Vulnerabilities

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ipset: add missing range check in bitmap_ip_uadt<br /> <br /> When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,<br /> the values of ip and ip_to are slightly swapped. Therefore, the range check<br /> for ip should be done later, but this part is missing and it seems that the<br /> vulnerability occurs.<br /> <br /> So we should add missing range checks and remove unnecessary range checks.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> initramfs: avoid filename buffer overrun<br /> <br /> The initramfs filename field is defined in<br /> Documentation/driver-api/early-userspace/buffer-format.rst as:<br /> <br /> 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data<br /> ...<br /> 55 ============= ================== =========================<br /> 56 Field name Field size Meaning<br /> 57 ============= ================== =========================<br /> ...<br /> 70 c_namesize 8 bytes Length of filename, including final \0<br /> <br /> When extracting an initramfs cpio archive, the kernel&amp;#39;s do_name() path<br /> handler assumes a zero-terminated path at @collected, passing it<br /> directly to filp_open() / init_mkdir() / init_mknod().<br /> <br /> If a specially crafted cpio entry carries a non-zero-terminated filename<br /> and is followed by uninitialized memory, then a file may be created with<br /> trailing characters that represent the uninitialized memory. The ability<br /> to create an initramfs entry would imply already having full control of<br /> the system, so the buffer overrun shouldn&amp;#39;t be considered a security<br /> vulnerability.<br /> <br /> Append the output of the following bash script to an existing initramfs<br /> and observe any created /initramfs_test_fname_overrunAA* path. E.g.<br /> ./reproducer.sh | gzip &gt;&gt; /myinitramfs<br /> <br /> It&amp;#39;s easiest to observe non-zero uninitialized memory when the output is<br /> gzipped, as it&amp;#39;ll overflow the heap allocated @out_buf in __gunzip(),<br /> rather than the initrd_start+initrd_size block.<br /> <br /> ---- reproducer.sh ----<br /> nilchar="A" # change to "\0" to properly zero terminate / pad<br /> magic="070701"<br /> ino=1<br /> mode=$(( 0100777 ))<br /> uid=0<br /> gid=0<br /> nlink=1<br /> mtime=1<br /> filesize=0<br /> devmajor=0<br /> devminor=1<br /> rdevmajor=0<br /> rdevminor=0<br /> csum=0<br /> fname="initramfs_test_fname_overrun"<br /> namelen=$(( ${#fname} + 1 )) # plus one to account for terminator<br /> <br /> printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \<br /> $magic $ino $mode $uid $gid $nlink $mtime $filesize \<br /> $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname<br /> <br /> termpadlen=$(( 1 + ((4 - ((110 + $namelen) &amp; 3)) % 4) ))<br /> printf "%.s${nilchar}" $(seq 1 $termpadlen)<br /> ---- reproducer.sh ----<br /> <br /> Symlink filename fields handled in do_symlink() won&amp;#39;t overrun past the<br /> data segment, due to the explicit zero-termination of the symlink<br /> target.<br /> <br /> Fix filename buffer overrun by aborting the initramfs FSM if any cpio<br /> entry doesn&amp;#39;t carry a zero-terminator at the expected (name_len - 1)<br /> offset.

The The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via form_preview_shortcode AJAX action in all versions up to, and including, 1.4.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. This was partially fixed in version 1.4.8.

The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func, penci_more_post_ajax_func, and penci_more_featured_post_ajax_func. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. The exploitability of this is limited to Windows.

The Verowa Connect plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;search_string&amp;#39; parameter in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The KiviCare – Clinic &amp; Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;visit_type[service_id]&amp;#39; parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile &amp; User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.0.51. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

The Online Booking &amp; Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_user_data_callback() function in all versions up to, and including, 4.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts and update settings.

The WP Media Optimizer (.webp) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpmowebp-css-resources’ and &amp;#39;wpmowebp-js-resources&amp;#39; parameters in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Gold Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate() and deactivate() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses.

The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.