Vulnerabilities

The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

A vulnerability, which was classified as problematic, was found in PHPGurukul Apartment Visitors Management System 1.0. Affected is an unknown function of the file /visitor-detail.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability, which was classified as problematic, has been found in PHPGurukul Apartment Visitors Management System 1.0. This issue affects some unknown processing of the file /manage-newvisitors.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code.

The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10. via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.

The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in resize.php file in versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

The GI-Media Library plugin for WordPress is vulnerable to Directory Traversal in versions before 3.0 via the 'fileid' parameter. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL’s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: Always pass notifications when child class becomes empty<br /> <br /> Certain classful qdiscs may invoke their classes&amp;#39; dequeue handler on an<br /> enqueue operation. This may unexpectedly empty the child qdisc and thus<br /> make an in-flight class passive via qlen_notify(). Most qdiscs do not<br /> expect such behaviour at this point in time and may re-activate the<br /> class eventually anyways which will lead to a use-after-free.<br /> <br /> The referenced fix commit attempted to fix this behavior for the HFSC<br /> case by moving the backlog accounting around, though this turned out to<br /> be incomplete since the parent&amp;#39;s parent may run into the issue too.<br /> The following reproducer demonstrates this use-after-free:<br /> <br /> tc qdisc add dev lo root handle 1: drr<br /> tc filter add dev lo parent 1: basic classid 1:1<br /> tc class add dev lo parent 1: classid 1:1 drr<br /> tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1<br /> tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0<br /> tc qdisc add dev lo parent 2:1 handle 3: netem<br /> tc qdisc add dev lo parent 3:1 handle 4: blackhole<br /> <br /> echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888<br /> tc class delete dev lo classid 1:1<br /> echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888<br /> <br /> Since backlog accounting issues leading to a use-after-frees on stale<br /> class pointers is a recurring pattern at this point, this patch takes<br /> a different approach. Instead of trying to fix the accounting, the patch<br /> ensures that qdisc_tree_reduce_backlog always calls qlen_notify when<br /> the child qdisc is empty. This solves the problem because deletion of<br /> qdiscs always involves a call to qdisc_reset() and / or<br /> qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing<br /> the following qdisc_tree_reduce_backlog() to report to the parent. Note<br /> that this may call qlen_notify on passive classes multiple times. This<br /> is not a problem after the recent patch series that made all the<br /> classful qdiscs qlen_notify() handlers idempotent.

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files.