
*   During migration
*   During security audit
*   Need to share All URLs with SEO guy
*   301 Redirects handling using htaccess

**Customizable Features**

*   Filter by Author
*   Filter by Date Range
*   Exclude domain URL (very helpful in comparing results after migration)
*   Set post range (very beneficial in case of timeout/memory out error)
*   Generates CSV file name randomly (sensitive data protection for security reasons)
*   Set preferred CSV file name (provides more control)

**System requirements**

*   PHP version 5.4 or higher
*   WordPress version 3.1.0 or higher

If you found any bug then report me, I’ll try to fix it as soon as possible!

**Contact**

For further information please send me an email.

**Screenshots**

**Installation****From your WordPress dashboard**

1.  Visit ‘Plugins > Add New’
2.  Search for ‘Export All URLs’
3.  Activate Export All URLs from your Plugins page.

**From WordPress.org**

1.  Download Export All URLs.
2.  Unzip plugin.
3.  Upload the ‘Export All URLs’ directory to your ‘/wp-content/plugins/’ directory, using your favorite method (ftp, sftp, scp, etc…)
4.  Activate Export All URLs from your Plugins page.

**Usage**

1.  Go to Tools > Export All URLs to export URLs of your website.
2.  Select Post Type
3.  Choose Data (e.g Post ID, Title, URLs, Categories)
4.  Apply Filters (e.g Post Status, Author, Post Range)
5.  Configure advance options (e.g exclude domain url, number of posts)
6.  Finally Select Export type and click on Export Now.

**Uninstalling:**

1.  In the Admin Panel, go to “Plugins” and deactivate the plugin.
2.  Go to the “plugins” folder of your WordPress directory and delete the files/folder for this plugin.

**FAQ**

**About Plugin Support?**

Post your question on support forum and we will try to answer your question as quick as possible.

**Why did you make this plugin?**

We couldn’t find a plugin that would export all URLs, titles and categories in a simplest possible way. So, we decided to take step further to fill this gap.

**Why the file name is randomly generated?**

Exporting the file with static name can be easily found by malicious attacker, and may result in sensitive information leakage. So we decided to generate random name, which is harder to guess. However plugin provides complete control over file name.

**Can I delete generated CSV file?**

Yes, absolutely. It is highly recommended, once the file is generated, there is a direct link to delete the generated file.

**Does Export All URLs make changes to the database?**

No. It has no settings/configurations to store so it does not touch the database.

**How can I check out if the plugin works for me?**

Install and activate. Go to Tools / Export All URLs. Select all options and download CSV file.

**Which PHP version do I need?**

This plugin has been tested and works with PHP versions 5.4 and greater. WordPress itself recommends using PHP version 7.3 or greater. If you’re using a PHP version lower than 5.4 please upgrade your PHP version or contact your Server administrator.

**Are there any known incompatibilities?**

Nope, there were some issues in past, but they were fixed in version 4.0.

**Are there any server requirements?**

Yes. The plugin requires a PHP version 5.4 or higher and WordPress version 3.1.0 or higher.

**Reviews**

This plugin is seriously awesome. When I rebuild a site from scratch I use this to export URLs from the old site and the new site to make sure all URLs match up or create URL redirection rules which I later import in the Redirection plugin.

Does not export pages/posts... it says "Invalid token" or something alongst those lines all the way at the bottom, it just refreshes the page.

Very Easy to Use, and it just works!

Support is also great for this plugin! I wish all of the developers could provide this type of service. Definitely using on our other websites. Thank you Atlas!

Brilliant! 3 clicks -- and problem solved 🙂

Read all 56 reviews

**Contributors & Developers**

“Export All URLs” is open source software. The following people have contributed to this plugin.

