CVE-2024-3210
Published 2024-04-10
Priority: P4 · 24
CVSS 3.1: 5.4 Medium · AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.43% (34.8th percentile)
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'reg-single-checkbox' shortcode in all versions up to, and including, 4.15.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
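The mechanism behind this advisory, as an added example that is not the ProfilePress plugin's code: a constructed JavaScript shortcode renderer (the plugin itself is PHP) that shows how an attribute value echoed without escaping becomes a stored XSS, and the context-correct escaping that closes the hole. In WordPress the equivalent fix is `esc_attr()` / `esc_html()` for values placed in attributes and text, and `sanitize_html_class()` for class names. `parseShortcode`, `renderVulnerable`, `renderHardened`, `escHtml`, `sanitizeClass`, `attributeNames`, the `id`/`class`/`label` attributes and the payload are this example's own names and data; only the shortcode tag `reg-single-checkbox` comes from the advisory.

```javascript
// Constructed example, not the plugin's code: unescaped shortcode attributes
// versus context-correct escaping.

// Permissive [tag key="v" key2='v2' key3=v3] parser. Values are taken verbatim,
// including quotes of the other kind, which is what lets an attacker smuggle a
// double quote into a double-quoted HTML attribute.
const SHORTCODE_RE = /^\[([a-zA-Z_][\w-]*)([^\]]*)\]$/;
const ATT_RE = /([a-zA-Z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))/g;

function parseShortcode(src) {
  const m = SHORTCODE_RE.exec(src.trim());
  if (!m) throw new Error('not a shortcode');
  const atts = {};
  for (const a of m[2].matchAll(ATT_RE)) atts[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
  return { tag: m[1], atts };
}

// Vulnerable pattern: contributor-controlled attribute values are interpolated
// straight into HTML attributes and text content.
function renderVulnerable({ atts }) {
  const id = atts.id ?? 'ppress-checkbox';
  const cls = atts.class ?? '';
  const label = atts.label ?? '';
  return `<input type="checkbox" id="${id}" class="${cls}">` +
         `<label for="${id}">${label}</label>`;
}

// Hardened pattern: escape for the context each value lands in. escHtml does
// what WordPress esc_attr()/esc_html() do for these five characters;
// sanitizeClass follows sanitize_html_class() by dropping everything that is
// not a class-name character.
function escHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' }[c]
  ));
}
function sanitizeClass(s) {
  return String(s).replace(/[^A-Za-z0-9_-]/g, '');
}
function renderHardened({ atts }) {
  const id = escHtml(atts.id ?? 'ppress-checkbox');
  const cls = sanitizeClass(atts.class ?? '');
  const label = escHtml(atts.label ?? '');
  return `<input type="checkbox" id="${id}" class="${cls}">` +
         `<label for="${id}">${label}</label>`;
}

// Attribute names that actually end up on the <input> element, so it is
// visible whether the injected event handler became a real attribute.
function attributeNames(html) {
  const tag = /<input\b([^>]*)>/i.exec(html);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z][\w-]*)\s*=\s*"[^"]*"/g)].map((m) => m[1].toLowerCase());
}

// Constructed payload, the kind of shortcode a contributor could save in a post.
// The single-quoted id value carries a double quote that closes id="..." early.
const PAYLOAD = `[reg-single-checkbox id='x" autofocus onfocus="alert(1)' label="<img src=x onerror=alert(1)>"]`;

const parsed = parseShortcode(PAYLOAD);
console.log('vulnerable:', renderVulnerable(parsed));
console.log('hardened  :', renderHardened(parsed));
```

The vulnerable render turns the contributor's `id` value into a live `onfocus` handler on the `<input>`; the hardened render keeps the same text but as inert `&quot;`-escaped characters inside the attribute, and the `<img>` in the label becomes visible text rather than a tag. Note that escaping is applied at output time, in the shortcode callback, which is also where the referenced changeset for FieldsShortcodeCallback.php lives.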
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| properfraction | profilepress | < 4.15.6 | 4.15.6 |
The lobehub/chat ranges the aggregator also listed here (< 1.19.13 and < 0.122.4) belong to the cross-linked lobe-chat advisories further down this page, not to CVE-2024-3210.
CVSS provenance
NVD v3.1: 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
The 9.0 CRITICAL GHSA score the aggregator attached here belongs to the cross-linked lobe-chat advisory (CVE-2024-47066), not to CVE-2024-3210. GHSA-8h65-qg72-4ffh, the GitHub advisory for this CVE, is unreviewed and listed as MEDIUM.
GHSA
CVE-2024-47066 [CRITICAL] · CWE-918 · ghsa · 2024-09-23 · CVSS 9.0
lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
### Summary
SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirects and could be bypassed when an attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address.
### PoC
1. Run lobe-chat in a Docker container. In my setup lobe-chat runs on 0.0.0.0:3210.
2. Create a file dummy-server.js with the following content:
```
// Minimal HTTP listener bound to the loopback interface. It logs the path of
// every request it receives, so a hit here shows that the proxy followed the
// redirect to an internal address.
const http = require('http');
console.log('running server');
http.createServer((req, res) => {
  console.log(req.url);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end();
}).listen(3001, 'localhost');
```
And run
```
node dummy-server.js
```
as an example
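The redirect bypass described in the advisory above, with the check that closes it, as an added example that is not lobe-chat's code: a Node fetch wrapper that disables automatic redirects and re-runs the destination check on every hop, against resolved addresses rather than hostname strings. `isPrivateAddress`, `checkHop`, `guardedFetch`, `probe`, the `resolve` callback and the fake DNS/HTTP tables are this example's own names and constructed data; `attacker.example` and `intranet.example` are placeholders.

```javascript
// Constructed example, not lobe-chat's code: re-check the destination on every
// redirect hop instead of trusting only the URL the client supplied.
// IPv4 ranges an outbound fetcher must not reach: "this host", RFC 1918, shared
// address space, loopback, link-local (cloud metadata endpoints), broadcast.
const PRIVATE_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['255.255.255.255', 32],
];

// Dotted quad -> unsigned 32-bit integer; null if not a plain dotted quad.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isPrivateIPv4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
  });
}

// IPv4 or IPv6 literal, with or without URL brackets. Covers the common IPv6
// cases only (loopback, unspecified, mapped IPv4, fc00::/7, fe80::/10).
function isPrivateAddress(addr) {
  let a = addr.trim().toLowerCase();
  if (a.startsWith('[') && a.endsWith(']')) a = a.slice(1, -1);
  if (!a.includes(':')) return isPrivateIPv4(a);
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  if (mapped) return isPrivateIPv4(mapped[1]);
  if (a === '::1' || a === '::') return true;
  return /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
}

// null when the hop may be fetched, otherwise the reason to refuse it. The check
// runs on resolved addresses: blocking the string "127.0.0.1" is useless when
// attacker.example can simply resolve to it.
function checkHop(url, addresses) {
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return `scheme ${url.protocol} not allowed`;
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return `hostname ${host} is local`;
  if (addresses.length === 0) return `hostname ${host} did not resolve`;
  const bad = addresses.find(isPrivateAddress);
  return bad ? `${host} resolves to private address ${bad}` : null;
}

// Redirects are disabled and every Location is re-checked before it is followed.
// resolve(hostname) returns the host's addresses; in production wrap
// dns.promises.lookup(host, { all: true }) and pin the connection to the checked
// address so a second lookup cannot rebind it (pinning is not done here).
async function guardedFetch(target, { fetchImpl = globalThis.fetch, resolve, maxRedirects = 5 } = {}) {
  let url = new URL(target); // WHATWG parsing normalises forms like 2130706433 or 0177.0.0.1 to 127.0.0.1
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const host = url.hostname;
    const literal = host.startsWith('[') || /^(\d{1,3}\.){3}\d{1,3}$/.test(host);
    const reason = checkHop(url, literal ? [host] : await resolve(host));
    if (reason) throw new Error(`blocked hop ${hop} (${url.href}): ${reason}`);
    const res = await fetchImpl(url.href, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (![301, 302, 303, 307, 308].includes(res.status) || !location) return res;
    url = new URL(location, url); // a relative Location resolves against the current hop
  }
  throw new Error(`too many redirects (> ${maxRedirects})`);
}

// Constructed DNS and HTTP tables so the demo runs offline: an attacker-controlled
// redirector on a public address, bouncing to loopback or to an intranet host.
const FAKE_DNS = { 'attacker.example': ['203.0.113.10'], 'intranet.example': ['10.0.0.5'] };
const fakeResolve = async (host) => FAKE_DNS[host] ?? [];
const FAKE_HTTP = {
  'http://attacker.example/loopback': { status: 302, headers: { location: 'http://127.0.0.1:3210/api/proxy' } },
  'http://attacker.example/intranet': { status: 302, headers: { location: 'http://intranet.example/admin' } },
  'http://attacker.example/benign': { status: 200, headers: {} },
};
const fakeFetch = async (href) => {
  const r = FAKE_HTTP[href] ?? { status: 404, headers: {} };
  return { status: r.status, headers: { get: (name) => r.headers[name.toLowerCase()] ?? null } };
};

// One guarded request summarised as a string, so outcomes can be compared.
async function probe(href) {
  try {
    const res = await guardedFetch(href, { fetchImpl: fakeFetch, resolve: fakeResolve });
    return `allowed ${res.status}`;
  } catch (e) {
    return `blocked: ${e.message}`;
  }
}

(async () => {
  for (const path of ['loopback', 'intranet', 'benign']) console.log(path, '->', await probe(`http://attacker.example/${path}`));
})();
```

The first hop to `attacker.example` passes because it resolves to a public address; the guard only refuses once the 302 points at `127.0.0.1` or at a name that resolves into 10/8. A guard that validates the initial URL and then calls `fetch` with its default `redirect: 'follow'` never sees that second hop, which is the gap the advisory describes.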
GHSA
GHSA-8h65-qg72-4ffh · ghsa_unreviewed · 2024-04-10 · CVE-2024-3210 [MEDIUM] · CWE-79
Unreviewed GitHub advisory for this CVE, carrying the same description as above.
GHSA
CVE-2024-24566 [MEDIUM] · CWE-284 · ghsa · 2024-01-31
@lobehub/chat vulnerable to unauthorized access to plugins
### Description:
When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without the password).
### Proof-of-Concept:
Let's suppose that the application has been deployed with the following command:
```
sudo docker run -d -p 3210:3210 -e OPENAI_API_KEY=sk-[REDACTED] -e ACCESS_CODE=TEST123 --name lobe-chat lobehub/lobe-chat
```
Due to the utilization of the `ACCESS_CODE`, access to the chat is possible only after entering the password.
However, it is possible to interact with chat plugins without entering the `ACCESS_CODE`.
Example HTTP request:
```
POST /api/plugin/gateway HTTP/1.1
Host: localhost:3210
Content-Length: 1276

{"apiName":"checkWeatherUsi
```
Suricata
CVE-2016-3210 [HIGH] · suricata · 2016-11-30 · CVSS 8.8
ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30
Cross-linked by identifier similarity only: the two Emerging Threats rules below cover CVE-2016-3210 (Sundown exploit-kit traffic, per the rule metadata) and do not detect CVE-2024-3210.
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_0
Suricata
CVE-2016-3210 [HIGH] · suricata · 2016-11-30 · CVSS 8.8
ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_03_14;)
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/changeset/3067520/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FieldsShortcodeCallback.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4986bc3-ee34-43a6-bad2-9f6665adb35c?source=cve