• Hi guys,

    Recently a site I delivered for a client had to go through an Acunetix security test. The final result brought back this alert. I am sorry if this question has been answered before, but I wasn't able to find anything. I am sorry as well that I could not share the link for my site, because the client doesn't want to make it public before these alerts are removed.

    Below is the full alert:

    /wp-admin/admin-ajax.php
    Alert group: Cross site scripting
    Severity: High
    Description
    Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
    Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page
    Alert variants
    Details
    URL encoded POST input atts[sk-options][monthly_view][sed_method] was set to
    09945();}]9213
    The input is reflected inside <script> tag.
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Referer: https://smartkosova.rks-gov.net/
    Cookie: comment_author_c1938278c4773c3d9e17d609a75b3d97=1;
    comment_author_email_c1938278c4773c3d9e17d609a75b3d97=sample%40email.tst;
    comment_author_url_c1938278c4773c3d9e17d609a75b3d97=http%3A%2F%2F1;
    wordpress_test_cookie=WP%20Cookie%20check; privacy_embeds=consent,tracking
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Content-Length: 21867
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like

    Thank you so much in advance

    • This topic was modified 3 years, 2 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Installing WordPress topic
Viewing 5 replies - 1 through 5 (of 5 total)
  • Anonymous User 14808221

    (@anonymized-14808221)

    That report is not useful to us without seeing the code, at least, not to me.

    It barely tells me what the report is.
    It should mention a line of code where the vulnerability supposedly exists, and then that code can be analysed and adequately corrected.

    You might want to hire an expert on this however, since security is a complex matter.

    But of course the community here is happy to take a look if you can share the offending code; perhaps we have an idea or suggestion as to how to improve it.

    It seems that something in the POSTed array, either unescaped, not encoded, not validated or not authorised, gets submitted and used as output.
    But it is not clear to me at all what the code actually looks like.

    It also seems that some things in your report got encoded. Perhaps you can make use of 3 backticks (`) when posting code in your follow-up reply; this helps delimit code.

    Thread Starter glaukabazi

    (@glaukabazi)

    Sorry.

    1. Here is the full link with what Acunetix provided for this problem:
    https://ibb.co/C2Q6Mvp
    2. And here is the full code of /wp-admin/admin-ajax.php:

    — WP-ADMIN-AJAX —

    <?php
    /**
     * WordPress Ajax Process Execution
     *
     * @package WordPress
     * @subpackage Administration
     *
     * @link https://codex.www.ads-software.com/AJAX_in_Plugins
     */
    
    /**
     * Executing Ajax process.
     *
     * @since 2.1.0
     */
    define( 'DOING_AJAX', true );
    if ( ! defined( 'WP_ADMIN' ) ) {
    	define( 'WP_ADMIN', true );
    }
    
    /** Load WordPress Bootstrap */
    require_once dirname( __DIR__ ) . '/wp-load.php';
    
    /** Allow for cross-domain requests (from the front end). */
    send_origin_headers();
    
    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
    header( 'X-Robots-Tag: noindex' );
    
    // Require an action parameter.
    if ( empty( $_REQUEST['action'] ) ) {
    	wp_die( '0', 400 );
    }
    
    /** Load WordPress Administration APIs */
    require_once ABSPATH . 'wp-admin/includes/admin.php';
    
    /** Load Ajax Handlers for WordPress Core */
    require_once ABSPATH . 'wp-admin/includes/ajax-actions.php';
    
    send_nosniff_header();
    nocache_headers();
    
    /** This action is documented in wp-admin/admin.php */
    do_action( 'admin_init' );
    
    $core_actions_get = array(
    	'fetch-list',
    	'ajax-tag-search',
    	'wp-compression-test',
    	'imgedit-preview',
    	'oembed-cache',
    	'autocomplete-user',
    	'dashboard-widgets',
    	'logged-in',
    	'rest-nonce',
    );
    
    $core_actions_post = array(
    	'oembed-cache',
    	'image-editor',
    	'delete-comment',
    	'delete-tag',
    	'delete-link',
    	'delete-meta',
    	'delete-post',
    	'trash-post',
    	'untrash-post',
    	'delete-page',
    	'dim-comment',
    	'add-link-category',
    	'add-tag',
    	'get-tagcloud',
    	'get-comments',
    	'replyto-comment',
    	'edit-comment',
    	'add-menu-item',
    	'add-meta',
    	'add-user',
    	'closed-postboxes',
    	'hidden-columns',
    	'update-welcome-panel',
    	'menu-get-metabox',
    	'wp-link-ajax',
    	'menu-locations-save',
    	'menu-quick-search',
    	'meta-box-order',
    	'get-permalink',
    	'sample-permalink',
    	'inline-save',
    	'inline-save-tax',
    	'find_posts',
    	'widgets-order',
    	'save-widget',
    	'delete-inactive-widgets',
    	'set-post-thumbnail',
    	'date_format',
    	'time_format',
    	'wp-remove-post-lock',
    	'dismiss-wp-pointer',
    	'upload-attachment',
    	'get-attachment',
    	'query-attachments',
    	'save-attachment',
    	'save-attachment-compat',
    	'send-link-to-editor',
    	'send-attachment-to-editor',
    	'save-attachment-order',
    	'media-create-image-subsizes',
    	'heartbeat',
    	'get-revision-diffs',
    	'save-user-color-scheme',
    	'update-widget',
    	'query-themes',
    	'parse-embed',
    	'set-attachment-thumbnail',
    	'parse-media-shortcode',
    	'destroy-sessions',
    	'install-plugin',
    	'update-plugin',
    	'crop-image',
    	'generate-password',
    	'save-wporg-username',
    	'delete-plugin',
    	'search-plugins',
    	'search-install-plugins',
    	'activate-plugin',
    	'update-theme',
    	'delete-theme',
    	'install-theme',
    	'get-post-thumbnail-html',
    	'get-community-events',
    	'edit-theme-plugin-file',
    	'wp-privacy-export-personal-data',
    	'wp-privacy-erase-personal-data',
    	'health-check-site-status-result',
    	'health-check-dotorg-communication',
    	'health-check-is-in-debug-mode',
    	'health-check-background-updates',
    	'health-check-loopback-requests',
    	'health-check-get-sizes',
    	'toggle-auto-updates',
    	'send-password-reset',
    );
    
    // Deprecated.
    $core_actions_post_deprecated = array(
    	'wp-fullscreen-save-post',
    	'press-this-save-post',
    	'press-this-add-category',
    	'health-check-dotorg-communication',
    	'health-check-is-in-debug-mode',
    	'health-check-background-updates',
    	'health-check-loopback-requests',
    );
    $core_actions_post            = array_merge( $core_actions_post, $core_actions_post_deprecated );
    
    // Register core Ajax calls.
    if ( ! empty( $_GET['action'] ) && in_array( $_GET['action'], $core_actions_get, true ) ) {
    	add_action( 'wp_ajax_' . $_GET['action'], 'wp_ajax_' . str_replace( '-', '_', $_GET['action'] ), 1 );
    }
    
    if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_post, true ) ) {
    	add_action( 'wp_ajax_' . $_POST['action'], 'wp_ajax_' . str_replace( '-', '_', $_POST['action'] ), 1 );
    }
    
    add_action( 'wp_ajax_nopriv_generate-password', 'wp_ajax_nopriv_generate_password' );
    
    add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
    
    $action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
    
    if ( is_user_logged_in() ) {
    	// If no action is registered, return a Bad Request response.
    	if ( ! has_action( "wp_ajax_{$action}" ) ) {
    		wp_die( '0', 400 );
    	}
    
    	/**
    	 * Fires authenticated Ajax actions for logged-in users.
    	 *
    	 * The dynamic portion of the hook name, `$action`, refers
    	 * to the name of the Ajax action callback being fired.
    	 *
    	 * @since 2.1.0
    	 */
    	do_action( "wp_ajax_{$action}" );
    } else {
    	// If no action is registered, return a Bad Request response.
    	if ( ! has_action( "wp_ajax_nopriv_{$action}" ) ) {
    		wp_die( '0', 400 );
    	}
    
    	/**
    	 * Fires non-authenticated Ajax actions for logged-out users.
    	 *
    	 * The dynamic portion of the hook name, `$action`, refers
    	 * to the name of the Ajax action callback being fired.
    	 *
    	 * @since 2.8.0
    	 */
    	do_action( "wp_ajax_nopriv_{$action}" );
    }
    // Default status.
    wp_die( '0' );

    — the end of wp-admin/admin-ajax.php —

    thank you guys

    Anonymous User 14808221

    (@anonymized-14808221)

    You pasted WordPress core code.
    If that’s flagged and they think this is unsafe, they might as well report it to the WordPress security portal, since roughly 50 million websites would be vulnerable if said code were “unsafe”.

    I’m pretty sure you can ignore this as a false alarm.

    If they think this is a real issue then it’d be a core issue and would need to be reported as described here https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/

    I think there’s even a bounty for such things, see https://hackerone.com/wordpress?type=team

    • This reply was modified 3 years, 2 months ago by Anonymous User 14808221.
    Thread Starter glaukabazi

    (@glaukabazi)

    This is the code

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Referer: *
    Cookie: privacy_embeds=consent
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Content-Length: 21867
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/92.0.4512.0 Safari/537.36
    Host: *
    Connection: Keep-alive

    action=mec_monthly_view_load_month&apply_sf_date=0&atts[_edit_last]=1&atts[_edit_lock]=16
    26242756:1&atts[author]=&atts[category]=&atts[html-class]=mecwidget%
    20&atts[id]=587&atts[label]=&atts[location]=&atts[organizer]=&atts[rs_page_bg_colo
    r]=&atts[sf-options][agenda][address_search][placeholder]=&atts[sf-options][agenda]
    [address_search][type]=0&atts[sf-options][agenda][category][type]=0&atts[sf-options]
    [agenda][event_cost][type]=0&atts[sf-options][agenda][label][type]=0&atts[sf-options]
    [agenda][location][type]=0&atts[sf-options][agenda][month_filter][type]=0&atts[sf-options][
    agenda][organizer][type]=0&atts[sf-options][agenda][speaker][type]=0&atts[sf-options][
    agenda][tag][type]=0&atts[sf-options][agenda][text_search]
    [placeholder]=&atts[sf-options][agenda][text_search][type]=0&atts[sf-options][agenda]
    [time_filter][type]=0&atts[sf-options][daily_view][address_search][placeholder]=&atts[sf-options][
    daily_view][address_search][type]=0&atts[sf-options][daily_view][category]
    [type]=0&atts[sf-options][daily_view][event_cost][type]=0&atts[sf-options][daily_view]
    [label][type]=0&atts[sf-options][daily_view][location][type]=0&atts[sf-options]
    [daily_view][month_filter][type]=0&atts[sf-options][daily_view][organizer]
    [type]=0&atts[sf-options][daily_view][speaker][type]=0&atts[sf-options][daily_view][tag]
    [type]=0&atts[sf-options][daily_view][text_search][placeholder]=&atts[sf-options]
    [daily_view][text_search][type]=0&atts[sf-options][daily_view][time_filter]
    [type]=0&atts[sf-options][full_calendar][address_search][placeholder]=&atts[sf-options]
    [full_calendar][address_search][type]=0&atts[sf-options][full_calendar][category]
    [type]=0&atts[sf-options][full_calendar][event_cost][type]=0&atts[sf-options]
    [full_calendar][label][type]=0&atts[sf-options][full_calendar][location][type]=0&atts[sf-options][
    full_calendar][month_filter][type]=0&atts[sf-options][full_calendar][organizer]
    [type]=0&atts[sf-options][full_calendar][speaker][type]=0&atts[sf-options][full_calendar]
    [tag][type]=0&atts[sf-options][full_calendar][text_search][placeholder]=&atts[sf-options]
    [full_calendar][text_search][type]=0&atts[sf-options][full_calendar][time_filter]
    [type]=0&atts[sf-options][grid][address_search][placeholder]=&atts[sf-options][grid]
    [address_search][type]=0&atts[sf-options][grid][category][type]=0&atts[sf-options][grid]
    [event_cost][type]=0&atts[sf-options][grid][label][type]=0&atts[sf-options][grid]
    [location][type]=0&atts[sf-options][grid][month_filter][type]=0&atts[sf-options][grid]
    [organizer][type]=0&atts[sf-options][grid][speaker][type]=0&atts[sf-options][grid][tag]
    [type]=0&atts[sf-options][grid][text_search][placeholder]=&atts[sf-options][grid]
    [text_search][type]=0&atts[sf-options][grid][time_filter][type]=0&atts[sf-options][list]
    [address_search][placeholder]=&atts[sf-options][list][address_search][type]=0&atts[sf-options][
    list][category][type]=0&atts[sf-options][list][event_cost][type]=0&atts[sf-options][
    list][label][type]=0&atts[sf-options][list][location][type]=0&atts[sf-options]
    [list][month_filter][type]=0&atts[sf-options][list][organizer][type]=0&atts[sf-options]
    [list][speaker][type]=0&atts[sf-options][list][tag][type]=0&atts[sf-options][list]
    [text_search][placeholder]=&atts[sf-options][list][text_search][type]=0&atts[sf-options]
    [list][time_filter][type]=0&atts[sf-options][map][address_search][placeholder]=&atts[sf-options][
    map][address_search][type]=0&atts[sf-options][map][category][type]=0&atts[sf-options][
    map][event_cost][type]=0&atts[sf-options][map][label][type]=0&atts[sf-options]
    [map][location][type]=0&atts[sf-options][map][month_filter][type]=0&atts[sf-options][map]
    [organizer][type]=0&atts[sf-options][map][speaker][type]=0&atts[sf-options][map][tag]
    [type]=0&atts[sf-options][map][text_search][placeholder]=&atts[sf-options][map]
    [text_search][type]=0&atts[sf-options][monthly_view][address_search]
    [placeholder]=&atts[sf-options][monthly_view][address_search][type]=0&atts[sf-options]
    [monthly_view][category][type]=dropdown&atts[sf-options][monthly_view][event_cost]
    [type]=0&atts[sf-options][monthly_view][label][type]=0&atts[sf-options][monthly_view]
    [location][type]=0&atts[sf-options][monthly_view][month_filter][type]=0&atts[sf-options]
    [monthly_view][organizer][type]=0&atts[sf-options][monthly_view][speaker]
    [type]=0&atts[sf-options][monthly_view][tag][type]=0&atts[sf-options][monthly_view]
    [text_search][placeholder]=&atts[sf-options][monthly_view][text_search]
    [type]=text_input&atts[sf-options][monthly_view][time_filter][type]=0&atts[sf-options]
    [tile][address_search][placeholder]=&atts[sf-options][tile][address_search]
    [type]=0&atts[sf-options][tile][category][type]=0&atts[sf-options][tile][event_cost]
    [type]=0&atts[sf-options][tile][label][type]=0&atts[sf-options][tile][location]
    [type]=0&atts[sf-options][tile][month_filter][type]=0&atts[sf-options][tile][organizer]
    [type]=0&atts[sf-options][tile][speaker][type]=0&atts[sf-options][tile][tag]
    [type]=0&atts[sf-options][tile][text_search][placeholder]=&atts[sf-options][tile]
    [text_search][type]=0&atts[sf-options][tile][time_filter][type]=0&atts[sf-options]
    [timetable][address_search][placeholder]=&atts[sf-options][timetable][address_search]
    [type]=0&atts[sf-options][timetable][category][type]=0&atts[sf-options][timetable]
    [event_cost][type]=0&atts[sf-options][timetable][label][type]=0&atts[sf-options]
    [timetable][location][type]=0&atts[sf-options][timetable][month_filter][type]=0&atts[sf-options][
    timetable][organizer][type]=0&atts[sf-options][timetable][speaker]
    [type]=0&atts[sf-options][timetable][tag][type]=0&atts[sf-options][timetable]
    [text_search][placeholder]=&atts[sf-options][timetable][text_search][type]=0&atts[sf-options][
    timetable][time_filter][type]=0&atts[sf-options][weekly_view][address_search]
    [placeholder]=&atts[sf-options][weekly_view][address_search][type]=0&atts[sf-options]
    [weekly_view][category][type]=0&atts[sf-options][weekly_view][event_cost]
    [type]=0&atts[sf-options][weekly_view][label][type]=0&atts[sf-options][weekly_view]
    [location][type]=0&atts[sf-options][weekly_view][month_filter][type]=0&atts[sf-options]
    [weekly_view][organizer][type]=0&atts[sf-options][weekly_view][speaker][type]=0&atts[sf-options][
    weekly_view][tag][type]=0&atts[sf-options][weekly_view][text_search]
    [placeholder]=&atts[sf-options][weekly_view][text_search][type]=0&atts[sf-options]
    [weekly_view][time_filter][type]=0&atts[sf-options][yearly_view][address_search]
    [placeholder]=&atts[sf-options][yearly_view][address_search][type]=0&atts[sf-options]
    [yearly_view][category][type]=0&atts[sf-options][yearly_view][event_cost]
    [type]=0&atts[sf-options][yearly_view][label][type]=0&atts[sf-options][yearly_view]
    [location][type]=0&atts[sf-options][yearly_view][month_filter][type]=0&atts[sf-options]
    [yearly_view][organizer][type]=0&atts[sf-options][yearly_view][speaker][type]=0&atts[sf-options][
    yearly_view][tag][type]=0&atts[sf-options][yearly_view][text_search]
    [placeholder]=&atts[sf-options][yearly_view][text_search][type]=0&atts[sf-options]
    [yearly_view][time_filter]
    [type]=0&atts[sf_display_label]=0&atts[sf_status]=0&atts[show_ongoing_events]=0&atts[show
    _only_one_occurrence]=0&atts[show_only_ongoing_events]=0&atts[show_only_past_events]=0&at
    ts[show_past_events]=1&atts[sk-options][agenda][clean_date_format1]=l&atts[sk-options]
    [agenda][clean_date_format2]=F%20j&atts[sk-options][agenda][custom_data]=0&atts[sk-options][
    agenda][display_label]=0&atts[sk-options][agenda][end_date_type]=date&atts[sk-options][
    agenda][image_popup]=0&atts[sk-options][agenda][include_local_time]=0&atts[sk-options][
    agenda][limit]=&atts[sk-options][agenda][load_more_button]=1&atts[sk-options]
    [agenda][maximum_date_range]=&atts[sk-options][agenda][month_divider]=0&atts[sk-options]
    [agenda][reason_for_cancellation]=0&atts[sk-options][agenda][sed_method]=0&atts[sk-options][
    agenda][start_date]=&atts[sk-options][agenda][start_date_type]=today&atts[sk-options][
    agenda][style]=clean&atts[sk-options][available_spot][date_format1]=j&atts[sk-options][
    available_spot][date_format2]=F&atts[sk-options][available_spot]
    [display_label]=0&atts[sk-options][available_spot][event_id]=-1&atts[sk-options]
    [available_spot][include_local_time]=0&atts[sk-options][available_spot]
    [reason_for_cancellation]=0&atts[sk-options][carousel][archive_link]=&atts[sk-options]
    [carousel][autoplay]=&atts[sk-options][carousel][autoplay_status]=1&atts[sk-options]
    [carousel][count]=2&atts[sk-options][carousel][custom_data]=0&atts[sk-options][carousel]
    [display_label]=0&atts[sk-options][carousel][head_text]=&atts[sk-options][carousel]
    [image_popup]=0&atts[sk-options][carousel][include_events_times]=0&atts[sk-options]
    [carousel][include_local_time]=0&atts[sk-options][carousel][limit]=&atts[sk-options]
    [carousel][loop_status]=1&atts[sk-options][carousel][reason_for_cancellation]=0&atts[sk-options][
    carousel][sed_method]=0&atts[sk-options][carousel][start_date]=&atts[sk-options]
    [carousel][start_date_type]=today&atts[sk-options][carousel][style]=type1&atts[sk-options][
    carousel][type1_date_format1]=d&atts[sk-options][carousel]
    [type1_date_format2]=F&atts[sk-options][carousel][type1_date_format3]=Y&atts[sk-options]
    [carousel][type2_date_format1]=M%20d%2C%20Y&atts[sk-options][carousel]
    [type3_date_format1]=M%20d%2C%20Y&atts[sk-options][countdown]
    [bg_color]=%23437df9&atts[sk-options][countdown][date_format_style11]=j%20F%20Y&atts[sk-options][
    countdown][date_format_style21]=j%20F%20Y&atts[sk-options][countdown]
    [date_format_style31]=j&atts[sk-options][countdown][date_format_style32]=F&atts[sk-options][
    countdown][date_format_style33]=Y&atts[sk-options][countdown]
    [display_label]=0&atts[sk-options][countdown][event_id]=-1&atts[sk-options][countdown]
    [include_local_time]=0&atts[sk-options][countdown][reason_for_cancellation]=0&atts[sk-options][
    countdown][style]=style1&atts[sk-options][cover]
    [date_format_classic1]=F%20d&atts[sk-options][cover][date_format_classic2]=l&atts[sk-options][
    cover][date_format_clean1]=d&atts[sk-options][cover]
    [date_format_clean2]=M&atts[sk-options][cover][date_format_clean3]=Y&atts[sk-options]
    [cover][date_format_modern1]=l%2C%20F%20d%20Y&atts[sk-options][cover]
    [display_label]=0&atts[sk-options][cover][event_id]=4475&atts[sk-options][cover]
    [include_local_time]=0&atts[sk-options][cover][reason_for_cancellation]=0&atts[sk-options][
    cover][style]=classic&atts[sk-options][daily_view][custom_data]=0&atts[sk-options][
    daily_view][display_categories]=0&atts[sk-options][daily_view]
    [display_label]=0&atts[sk-options][daily_view][display_organizer]=0&atts[sk-options]
    [daily_view][image_popup]=0&atts[sk-options][daily_view][include_local_time]=0&atts[sk-options][
    daily_view][limit]=&atts[sk-options][daily_view]
    [next_previous_button]=1&atts[sk-options][daily_view][reason_for_cancellation]=0&atts[sk-options][
    daily_view][sed_method]=0&atts[sk-options][daily_view][start_date]=&atts[sk-options][
    daily_view][start_date_type]=today&atts[sk-options][full_calendar]
    [activate_current_day]=1&atts[sk-options][full_calendar][activate_first_date]=0&atts[sk-options][
    full_calendar][custom_data]=0&atts[sk-options][full_calendar][daily]=1&atts[sk-options][
    full_calendar][date_format_list]=d%20M&atts[sk-options][full_calendar]
    [date_format_yearly_1]=l&atts[sk-options][full_calendar]
    [date_format_yearly_2]=F%20j&atts[sk-options][full_calendar][default_view]=list&atts[sk-options][
    full_calendar][display_label]=0&atts[sk-options][full_calendar]
    [display_price]=0&atts[sk-options][full_calendar][end_date_type_grid]=date&atts[sk-options][full_calendar][end_date_type_list]=date&atts[sk-options][full_calendar]
    [grid]=0&atts[sk-options][full_calendar][image_popup]=0&atts[sk-options][full_calendar]
    [include_local_time]=0&atts[sk-options][full_calendar][limit]=&atts[sk-options]
    [full_calendar][list]=1&atts[sk-options][full_calendar]
    [maximum_date_range_grid]=&atts[sk-options][full_calendar]
    [maximum_date_range_list]=&atts[sk-options][full_calendar][monthly]=1&atts[sk-options]
    [full_calendar][monthly_style]=clean&atts[sk-options][full_calendar]
    [reason_for_cancellation]=0&atts[sk-options][full_calendar][sed_method]=0&atts[sk-options][
    full_calendar][start_date]=&atts[sk-options][full_calendar]
    [start_date_type]=today&atts[sk-options][full_calendar][tile]=0&atts[sk-options]
    [full_calendar][weekly]=1&atts[sk-options][full_calendar][yearly]=0&atts[sk-options]
    [grid][classic_date_format1]=d%20F%20Y&atts[sk-options][grid]
    [clean_date_format1]=d&atts[sk-options][grid][clean_date_format2]=F&atts[sk-options]
    [grid][colorful_date_format1]=d&atts[sk-options][grid][colorful_date_format2]=F&atts[sk-options][
    grid][colorful_date_format3]=l&atts[sk-options][grid][count]=1&atts[sk-options]
    [grid][custom_data]=0&atts[sk-options][grid][display_categories]=0&atts[sk-options][grid]
    [display_label]=0&atts[sk-options][grid][display_organizer]=0&atts[sk-options][grid]
    [end_date_type]=date&atts[sk-options][grid][image_popup]=0&atts[sk-options][grid]
    [include_events_times]=0&atts[sk-options][grid][include_local_time]=0&atts[sk-options]
    [grid][limit]=&atts[sk-options][grid][load_more_button]=1&atts[sk-options][grid]
    [maximum_date_range]=&atts[sk-options][grid][minimal_date_format1]=d&atts[sk-options]
    [grid][minimal_date_format2]=M&atts[sk-options][grid][modern_date_format1]=d&atts[sk-options][
    grid][modern_date_format2]=F&atts[sk-options][grid]
    [modern_date_format3]=l&atts[sk-options][grid][novel_date_format1]=d%20F%20Y&atts[sk-options][
    grid][reason_for_cancellation]=0&atts[sk-options][grid][sed_method]=0&atts[sk-options][
    grid][set_geolocation]=0&atts[sk-options][grid]
    [set_geolocation_focus]=0&atts[sk-options][grid][simple_date_format1]=M%20d%20Y&atts[sk-options][
    grid][start_date]=&atts[sk-options][grid][start_date_type]=today&atts[sk-options][
    grid][style]=classic&atts[sk-options][list][accordion_date_format1]=d&atts[sk-options][
    list][accordion_date_format2]=F&atts[sk-options][list]
    [classic_date_format1]=M%20d%20Y&atts[sk-options][list][custom_data]=0&atts[sk-options]
    [list][display_categories]=0&atts[sk-options][list][display_label]=0&atts[sk-options]
    [list][display_organizer]=0&atts[sk-options][list][end_date_type]=date&atts[sk-options]
    [list][image_popup]=0&atts[sk-options][list][include_events_times]=0&atts[sk-options]
    [list][include_local_time]=0&atts[sk-options][list][limit]=&atts[sk-options][list]
    [load_more_button]=1&atts[sk-options][list][maximum_date_range]=&atts[sk-options][list]
    [minimal_date_format1]=d&atts[sk-options][list][minimal_date_format2]=M&atts[sk-options]
    [list][minimal_date_format3]=l&atts[sk-options][list][modern_date_format1]=d&atts[sk-options][
    list][modern_date_format2]=F&atts[sk-options][list]
    [modern_date_format3]=l&atts[sk-options][list][month_divider]=1&atts[sk-options][list]
    [reason_for_cancellation]=0&atts[sk-options][list][sed_method]=0&atts[sk-options][list]
    [set_geolocation]=0&atts[sk-options][list][set_geolocation_focus]=0&atts[sk-options]
    [list][standard_date_format1]=d%20M&atts[sk-options][list][start_date]=&atts[sk-options]
    [list][start_date_type]=today&atts[sk-options][list][style]=classic&atts[sk-options]
    [list][toggle_month_divider]=0&atts[sk-options][map][geolocation]=0&atts[sk-options][map]
    [geolocation_focus]=0&atts[sk-options][map][limit]=200&atts[sk-options][map]
    [start_date]=&atts[sk-options][map][start_date_type]=today&atts[sk-options][masonry]
    [custom_data]=0&atts[sk-options][masonry][date_format1]=j&atts[sk-options][masonry]
    [date_format2]=F&atts[sk-options][masonry][display_categories]=0&atts[sk-options]
    [masonry][display_label]=0&atts[sk-options][masonry][display_organizer]=0&atts[sk-options][
    masonry][end_date_type]=date&atts[sk-options][masonry][filter_by]=&atts[sk-options][
    masonry][fit_to_row]=0&atts[sk-options][masonry][image_popup]=0&atts[sk-options]
    [masonry][include_local_time]=0&atts[sk-options][masonry][limit]=&atts[sk-options]
    [masonry][load_more_button]=0&atts[sk-options][masonry][masonry_like_grid]=0&atts[sk-options][
    masonry][maximum_date_range]=&atts[sk-options][masonry]
    [reason_for_cancellation]=0&atts[sk-options][masonry][sed_method]=0&atts[sk-options]
    [masonry][start_date]=&atts[sk-options][masonry][start_date_type]=today&atts[sk-options]
    [monthly_view][activate_current_day]=1&atts[sk-options][monthly_view]
    [activate_first_date]=0&atts[sk-options][monthly_view][custom_data]=0&atts[sk-options]
    [monthly_view][display_all]=0&atts[sk-options][monthly_view][display_label]=0&atts[sk-options][
    monthly_view][image_popup]=0&atts[sk-options][monthly_view]
    [include_local_time]=0&atts[sk-options][monthly_view][limit]=&atts[sk-options]
    [monthly_view][next_previous_button]=1&atts[sk-options][monthly_view]
    [reason_for_cancellation]=0&atts[sk-options][monthly_view]
    [sed_method]=09878();}]9365&atts[sk-options][monthly_view][start_date]=&atts[sk-options]
    [monthly_view][start_date_type]=start_current_month&atts[sk-options][monthly_view]
    [style]=classic&atts[sk-options][slider][autoplay]=&atts[sk-options][slider]
    [custom_data]=0&atts[sk-options][slider][display_label]=0&atts[sk-options][slider]
    [include_local_time]=0&atts[sk-options][slider][limit]=&atts[sk-options][slider]
    [reason_for_cancellation]=0&atts[sk-options][slider][start_date]=&atts[sk-options]
    [slider][start_date_type]=today&atts[sk-options][slider][style]=t1&atts[sk-options]
    [slider][transition_time]=250&atts[sk-options][slider][type1_date_format1]=d&atts[sk-options][
    slider][type1_date_format2]=F&atts[sk-options][slider]
    [type1_date_format3]=l&atts[sk-options][slider][type2_date_format1]=d&atts[sk-options]
    [slider][type2_date_format2]=F&atts[sk-options][slider][type2_date_format3]=l&atts[sk-options][
    slider][type3_date_format1]=d&atts[sk-options][slider]
    [type3_date_format2]=F&atts[sk-options][slider][type3_date_format3]=l&atts[sk-options]
    [slider][type4_date_format1]=d&atts[sk-options][slider][type4_date_format2]=F&atts[sk-options][
    slider][type4_date_format3]=l&atts[sk-options][slider]
    [type5_date_format1]=d&atts[sk-options][slider][type5_date_format2]=F&atts[sk-options]
    [slider][type5_date_format3]=l&atts[sk-options][tile][clean_date_format1]=j&atts[sk-options][
    tile][clean_date_format2]=M&atts[sk-options][tile][count]=4&atts[sk-options]
    [tile][custom_data]=0&atts[sk-options][tile][display_categories]=0&atts[sk-options][tile]
    [display_label]=0&atts[sk-options][tile][display_organizer]=0&atts[sk-options][tile]
    [image_popup]=0&atts[sk-options][tile][limit]=&atts[sk-options][tile]
    [load_more_button]=1&atts[sk-options][tile][next_previous_button]=1&atts[sk-options]
    [tile][reason_for_cancellation]=0&atts[sk-options][tile][sed_method]=0&atts[sk-options]
    [tile][start_date]=&atts[sk-options][tile][start_date_type]=start_current_month&atts[sk-options][
    timeline][classic_date_format1]=d%20F%20Y&atts[sk-options][timeline]
    [custom_data]=0&atts[sk-options][timeline][display_categories]=0&atts[sk-options]
    [timeline][display_label]=0&atts[sk-options][timeline][display_organizer]=0&atts[sk-options][
    timeline][end_date_type]=date&atts[sk-options][timeline][image_popup]=0&atts[sk-options][
    timeline][include_local_time]=0&atts[sk-options][timeline][limit]=&atts[sk-options][
    timeline][load_more_button]=1&atts[sk-options][timeline]
    [maximum_date_range]=&atts[sk-options][timeline][month_divider]=0&atts[sk-options]
    [timeline][reason_for_cancellation]=0&atts[sk-options][timeline][sed_method]=0&atts[sk-options][
    timeline][start_date]=&atts[sk-options][timeline]
    [start_date_type]=today&atts[sk-options][timetable][custom_data]=0&atts[sk-options]
    [timetable][display_label]=0&atts[sk-options][timetable][end_time]=13&atts[sk-options]
    [timetable][image_popup]=0&atts[sk-options][timetable][include_local_time]=0&atts[sk-options][
    timetable][limit]=&atts[sk-options][timetable][next_previous_button]=1&atts[sk-options][
    timetable][number_of_days]=5&atts[sk-options][timetable]
    [number_of_days_modern]=7&atts[sk-options][timetable][reason_for_cancellation]=0&atts[sk-options][
    timetable][sed_method]=0&atts[sk-options][timetable][start_date]=&atts[sk-options][
    timetable][start_date_type]=start_current_week&atts[sk-options][timetable]
    [start_time]=1&atts[sk-options][timetable][style]=modern&atts[sk-options][timetable]
    [week_start]=-1&atts[sk-options][weekly_view][custom_data]=0&atts[sk-options]
    [weekly_view][display_categories]=0&atts[sk-options][weekly_view]
    [display_label]=0&atts[sk-options][weekly_view][display_organizer]=0&atts[sk-options]
    [weekly_view][image_popup]=0&atts[sk-options][weekly_view][include_local_time]=0&atts[sk-options][
    weekly_view][limit]=&atts[sk-options][weekly_view]
    [next_previous_button]=1&atts[sk-options][weekly_view]
    [reason_for_cancellation]=0&atts[sk-options][weekly_view][sed_method]=0&atts[sk-options]
    [weekly_view][start_date]=&atts[sk-options][weekly_view]
    [start_date_type]=start_current_week&atts[sk-options][yearly_view]
    [custom_data]=0&atts[sk-options][yearly_view][display_label]=0&atts[sk-options]
    [yearly_view][image_popup]=0&atts[sk-options][yearly_view][include_local_time]=0&atts[sk-options][
    yearly_view][limit]=&atts[sk-options][yearly_view]
    [modern_date_format1]=l&atts[sk-options][yearly_view][modern_date_format2]=F%20j&atts[sk-options][
    yearly_view][months][1]=1&atts[sk-options][yearly_view][months][10]=1&atts[sk-options][
    yearly_view][months][11]=1&atts[sk-options][yearly_view][months][12]=1&atts[sk-options][
    yearly_view][months][2]=1&atts[sk-options][yearly_view][months][3]=1&atts[sk-options][yearly_view][months][4]=1&atts[sk-options][yearly_view][months][5]=1&atts[sk-options][
    yearly_view][months][6]=1&atts[sk-options][yearly_view][months][7]=1&atts[sk-options][
    yearly_view][months][8]=1&atts[sk-options][yearly_view][months][9]=1&atts[sk-options][
    yearly_view][next_previous_button]=1&atts[sk-options][yearly_view]
    [reason_for_cancellation]=0&atts[sk-options][yearly_view][sed_method]=0&atts[sk-options]
    [yearly_view][start_date]=&atts[sk-options][yearly_view]
    [start_date_type]=start_current_year&atts[sk-options][yearly_view]
    [style]=modern&atts[skin]=monthly_view&atts[style]=classic&atts[tag]=&atts[widget]=1&atts
    [widget_autoplay]=1&atts[widget_autoplay_time]=3000&atts[widget_loop]=1&mec_month=07&mec_
    year=2021&navigator_click=true
    Anonymous User 14808221

    (@anonymized-14808221)

    Interestingly enough, that action parameter is part of this: https://git.bksp.space/BlackSponge/event-scraper/src/branch/master/src/main.rs

    But it certainly has nothing to do with WordPress, and is unrelated to the report you sent prior.

    That prior report, if anything, needs to be reported at the place I mentioned earlier.
    The last “code” you shared (that is not really code, it is just the query parameters) is not part of WordPress at all, and is likely part of either custom code, a plugin or a theme.

    Thus in that case you have to reach out to the specific plugin or theme that produces that query.
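    The alert's recommendation ("context-dependent encoding and/or validation") is what the plugin or theme handler behind `mec_monthly_view_load_month` would need. The sketch below is an added example, not code from this thread, from WordPress core or from the plugin that builds the request; the variable name `mec.sedMethod`, the allowlist values and the handler shape are assumptions. It shows the reflected-into-`<script>` pattern the scanner flagged beside a hardened version, plus a defender-side check that mirrors the scanner's own test.

```php
<?php
// Added example: how atts[sk-options][monthly_view][sed_method] should be
// treated before it lands inside an inline <script> block. Not the plugin's
// or WordPress core's code; mec.sedMethod and the allowlist are assumptions.

// Shim so the file runs outside WordPress; inside WordPress the real
// wp_json_encode() is used instead.
if ( ! function_exists( 'wp_json_encode' ) ) {
	function wp_json_encode( $data, $options = 0, $depth = 512 ) {
		return json_encode( $data, $options, $depth );
	}
}

// Hypothetical allowlist: the values this option is actually allowed to take.
const SED_METHOD_ALLOWED = array( '0', '1' );

function get_sed_method( array $atts ) {
	return isset( $atts['sk-options']['monthly_view']['sed_method'] )
		? $atts['sk-options']['monthly_view']['sed_method']
		: '0';
}

// Vulnerable pattern: the attribute is concatenated into JavaScript source as
// if it were a number. The scanner's probe value 09878();}]9365 then becomes
// part of the script's syntax instead of data, which is what the alert reports.
function render_vulnerable( array $atts ) {
	return '<script>mec.sedMethod = ' . get_sed_method( $atts ) . ';</script>';
}

// Hardened: reject anything outside the allowlist, fall back to the default,
// and let wp_json_encode() build the JavaScript literal. json_encode() escapes
// quotes, backslashes, control characters and "/" (so "</script>" becomes
// "<\/script>"), which is the encoding the <script> context needs.
function sanitize_sed_method( $raw ) {
	$raw = is_scalar( $raw ) ? (string) $raw : '';
	return in_array( $raw, SED_METHOD_ALLOWED, true ) ? $raw : '0';
}

function render_hardened( array $atts ) {
	$method = sanitize_sed_method( get_sed_method( $atts ) );
	return '<script>mec.sedMethod = ' . wp_json_encode( $method ) . ';</script>';
}

// Defender-side check mirroring the scanner heuristic: does the probe value
// appear verbatim inside a <script> block of the response? Useful as a
// regression test once the handler is fixed.
function probe_reflected_in_script( $html, $probe ) {
	if ( ! preg_match_all( '#<script\b[^>]*>(.*?)</script>#is', $html, $m ) ) {
		return false;
	}
	foreach ( $m[1] as $script_body ) {
		if ( strpos( $script_body, $probe ) !== false ) {
			return true;
		}
	}
	return false;
}

// Constructed request, reduced to the one option the alert names and
// carrying the probe value quoted in the thread.
$probe = '09878();}]9365';
$atts  = array( 'sk-options' => array( 'monthly_view' => array( 'sed_method' => $probe ) ) );

$renderings = array(
	'vulnerable' => render_vulnerable( $atts ),
	'hardened'   => render_hardened( $atts ),
);
foreach ( $renderings as $label => $html ) {
	printf(
		"%-10s reflected=%s  %s\n",
		$label,
		probe_reflected_in_script( $html, $probe ) ? 'yes' : 'no',
		$html
	);
}
```

    Run with `php` on the command line: the vulnerable rendering reports the probe as reflected, the hardened one does not and emits the default value as a JSON string literal.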

  • The topic ‘Cross site scripting (XSS) adminajax.php’ is closed to new replies.