WordPress WP-Instance-Rename 1.0 File Download

28 June 2015 - Source: http://www.mondounix.com
Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete WordPress installation. This plugin allows you to rename WordPress database, WordPress directory, change every necessary configuration file, easily from one page.
Vulnerability:
The code in mysqldump_download.php doesn't check that the requested file is within the intended download directory:
 
try{
  $dbname   = $_GET["dbname"];
  $dumpfname...

Read more »
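One way to add the containment check the advisory says is missing, as an added example rather than the plugin's own code: the dump directory, the request parameter and the fixture file are assumptions, and the check is plain PHP so it runs from the command line without WordPress.

```php
<?php
// Added example (not the plugin's code). Confines a requested dump file to one
// fixed directory. The directory layout and the request parameter are assumptions.
declare(strict_types=1);

/**
 * Returns the canonical path of $requested inside $baseDir, or null if the
 * request names anything outside that directory (traversal, absolute path,
 * symlink escape) or something that is not a regular file.
 */
function safe_download_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Accept a bare file name only: no directory separators, no NUL byte.
    if ($requested === '' || basename($requested) !== $requested
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has resolved ".." and symlinks on both sides, so a prefix test is sound.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed fixture: a throwaway dump directory holding one dump file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dumps_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'site.sql', "-- constructed dump\n");
try {
    expect(safe_download_path($dir, 'site.sql') !== null, 'file inside the directory is served');
    expect(safe_download_path($dir, '../../etc/passwd') === null, 'traversal is refused');
    expect(safe_download_path($dir, '/etc/passwd') === null, 'absolute path is refused');
    expect(safe_download_path($dir, '..') === null, 'parent directory is refused');
    expect(safe_download_path($dir, 'missing.sql') === null, 'unknown file is refused');
    echo "all checks passed\n";
} finally {
    unlink($dir . DIRECTORY_SEPARATOR . 'site.sql');
    rmdir($dir);
}
```

The order matters: realpath() runs on both the base directory and the candidate before the prefix comparison, otherwise a symlink inside the dump directory or a ".." sequence defeats a plain string test. Rejecting anything that is not a bare file name up front also keeps the failure path uniform, so the caller never learns whether a path outside the directory exists.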

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

28 June 2015 - Source: http://www.mondounix.com
Wordpress “Nextend Twitter Connect”
===================================

Document Title:
===============
WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)

Download URL:
=============
https://wordpress.org/plugins/nextend-twitter-connect/

Release Date:
=============
2015-06-20

Vulnerability CVE ID:
=====================
CVE-2015-4557

Vulnerability Disclosure Timeline:
==================================
2015-06-15 First notified to WordPress.
2015-06-15 First notified to plugin vendor.
2015-06-15 First notified to Mitre for CVE number.
2015-06-16 Vendor published update...

Read more »

WordPress Revslider 4.2.2 XSS / Information Disclosure

24 June 2015 - Source: http://www.mondounix.com
| # Title    : WordPress Revslider 4.2.2 Multi Vulnerability
| # Author   : indoushka
| # email    : indoushka4ever@gmail.com
| # Dork     : inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
| # Tested on: windows 8.1 Français V.(Pro)
| # Download : http://revolution.themepunch.com/
=======================================
 
XSS :
 
http://www.codekom.com//wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka..Give%20me%20your%20wp-config.php
 
information...

Read more »

WordPress Google Analyticator 6.4.9.3 CSRF

24 June 2015 - Source: http://www.mondounix.com
# Title: Cross-Site Request Forgery in Google Analyticator Wordpress Plugin v6.4.9.3 before rev @1183563
# Submitter: Nitin Venkatesh
# Product: Google Analyticator Wordpress Plugin
# Product URL: https://wordpress.org/plugins/google-analyticator/
# Vulnerability Type: Cross-Site Request Forgery [CWE-352]
# Affected Versions: v6.4.9.3 before rev @1183563 and possibly earlier
# Tested versions: v6.4.9.3 rev @1168849
# Fixed Version: v6.4.9.3 rev @1183563
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1183563/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
Google Analyticator makes it super easy to view Google Analytics within your WordPress dashboard. This eliminates the need to edit your...

Read more »

WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection

19 June 2015 - Source: http://www.mondounix.com
# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
 
 Vulnerabilities (2)
=====================
 
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
 
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]."...

Read more »
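Added example (not NewStatPress code) of how the same three-slot search filter can be built without letting the request choose SQL: the column name comes from a fixed allow-list, because identifiers cannot be bound as parameters, and the search value is bound through a placeholder instead of being concatenated. The table, its column names and the in-memory SQLite fixture are assumptions; in WordPress the value would be bound through $wpdb->prepare() with the same allow-list in front of the column name.

```php
<?php
// Added example, not code from the plugin. Builds the three-slot search
// filter with an allow-listed column and a bound value. Table and column
// names are assumptions; the data is a constructed fixture.
declare(strict_types=1);

const ALLOWED_WHERE = ['ip', 'urlrequested', 'agent', 'referrer'];

/**
 * Returns [sql_fragment, params] for the what1/where1 .. what3/where3 slots.
 * Column names are checked against ALLOWED_WHERE (identifiers cannot be
 * bound); values go into named placeholders and are never concatenated.
 */
function build_search_where(array $get): array
{
    $sql = '';
    $params = [];
    for ($i = 1; $i <= 3; $i++) {
        $what  = (string) ($get["what$i"]  ?? '');
        $where = (string) ($get["where$i"] ?? '');
        if ($what === '' || $where === '') {
            continue;
        }
        if (!in_array($where, ALLOWED_WHERE, true)) {
            throw new InvalidArgumentException("unknown search column: $where");
        }
        $sql .= " AND $where LIKE :v$i";
        $params[":v$i"] = '%' . $what . '%';
    }
    return [$sql, $params];
}

function run_search(PDO $db, array $get): array
{
    [$fragment, $params] = build_search_where($get);
    $stmt = $db->prepare('SELECT id, ip, urlrequested FROM visits WHERE 1=1' . $fragment);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, ip TEXT, urlrequested TEXT, agent TEXT, referrer TEXT)');
$db->exec("INSERT INTO visits (ip, urlrequested, agent, referrer) VALUES
    ('10.0.0.5', '/wp-login.php', 'curl/7.0', ''),
    ('10.0.0.9', '/about', 'Mozilla/5.0', 'https://example.test/')");

// Legitimate search: the value slot may contain anything, it is only data.
$rows = run_search($db, ['what1' => "wp-login' OR '1'='1", 'where1' => 'urlrequested']);
printf("%d row(s) match the literal search string\n", count($rows));
$rows = run_search($db, ['what1' => 'wp-login', 'where1' => 'urlrequested']);
printf("%d row(s) match wp-login\n", count($rows));

// An injection attempt through the column slot is refused before any SQL exists.
try {
    run_search($db, ['what1' => 'x', 'where1' => 'agent UNION SELECT 1,2,3']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first search shows why binding the value is enough for the what slot: a quote-laden string simply fails to match. The where slot is different in kind, since a column name has to appear in the statement text, which is why it gets an allow-list rather than escaping.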

WordPress WP Photo Album Plus 6.1.2 Cross Site Scripting

19 June 2015 - Source: http://www.mondounix.com
Advisory ID: HTB23257
Product: WP Photo Album Plus WordPress Plugin
Vendor: J.N. Breetvelt
Vulnerable Version(s): 6.1.2 and probably prior
Tested Version: 6.1.2
Advisory Publication:  April 29, 2015  [without technical details]
Vendor Notification: April 29, 2015 
Vendor Patch: April 29, 2015 
Public Disclosure: May 20, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3647
Risk Level: Medium 
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech...

Read more »

WordPress Encrypted Contact Form 1.0.4 CSRF / XSS

19 June 2015 - Source: http://www.mondounix.com
# Title: Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4
# Submitter: Nitin Venkatesh
# Product: Encrypted Contact Form Wordpress Plugin
# Product URL: https://wordpress.org/plugins/encrypted-contact-form/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site Scripting [CWE-79]
# Affected Versions: v1.0.4 and possibly below.
# Tested versions: v1.0.4
# Fixed Version: v1.1
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1125443/
# Changelog: https://wordpress.org/plugins/encrypted-contact-form/changelog/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
Secure contact form for WordPress. Uses end-to-end encryption to...

Read more »

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

19 June 2015 - Source: http://www.mondounix.com
Description

"media-file-manager-advanced" suffers from executing administrator actions by any authenticated user due to weak permissions checking.
An attacker can delete or update posts, create, remove and list directories, move, rename and delete files, and perform blind SQL injection and cross-site scripting.

Homepage

https://wordpress.org/plugins/media-file-manager-advanced/

Affected Version

<= 1.1.5

Vulnerability Scope

LFD, SQL, XSS, site ruining and changing of content.

Authorization Required

User
Proof of Concept
 
 
Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17
 
MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER
 
folder...

Read more »

WordPress Booking Calendar Contact Form 1.0.2 XSS / SQL Injection

19 June 2015 - Source: http://www.mondounix.com
# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2 [Multiple vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of /wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.

============================================
* Authenticated SQL injection
============================================

========================
Description
========================

In a site that...

Read more »

WordPress Yet Another Related Posts 4.2.4 CSRF / XSS / Code Execution

19 June 2015 - Source: http://www.mondounix.com
Homepage

https://wordpress.org/plugins/yet-another-related-posts-plugin/

Affected Versions

<= 4.2.4

Description

'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection, which an attacker may exploit by tricking the website's administrator into visiting a malformed page that changes YARPP options. Since some options allow HTML, the attacker is able to inject malformed JavaScript code, which can lead to *code execution/administrator actions* when the injected code is triggered by an admin user. The injected JavaScript code is triggered on any post page.

Vulnerability Scope

XSS
RCE ( http://research.evex.pw/?vuln=14 )

Authorization Required

None

Proof of Concept

<body onload="document.getElementById('payload_form').submit()"...

Read more »
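Added example, not code from either plugin, serving both the Media File Manager Advanced entry above (admin actions reachable by any authenticated user) and this YARPP entry (options updated without a nonce, then rendered with HTML on every post page): a plain-PHP option-update handler that checks capability first, then a per-session action token, then neutralises the HTML-bearing value before storing it. The secret, the session layout, the capability name and the option name are assumptions. In WordPress the same three checks are current_user_can('manage_options'), check_admin_referer() or wp_verify_nonce(), and wp_kses_post() where limited markup has to survive.

```php
<?php
// Added example (not code from either plugin). A privileged option-update
// handler with the three checks the two advisories call for: capability,
// anti-CSRF token, and sanitising of an option that ends up in page HTML.
// SERVER_SECRET, the session array layout, the capability name and the
// option name are assumptions made for this example.
declare(strict_types=1);

const SERVER_SECRET = 'constructed-secret-replace-in-production';

/** Token bound to one session and one action, in the spirit of a WordPress nonce. */
function make_token(string $sessionId, string $action): string
{
    return hash_hmac('sha256', $sessionId . '|' . $action, SERVER_SECRET);
}

function verify_token(string $sessionId, string $action, string $given): bool
{
    return hash_equals(make_token($sessionId, $action), $given);
}

/**
 * Handles a POST that updates plugin options. Returns an HTTP-style status:
 * 403 when the caller lacks the capability or the request did not come from
 * our own form, 200 once the option has been stored.
 */
function handle_update_options(array $session, array $post, array &$options): int
{
    // 1. Authorization: being logged in is not enough; the user needs the admin
    //    capability. A login-only check is what exposed the file-manager actions.
    if (!in_array('manage_options', $session['caps'] ?? [], true)) {
        return 403;
    }
    // 2. Anti-CSRF: an attacker's page cannot know this session's token, so an
    //    auto-submitting form is refused even though the admin's browser sent it.
    $given = (string) ($post['_token'] ?? '');
    if ($given === '' || !verify_token($session['id'], 'update_options', $given)) {
        return 403;
    }
    // 3. Input: the option is printed into post pages, so store it as text.
    //    Where limited markup must be allowed, use an allow-list sanitiser instead.
    $options['related_header'] = htmlspecialchars(
        (string) ($post['related_header'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8'
    );
    return 200;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sessions and requests.
$admin      = ['id' => 'sess-admin-1', 'caps' => ['read', 'manage_options']];
$subscriber = ['id' => 'sess-sub-1',   'caps' => ['read']];
$options    = ['related_header' => 'Related posts'];

// Forged form submitted by the logged-in admin's browser: no token.
$forged = ['related_header' => '<script>alert(1)</script>'];
expect(handle_update_options($admin, $forged, $options) === 403, 'forged request is refused');
expect($options['related_header'] === 'Related posts', 'option untouched after forged request');

// Subscriber holding a valid token for their own session: still no capability.
$subPost = ['_token' => make_token($subscriber['id'], 'update_options'), 'related_header' => 'x'];
expect(handle_update_options($subscriber, $subPost, $options) === 403, 'subscriber is refused');

// The admin's own form: valid token, and the markup is neutralised on save.
$adminPost = ['_token' => make_token($admin['id'], 'update_options'),
              'related_header' => '<script>alert(1)</script>'];
expect(handle_update_options($admin, $adminPost, $options) === 200, 'admin update accepted');
expect(strpos($options['related_header'], '<') === false, 'stored option contains no raw tags');
echo "all checks passed\n";
```

The capability check and the token check are independent, and the two constructed cases show why both are needed: the subscriber can obtain a perfectly valid token for their own session and is still refused, while the forged-form case has an administrator whose browser sends the request but whose token the attacker's page could not produce. Dropping either check reopens one of the two advisories.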