Contributors

*    Atlas\_Gondal

**Changelog****4.3**

*   Added – overall security and stability improvements
*   Compatibility – tested with wordpress 5.9.2

**4.2**

*   Fixed – patched a security vulnerability
*   Removed – file path customization option
*   Compatibility – tested with wordpress 5.9.1 & PHP 8.1

**4.1**

*   Added – option to remove woo commerce extra attributes from categories
*   Tweak – bit of formatting adjustments
*   Added – some default settings
*   Compatibility – tested with wordpress 5.4.2

**4.0**

*   Added – export post IDs
*   Added – exclude domain URL
*   Added – complete support of custom post type categories
*   Tweak – small dashboard design improvements
*   Added – enables user to delete the file once downloaded
*   Compatibility – wordpress 5.4 and php 7.3
*   Tweak – migrated under tools options, instead of settings
*   Added – displays total number of links
*   Added – new easy ways to report problem or bug
*   Fixed – conflict with “Security Header” & “Elementor” plugin
*   Fixed – typo on settings page
*   Added – extra verification checks

**3.6**

*   Added – filter data by date range
*   Tweak – some general activation improvements
*   Compatibility – tested with 5.1.1

**3.5**

*   Added – allow users to customize file path and file name
*   Fixed – grammatical mistake
*   Compatibility – tested with 4.9.7

**3.0**

*   Added – filter data by author
*   Added – specify post range for extraction
*   Added – generates random file name
*   Compatibility – tested with 4.9.2

**2.6**

*   Fixed – variable initialization errors
*   Compatibility – tested with 4.9

**2.5**

*   Added – support for selecting post status
*   Compatibility – tested with 4.7.5

**2.4**

*   Fixed – fatal error bug fixed
*   Compatibility – tested with wordpress 4.7.2

**2.3**

*   Fixed – categories export, (only first category was exporting)
*   Compatibility – tested with wordpress 4.7

**2.2**

*   Added – support for wordpress 4.6.1

**2.1**

*   Fixed – special character exporting for Polish Language

**2.0**

*   Added – support for exporting title and categories

**1.0**

*   initial release

CVE-2022-29452: Export All URLs

Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Popup | Custom Popup Builder

Vulnerable versions

<= 1.3.1

PSID 

be2775a50917

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-06-14

**Details**

Improper Access Control vulnerability leading to multiple Authenticated Stored XSS discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Custom Popup Builder plugin (versions <= 1.3.1).

**Solution**

Deactivate and delete. This plugin has been closed as of May 26, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-28612: WordPress Custom Popup Builder plugin <= 1.3.1 - Improper Access Control vulnerability leading to multiple Authenticated Stored XSS - Patchstack

Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process.

Security WiFi bypass in Yandex Browser from version 15.10 to 15.12 allows remote attacker to sniff traffic in open or WEP-protected wi-fi networks despite of special security mechanism is enabled.

Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 15.12.0 to 16.2 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 16.7 to 16.9 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile.

XSS in Yandex Browser BookReader in Yandex browser for desktop for versions before 16.6. could be used by remote attacker for evaluation arbitrary javascript code.

XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code.

Yandex Browser for iOS before 16.10.0.2357 does not properly restrict processing of facetime:// URLs, which allows remote attackers to initiate facetime-call without user's approval and obtain video and audio data from a device via a crafted web site.

Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site.

Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.

Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page.

Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.

Yandex Browser before 20.8.4 allows remote attackers to spoof the address bar.

Kirtikumar Anandrao Ramchandani

Yandex Browser Lite before 20.10.0 allows remote attackers to spoof the address bar.

Kirtikumar Anandrao Ramchandani

Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.

Kirtikumar Anandrao Ramchandani

Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.

Kirtikumar Anandrao Ramchandani

Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.

Kirtikumar Anandrao Ramchandani

An elevation of privilege vulnerability exists in Yandex Browser prior to 22.5.0.826.

An elevation of privilege vulnerability exists in Yandex Browser prior to 21.9.0.390.

An elevation of privilege vulnerability exists in Yandex Browser prior to 22.3.3.801.

An elevation of privilege vulnerability exists in Yandex Browser prior to 22.3.3.684.

