CVE-2022-3477 The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper and Newsmag WordPress themes, doesn't properly implement Facebook login, which allows attackers to login as any user.

Description

tagDiv Composer is the page-builder plugin that ships with, and is required by, the commercial Newspaper and Newsmag WordPress themes from tagDiv. Versions of the plugin before 3.5 do not properly implement the "Login with Facebook" feature: an unauthenticated attacker who knows a user's email address can be logged in as that user. Affected versions are tagDiv Composer before 3.5, as bundled with Newspaper before 12.1 and Newsmag before 5.2.2.

The advisory does not publish the root cause. The described impact (login as any user from nothing more than their email address) is what results when the server trusts the identity returned by the client-side Facebook SDK flow, typically the email in the posted profile, instead of verifying the access token with Facebook server-side and matching the provider's user id against an account that was previously linked.

Impact

Unauthenticated account takeover of any user on the site, including administrators, with no interaction from the victim. The attacker needs only the target's email address; administrator email addresses are often guessable or exposed through author pages and the REST API.

Remediation

Update tagDiv Composer to 3.5 or later; Newspaper 12.1 and Newsmag 5.2.2 bundle the fixed plugin. Because the plugin is distributed with the theme rather than from the WordPress.org plugin directory, confirm the installed version directly (for example with `wp plugin list` in WP-CLI, or under Plugins in wp-admin) rather than relying on theme update notices. If the update cannot be applied immediately, consider disabling Facebook login in the theme's login settings until it can. After updating, review recent logins and administrator accounts for activity not explained by legitimate users.
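To make the failure mode concrete, the following is an added example written for this page, not code from tagDiv Composer or WordPress. It models a social-login handler in two forms: the vulnerable pattern that looks the user up by a client-supplied email, and a hardened handler that only accepts an opaque access token, introspects it against the identity provider server-side (Facebook's GET /debug_token is the real equivalent), checks that the token was issued to this site's app, and matches on the provider user id stored at link time. The user table, app id, token format and `FakeGraphAPI` class are all constructed stand-ins; the root cause it illustrates is inferred from the described impact, not published in the advisory.

```python
# Added example (not code from tagDiv Composer or WordPress): a minimal model of
# trusting a client-supplied email for social login versus verifying the token
# with the provider. All names, ids and the provider stub are constructed.
import secrets
from typing import Optional

APP_ID = "1234567890"  # hypothetical Facebook app id the site is registered under

# Constructed stand-in for the WordPress user table. Only alice has linked Facebook.
USERS = {
    1: {"login": "alice", "email": "alice@example.com", "fb_uid": "fb-alice-001"},
    2: {"login": "admin", "email": "admin@example.com", "fb_uid": None},
}


class FakeGraphAPI:
    """Stand-in for the provider's token-introspection endpoint
    (Facebook's GET /debug_token). Tokens are bound to (app, user)."""

    def __init__(self) -> None:
        self._tokens: dict[str, tuple[str, str, str]] = {}

    def issue_token(self, app_id: str, fb_uid: str, email: str) -> str:
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (app_id, fb_uid, email)
        return tok

    def debug_token(self, tok: str) -> dict:
        rec = self._tokens.get(tok)
        if rec is None:
            return {"is_valid": False}
        app_id, fb_uid, email = rec
        return {"is_valid": True, "app_id": app_id, "user_id": fb_uid, "email": email}


def vulnerable_login(request: dict) -> Optional[str]:
    """Vulnerable pattern: the browser posts the profile it received from the
    client-side SDK and the server looks the user up by that email without
    verifying anything. An attacker needs only the victim's email address."""
    email = request.get("email")
    for user in USERS.values():
        if user["email"] == email:
            return user["login"]  # a session would be created here
    return None


def hardened_login(request: dict, provider: FakeGraphAPI) -> Optional[str]:
    """Hardened pattern: the only client input is the opaque access token.
    Identity comes from the provider's server-to-server answer, the token must
    be valid and issued to *our* app, and the match is on the provider user id
    stored when the account was linked, never on a client-supplied email."""
    tok = request.get("access_token")
    if not tok:
        return None
    info = provider.debug_token(tok)
    if not info.get("is_valid") or info.get("app_id") != APP_ID:
        return None  # forged, expired, or minted for a different app
    for user in USERS.values():
        if user["fb_uid"] is not None and user["fb_uid"] == info["user_id"]:
            return user["login"]
    return None  # no account linked to this identity: do not auto-link by email


def demo() -> dict:
    """Runs the attacker's and a legitimate user's requests against both handlers."""
    provider = FakeGraphAPI()
    legit = provider.issue_token(APP_ID, "fb-alice-001", "alice@example.com")
    other_app = provider.issue_token("9999", "fb-alice-001", "alice@example.com")
    return {
        "vuln_attacker": vulnerable_login({"email": "admin@example.com"}),
        "hard_attacker_email": hardened_login({"email": "admin@example.com"}, provider),
        "hard_forged": hardened_login({"access_token": "not-a-real-token"}, provider),
        "hard_other_app": hardened_login({"access_token": other_app}, provider),
        "hard_legit": hardened_login({"access_token": legit}, provider),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `hard_other_app` case is the check most often skipped in real implementations: a token that is valid for some other Facebook app still introspects as valid, so without the app-id comparison an attacker can replay a token their own app obtained from the victim. Refusing to auto-link by email is the second defence; the email returned by a provider is not proof that the site's account with the same address belongs to the token holder.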

Timeline

Published on: 11/14/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:04:00 UTC

References