The method Lowerer::LowerSetConcatStrMultiItem is used to generate machine code that concatenates strings. At (a), there is no check for integer overflow. Chakra represents concatenated strings as string chains (the ConcatString class), so triggering the bug does not require much memory. The proof-of-concept code creates a string of length 0x10000 and then concatenates it with a string of length 0x10000, resulting in an integer overflow.
Whenever a user edits a message with <extarea> inside the body, everything after the <extarea> is executed in the user's browser. This affects every version up to 4.0.20.
The plugin implements the AJAX action `wpdm-install-addon`, which calls the function `wpdm_install_addon`. This function takes no anti-CSRF measures, so it is susceptible to CSRF attacks. What makes the function interesting is that it provides plugin-installation functionality for admin users: the origin of the package is taken from `$_REQUEST['addon']`, if set, without any validation. A malicious actor can exploit this to install a malicious plugin on the vulnerable site. The package does not even need to be a valid plugin; it only needs to contain malicious code. Because the package is extracted into the `/wp-content/plugins/` directory with its original folder structure intact, an attacker can leverage the CSRF to upload malicious code and then execute it on the compromised server.
The plugin implements the AJAX action `admin_menu_tree_page_view_add_page`, whose callback is the function `admin_menu_tree_page_view_add_page`. The latter implements no anti-CSRF controls or other security checks. Through a CSRF attack, an attacker can achieve persistent XSS if the victim has administrative rights (see PoC). The AJAX action is registered as a privileged one, so it is only reachable by logged-in users; even so, it performs no capability check, so every registered user can reach it regardless of role. Any registered user can therefore create arbitrary posts.
The plugin implements the AJAX action `cms_tpv_add_page`, whose callback is the function `cms_tpv_add_page`. The latter implements no anti-CSRF controls or other security checks. Through a CSRF attack, an attacker can achieve persistent XSS if the victim has administrative rights (see PoC). The AJAX action is registered as a privileged one, so it is only reachable by logged-in users; even so, it performs no capability check, so every registered user can reach it regardless of role. Any registered user can therefore create arbitrary posts.
The plugin implements the AJAX action `acx_asmw_saveorder`, whose callback is the function `acx_asmw_saveorder_callback`. The latter implements no anti-CSRF controls, allowing a malicious actor to mount an attack that updates the plugin-specific option `social_widget_icon_array_order`. Leveraging the CSRF can lead to persistent XSS (see PoC): the payload is served when a user with the right privileges visits the plugin's settings page (`wp-admin/admin.php?page=Acurax-Social-Widget-Settings`).
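The four WordPress advisories above share one root cause: a `wp_ajax_*` handler that trusts the session alone, with no nonce and no capability check, and then stores or acts on raw request data. The following is an added example, not code from any of those plugins, showing that shape next to a hardened handler. The plugin prefix `myplugin`, the action `myplugin_save_order`, the option `myplugin_icon_order` and the icon keys are hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `esc_attr`, and so on) are real core APIs.

```php
<?php
/*
 * Added example (hypothetical plugin "myplugin"), not the code of any plugin
 * named in the advisories. Models an "save icon order" AJAX action that stores
 * an option later rendered on a settings page.
 */

/* --- Vulnerable shape: no nonce, no capability check, raw input stored and echoed --- */
add_action( 'wp_ajax_myplugin_save_order_vuln', 'myplugin_save_order_vuln' );
function myplugin_save_order_vuln() {
    // wp_ajax_* only requires *some* logged-in session, so a subscriber reaches
    // this; and because nothing in the request is unguessable by a third party,
    // a CSRF page can drive an administrator's browser here as well.
    update_option( 'myplugin_icon_order', $_REQUEST['order'] );
    wp_die( 'saved' );
}

function myplugin_render_settings_vuln() {
    // The stored value is echoed without escaping: a payload saved above runs in
    // the admin's browser when the settings page is opened (persistent XSS).
    echo '<input name="order" value="' . get_option( 'myplugin_icon_order' ) . '">';
}

/* --- Hardened shape --- */
add_action( 'wp_ajax_myplugin_save_order', 'myplugin_save_order' );
function myplugin_save_order() {
    // 1. CSRF: require a nonce minted for this action and this user.
    //    check_ajax_referer() terminates the request with -1 when it does not verify.
    check_ajax_referer( 'myplugin_save_order', 'nonce' );

    // 2. Authorization: being logged in is not enough; demand a capability that
    //    matches the effect of the action (here: changing plugin settings).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: the order is a list of icon keys, so accept only a
    //    known alphabet rather than "sanitizing" free text.
    $raw   = isset( $_POST['order'] ) ? wp_unslash( $_POST['order'] ) : '';
    $order = myplugin_validate_order( $raw );
    if ( null === $order ) {
        wp_send_json_error( 'invalid order', 400 );
    }

    update_option( 'myplugin_icon_order', implode( ',', $order ) );
    wp_send_json_success();
}

// Whitelist validation: comma-separated keys drawn from a fixed set, no duplicates.
function myplugin_validate_order( $raw ) {
    $allowed = array( 'facebook', 'twitter', 'linkedin', 'youtube' ); // hypothetical icon set
    $parts   = array_map( 'sanitize_key', explode( ',', (string) $raw ) );
    if ( count( $parts ) !== count( array_unique( $parts ) ) ) {
        return null;
    }
    foreach ( $parts as $p ) {
        if ( ! in_array( $p, $allowed, true ) ) {
            return null;
        }
    }
    return $parts;
}

function myplugin_render_settings() {
    // Escape on output regardless of input validation: defence in depth in case
    // the option is ever written by another code path.
    $order = get_option( 'myplugin_icon_order', '' );
    echo '<input name="order" value="' . esc_attr( $order ) . '">';
}

// The admin page that issues the request is given the nonce, e.g. via wp_localize_script().
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );
function myplugin_enqueue_admin_js() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_save_order' ),
    ) );
}
```

The same three checks apply to the add-page and install-addon handlers: the capability would be `publish_pages` (or `edit_pages`) for creating pages and `install_plugins` for installing a package, and for the install case the package source must additionally be restricted to a trusted origin rather than taken from `$_REQUEST['addon']`. A useful review check for any plugin is to list every `add_action( 'wp_ajax_...' )` and `'wp_ajax_nopriv_...'` registration and confirm that each callback starts with a nonce verification and a `current_user_can()` test before touching `$_POST`/`$_REQUEST`.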
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL injection via the event_id parameter to event.php. To exploit it, use a UNION SELECT with 29 columns; columns 2 and 25 can be used to return data for information gathering.
An unauthenticated user can access downloads.php and read arbitrary files on the server by supplying a path in the `file` GET parameter; an attacker can thereby disclose wp-config.php or any other readable file.
A vulnerability in the nt!NtQuerySystemInformation system call with the 138 information class can be exploited to disclose portions of uninitialized kernel pool memory to user-mode clients. The issue is caused by the internal nt!ExpQueryMemoryTopologyInformation function not properly initializing the output buffer. On Windows 10 version 1709 32-bit systems, the output size is 0x70 (112) bytes and 12 bytes in three 4-byte chunks of consecutive memory are not properly initialized and contain leftover data from the kernel pool. The issue can be reproduced by running a proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe.
Chakra fails to detect that "tmp" escapes its scope and allocates it on the stack. This can lead to dereferencing uninitialized stack values. In the proof-of-concept code, calling the function opt() allocates the variable tmp on the stack; when the function main() is subsequently called, tmp is dereferenced, which reads uninitialized stack values.