CVE-2022-28226: Яндекс Охота в Браузере

Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Xakuro's XO Slider plugin <= 3.3.2 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

680aa33be28a

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-06-14

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress XO Slider plugin (versions <= 3.3.2).

**Solution**

Update the WordPress XO Slider plugin to the latest available version (at least 3.3.3).

**References**

CVE-2022-32280: WordPress XO Slider plugin <= 3.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Subscription-Manager v1.0 /main.js has a cross-site scripting (XSS) vulnerability in the machineDetail parameter.

**Vulnerability file:**

/main.js

let machine\_edit\_component \= Vue.component('Machine\_edit\_component',{
    template:\`
        <div class="container">
            <div id="machine-edit">
                <h2>✍ 正在编辑-{{machineDetail.name}} <span @click="goBack">🔙 返回</span><span @click="goDelete">🗑️ 删除</span></h2>
                <br/>
                <h3>基本信息</h3>
                <br/>
                <div class="form-input-material">
                    <input
                        class="form-control-material"
                        type="text"
                        name="name"
                        id="name"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.name"
                    />
                    <label for="name">小鸡名</label>
                </div>    
                <br/><br/>
                <div class="form-input-material">    
                    <input
                        class="form-control-material"
                        type="text"
                        name="fee"
                        id="fee"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.fee"
                    />
                    <label for="fee">每月费用</label>
                </div>  
                <br/><br/>  
                <div class="form-input-material">      
                    <input
                        class="form-control-material"
                        type="text"
                        name="host"
                        id="host"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.HOST"
                    />
                    <label for="host">主机商</label>
                </div>   
                <br/><br/> 
                <div class="form-input-material">      
                    <input
                        class="form-control-material"
                        type="text"
                        name="location"
                        id="location"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.location"
                    />
                    <label for="location">位置</label>
                </div>    
                <br/><br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="ip"
                        id="ip"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.ip"
                    />
                    <label for="ip">IP</label>
                </div>    
                <br/><br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="panel"
                        id="panel"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.panel"
                    />
                    <label for="panel">面板地址</label>
                </div>    
                <br/>
                <br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="deadline"
                        id="deadline"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.deadline"
                    />
                    <label for="deadline">过期日期(yyyy-mm-dd)</label>
                </div> 
                <br/>
                <br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="cycle"
                        id="cycle"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.cycle"
                    />
                    <label for="cycle">付款周期(天)</label>
                </div>
                <br/>
                <h3>自动续费开关</h3>
                    <div class="form-check">
                        <input type="radio" class="form-check-input bounce" id="auto-true" value="1" v-model="machineDetail.auto"/>
                        <label class="form-check-label" for="auto">自动续费</label>
                    </div>
                    <div class="form-check">
                        <input type="radio" class="form-check-input bounce" id="auto-false" value="0" v-model="machineDetail.auto"/>
                        <label class="form-check-label" for="auto">算了</label>
                    </div>
                <h3>加入收藏</h3>
                    <div class="form-check">
                        <input type="radio"  class="form-check-input bounce" value="1" v-model="machineDetail.liked"/>
                        <label class="form-check-label" for="liked">这必须收藏</label>
                    </div>
                    <div class="form-check">
                        <input type="radio" class="form-check-input bounce" value="0" v-model="machineDetail.liked"/>
                        <label class="form-check-label" for="liked">算了</label>
                    </div>
                    <br/>
                    <h3>备注</h3>
                    <textarea name="info" id="" cols="30" rows="10" v-model="machineDetail.info"></textarea>
                    <br><br>
                <button class="btn btn-primary" @click="update">保存</button>
                </div>
            </div>
        </div>
    \`,
    data:function (){
        return {
            machineDetail : \[\],
            logged: false
        }
    },
    methods:{
        getDetail: function(){
            let url \= window.location.href.replace(window.location.hash,'');
            axios.get(url + 'X/index.php?action=getMachineDetail&id=' + this.$route.params.id)
                .then((response)\=>{
                    this.machineDetail \= response.data\[0\]
               })
        },
        goBack: function(){
            this.$router.go(\-1)
        },
        goDelete: function(){
            this.$router.push({path:'/machine/'+this.$route.params.id+'/delete'})
        },
        update: function(){
            if(this.machineDetail\['name'\] !== '' && this.machineDetail\['liked'\] !== '' && this.machineDetail\['deadline'\] !== '' && this.machineDetail\['location'\] !== '' && this.machineDetail\['fee'\] !== '' && this.machineDetail\['cycle'\] !== '' && this.machineDetail\['auto'\] !== '' && this.machineDetail\['panel'\] !== ''  && this.machineDetail\['info'\] !== '' && this.machineDetail\['HOST'\] !== '' && this.machineDetail\['ip'\] !== ''){
                let url \= window.location.href.replace(window.location.hash,'');
                axios.get(url + 'X/index.php?action=updateMachineDetail&id='+this.$route.params.id + '&name='+this.machineDetail\['name'\]+'&liked='+this.machineDetail\['liked'\]+'&deadline='+this.machineDetail\['deadline'\]+'&location='+this.machineDetail\['location'\]+'&fee='+this.machineDetail\['fee'\]+'&cycle='+this.machineDetail\['cycle'\]+'&auto='+this.machineDetail\['auto'\]+'&panel='+this.machineDetail\['panel'\]+'&info='+this.machineDetail\['info'\]+'&HOST='+this.machineDetail\['HOST'\]+'&ip='+this.machineDetail\['ip'\])
                    .then((response)\=>{
                        if(response.data \=== 1){
                            alert("编辑成功")
                            this.$router.go(\-1)
                        }
                    })
            }else{
                alert('有什么东西没填完？');
            }
        }
    },
    mounted(){
        this.logged \= Cookies.get('UserStatus')
        if (this.logged !== 'true') {
            this.$router.push({path: '/u'})
        }
        this.getDetail();
    }
})

