Blog

DescriptionContact Form Clean and Simple is vulnerable to Authenticated stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. This code will then be executed on every page with the contact form on the front-end....

Proof of Concept Vulnerable code is from like 68 to 84. The code gets the value of option `bm_row_amount` from database and matches it with the GET request `row_amount`. If they do not match then it updates the option `bm_row_amount` with the provided GET value. If...

<html> <form action="https://[WP]/wp-admin/admin.php?page=marketo_fat" method="POST" id="csrf"> <input type="text" name="marketo_save" value="true"> <input type="text" name="marketo[marketo_id]"...

Proof of Concept It is possible to login as any administrator on the site due to logical mistakes in the code. The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This checks if the request_params array of the core class is not...

DescriptionReflected Cross Site Scripting (XSS) issue on the [ld_profile] search field. First reported to Learndash on January 14, 2020, and update 3.1.2 to fix it was released same day. This report is based on an email LearnDash sent out to their users on January 14,...

Proof of Concept It is possible to login as an administrator on the site due to logical mistakes in the code. The issue resides in wptc-cron-functions.php line 12 where it parses the request. This parse_request function calls the function decode_server_request_wptc...

DescriptionThe export_users_csv function, registered as an authenticated AJAX call and allowing to export users, was missing the authorisation/capability check. CSRF check was in place, reducing the severity of the issue. Only version 1.15 seems to be affected as the...

Description"A code injection vulnerability was discovered by our team during a routine code audit that could allow logged in contributors, authors and editors to execute a small set of PHP functions." Affected: Divi version 3.23 and above, Extra 2.23 and above Divi...

DescriptionThe gdpr_cookie_compliance_reset_settings AJAX action registered for authenticated users lacks authorisation and CSRF checks, allowing unauthorised authenticated users to call it, which would result in the settings being reset.