Vulnerabilities

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL’s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: Always pass notifications when child class becomes empty<br /> <br /> Certain classful qdiscs may invoke their classes&amp;#39; dequeue handler on an<br /> enqueue operation. This may unexpectedly empty the child qdisc and thus<br /> make an in-flight class passive via qlen_notify(). Most qdiscs do not<br /> expect such behaviour at this point in time and may re-activate the<br /> class eventually anyways which will lead to a use-after-free.<br /> <br /> The referenced fix commit attempted to fix this behavior for the HFSC<br /> case by moving the backlog accounting around, though this turned out to<br /> be incomplete since the parent&amp;#39;s parent may run into the issue too.<br /> The following reproducer demonstrates this use-after-free:<br /> <br /> tc qdisc add dev lo root handle 1: drr<br /> tc filter add dev lo parent 1: basic classid 1:1<br /> tc class add dev lo parent 1: classid 1:1 drr<br /> tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1<br /> tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0<br /> tc qdisc add dev lo parent 2:1 handle 3: netem<br /> tc qdisc add dev lo parent 3:1 handle 4: blackhole<br /> <br /> echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888<br /> tc class delete dev lo classid 1:1<br /> echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888<br /> <br /> Since backlog accounting issues leading to a use-after-frees on stale<br /> class pointers is a recurring pattern at this point, this patch takes<br /> a different approach. Instead of trying to fix the accounting, the patch<br /> ensures that qdisc_tree_reduce_backlog always calls qlen_notify when<br /> the child qdisc is empty. This solves the problem because deletion of<br /> qdiscs always involves a call to qdisc_reset() and / or<br /> qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing<br /> the following qdisc_tree_reduce_backlog() to report to the parent. Note<br /> that this may call qlen_notify on passive classes multiple times. This<br /> is not a problem after the recent patch series that made all the<br /> classful qdiscs qlen_notify() handlers idempotent.

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files.

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

An incorrect authorisation check in the the &amp;#39;plant transfer&amp;#39; function of the Growatt cloud service allowed a malicous attacker with a valid account to transfer any plant into his/her account.

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;epay&amp;#39; shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;livestream&amp;#39; shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Temporarily Hidden Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;temphc-start&amp;#39; shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;martinus&amp;#39; shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the &amp;#39;avishi-wp-paypal-payment-button/index.php&amp;#39; page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.