In the main.js file, the machineDetail parameter and the machineDetail parameter under the machineDetail.info method are controllable, and the machineDetail parameter is not strictly filtered, causing XSS injection vulnerabilities!

POC

    /X/index.php?action=updateMachineDetail&id=1&name=测试机&liked=1&deadline=2020-12-10&location=深圳&fee=10&cycle=30&auto=0&panel=baidu.com&info=<img src="x" onerror="alert(1);">&HOST=阿里云&ip=1.1.1.1

CVE-2021-41415: Subscription-Manager v1.0 /main.js hava a XSS Vulnerability · Issue #2 · youranreus/Subscription-Manager

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Nicdark's Hotel Booking plugin <= 3.0 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Welcome to Hotel Booking WP plugin**

This plugin is an useful system to manage all your booking.

1.  Install and activate the plugin.

This plugin works fine as he promised, but have the worst html I've ever seen. All classes have a generic name, css customizations are impossible.

Sorry to say but html outputs from this plugin have the worst code quality I've ever seen. Everything have same class, no way to select specific element to apply custom css. If they want to apply 10px height, they have a class for that. Background white, another class for that and bla bla bla. This is the way this plugin shows button: <a style="border:2px solid #78635a; color:#78635a;" href=".." class="nd\_booking\_padding\_15\_30\_important nd\_options\_second\_font\_important nd\_booking\_border\_radius\_0\_important nd\_booking\_background\_color\_transparent\_important nd\_booking\_cursor\_pointer nd\_booking\_display\_inline\_block nd\_booking\_font\_size\_11 nd\_booking\_font\_weight\_bold nd\_booking\_letter\_spacing\_2" target="\_self">BOOK NOW FROM 25 $</a> Every element have same classes but not a single unique class to identify what the element is. This makes it impossible to customize elements

Excellent, but missing possibility to set up accommodation for children. For example: Room for two adults + one child (free).

a good plugin with great potential

Easy to use plugin, very good / luxury looking , you can see it there \[ link redacted \] Unfortunately it doesn't suit my particular needs so i had to uninstall it. Thank for your job.

