GD bbPress Attachments 2.5 – Authenticated stored XSS

INFO
Product: GD bbPress Attachments
Version: 2.5
Active installations: 10,000+
Product page: https://it.wordpress.org/plugins/gd-bbpress-attachments/

DESCRIPTION
An authenticated user of a bbPress forum who can attach a file can inject arbitrary JavaScript code via the filename. The injected code runs both on the topic page and in the admin panel, and it only affects administrators, moderators and the attacker. The variable $error['file'] in /code/attachments/front.php (line 349) is not …

My Calendar 2.5.16 – Authenticated stored XSS

INFO
Product: My Calendar
Version: 2.5.16
Active installations: 30,000+
Product page: https://it.wordpress.org/plugins/my-calendar/

DESCRIPTION
An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel. In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.

PROOF OF CONCEPT
My Calendar 2.5.16 is …

WP Live Chat Support 8.0.05 – Stored XSS

INFO
Product: WP Live Chat Support
Version: 8.0.05
Active installations: 50,000+
Product page: https://wordpress.org/plugins/wp-live-chat-support/
CVE: CVE-2018-9864

1. DESCRIPTION
An unauthenticated user could inject arbitrary JavaScript code into the admin panel by using the "Name" text field of WP Live Chat Support. Using a single input point it was possible to inject JavaScript code into two different output points …

Events Manager – Stored XSS

INFO
Product: Events Manager
Version:
Active installations: 100,000+
Product page: https://it.wordpress.org/plugins/events-manager/
CVE: CVE-2018-9020

DESCRIPTION
An unauthenticated user, or a user without privileges, who can submit an event can inject JavaScript code into the Google Maps thumbnail. The malicious code runs in the admin panel when a privileged user opens the submitted event. The problem …

Bookly #1 WordPress Booking Plugin (Lite) 13.2 – Blind Stored XSS

INFO
Product: Bookly #1 WordPress Booking Plugin (Lite Version)
Version: 13.2
Active installations: 10,000+
Product page: https://wordpress.org/plugins/bookly-responsive-appointment-booking-tool/
CVE: CVE-2018-6891

DESCRIPTION
An unauthenticated user can inject arbitrary persistent JavaScript code into the admin panel.

PROOF OF CONCEPT
Bookly Lite 13.2 and Bookly Pro 14.5 are affected, probably even earlier versions. I think the problem is that the jQuery.ajax request is …
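All five advisories on this page share one pattern: a string the attacker controls (a filename, an event time label, a chat "Name", an event submission) is stored and later written into HTML without output escaping, so it executes in the browser of whoever views the topic page or the admin panel. The following is an added example written for this page, not code from any of the listed plugins: a vulnerable render function beside its hardened form, using WordPress's esc_html()/esc_attr() at the output point. The function names, the fallback escapers and the sample payload are assumptions.

```php
<?php
// Added example: the stored-XSS pattern behind the advisories above, shown
// as a vulnerable render function beside its hardened form. Illustrative
// code only, not taken from any of the listed plugins; function names and
// the payload are assumptions.

// Stand-alone fallbacks so the script runs outside WordPress. Inside
// WordPress the real esc_html()/esc_attr() from wp-includes/formatting.php
// are used instead; htmlspecialchars() is the closest plain-PHP equivalent.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the attacker-controlled name goes straight into the markup,
// once as a text node and once inside an attribute. Whoever renders this
// (forum reader, moderator, administrator) runs the script in their own
// session, which is what "stored" XSS means here.
function render_attachment_vulnerable(string $filename, string $url): string {
    return '<p class="attachment">'
         . 'Attached file: ' . $filename
         . ' <a href="' . $url . '" title="' . $filename . '">download</a>'
         . '</p>';
}

// Hardened: escape at the output point with the escaper that matches the
// HTML context. esc_html() for text content, esc_attr() inside attribute
// values; esc_url() would be the right call for the href, but it is
// WordPress-specific, so this example keeps the href out of attacker control.
function render_attachment_hardened(string $filename, string $url): string {
    return '<p class="attachment">'
         . 'Attached file: ' . esc_html($filename)
         . ' <a href="' . esc_attr($url) . '" title="' . esc_attr($filename) . '">download</a>'
         . '</p>';
}

// Constructed payload: a "filename" of this shape breaks out of the title
// attribute and closes the tag, so it triggers in both output contexts.
$payload = 'a.png"><script>alert(document.domain)</script>';
$url     = '/uploads/a.png';

echo "vulnerable: " . render_attachment_vulnerable($payload, $url) . PHP_EOL;
echo "hardened:   " . render_attachment_hardened($payload, $url) . PHP_EOL;
```

Run with `php example.php` and compare the two lines: in the vulnerable output the `<script>` element survives intact, in the hardened output every `<`, `>` and `"` is entity-encoded and the browser shows the payload as text. Input-side filters such as WordPress's sanitize_file_name() only help if the value that is stored and echoed is the filtered one; an error path or admin listing that echoes the raw submitted value, which is what the reports above describe, is only covered by escaping at the output point.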