Read all 6 reviews

“Hotel Booking” is open source software. The following people have contributed to this plugin.

Contributors

*    nicdark

**3.3**

*   improved sanitation on POST requests

**3.2**

*   Improved plugin security ( added realpath(), Data Sanitization/Escaping variables )
*   Added wpdb::prepare() function on db query

**3.1**

*   added layout 2 on room post grid ( elementor )
*   added images size option on room post grid ( elementor )
*   fixed math.round night number in single room
*   fixed maj text on calendar

**3.0**

*   elementor compatibility 3.6

**2.9**

*   added order elementor component
*   added steps elementor component
*   added static shortcode room
*   added static shortcode branch

**2.8**

*   added 3rd color in plugin colors
*   added themes label in admin plugin options
*   created mtbs woo on integration room options for link the room to woo product
*   added nd\_booking\_qnt\_room\_bookable() function for add availability alert on search page room preview
*   added mandatory additional service ( example : cleaning fee )
*   added elementor search and rooms post grid component
*   added ical download reservations

**2.7**

*   added alert messages addons
*   added info price icon addons on room preview in the search page
*   added branch selector addons in the search page

**2.6**

*   updated metabox function for save all datas in db ( deleted all empty meta datas )
*   changed exceptions date format
*   changed single room layout

**2.5**

*   added nonce on ajax calls

**2.4.2**

*   sanitize POST and REQUEST calls
*   added wp\_remote\_get() function for external requests ( stripe,paypal )

**2.4.1**

*   sanitize, validate, and escape all datas on POST and GET requests
*   improved plugins\_url()
*   added nonce on ajax calls
*   removed import/export feature

**2.4**

*   added some IDs on elements

**2.3.9**

*   added compatibility with latest wp version

**2.3.8**

*   added the possibility to change the slug for custom post type 1
*   improved the export option feature

**2.3.7**

*   changed some 404 static link

**2.3.6**

*   fixed post\_id null variable on paypal payment

**2.3.5**

*   add new layout 5 on rooms component
*   add new layout 2 on search component
*   added new classes on style.css
*   implemented ajax services filter on search results shortcode
*   updated .pot file

**2.3.4**

*   added the possibility to blog the reservation on certain days
*   added minimum booking days option

**2.3.3**

*   updated languages .pot file
*   added Stripe payment methods addon
*   added VAT and City TAX management
*   added the possibility to add orders via admin panel

**2.3.2**

*   updated languages .pot file
*   added the possibility to link translated room with its default room when using WPML
*   fixed date format when user book a room in the current day

**2.3.1**

*   fixed special characters in order notification emails
*   added wp\_mail() function to send email notifications

**2.3.0**

*   show all rooms in calendar view dashboard feature
*   added new translations strings on email template
*   added new translations strings on thank you and order page
*   fixed week price problem on single room page
*   extended the custom link feature for single room page

**2.2.9**

*   direct booking access from the single room page

**2.2.8**

*   updated .pot language file
*   updated date picker language with date\_i18n function
*   added register and login alert on booking step

**2.2.7**

*   added calendar view for better orders management

**2.2.6**

*   added coupon management
*   added price guests options on plugin settings

**2.2.5**

*   added new quantity options on room settings metabox

**2.2.4**

*   added the possibility to set in plugin settings the price range values on the search archive page.

**2.2.3**

*   added translations for date picker
*   added action parameter on search visual composer component for WPML integration
*   updated nd-booking.pot file with new translations

**2.2.2**

*   added email notification templates
*   solved integer night number on search shortcode

**2.2.1**

*   update nd\_booking\_get\_room\_link() function

**2.2**

*   improve external booking integration implementation

**2.1**

*   added layout-2 for steps and orders components ( for better color management )
*   added ID in some elements
*   added some new css rules

**2.0**

*   create new cpt
*   create new metabox

**1.0**

*   Initial version

Tag

#xss