WordPress YouTube Embed plugin Stored XSS

27 August 2015 - Source: http://www.mondounix.com
 
Details
================
Software: YouTube Embed
Version: 3.3.2
Homepage: https://wordpress.org/plugins/youtube-embed/
CVE ID: CVE-2015-6535 (Pending)
CWE ID: CWE-79
CVSS: 5.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:N)
 
Description
================
A stored XSS vulnerability in YouTube Embed 3.3.2 (and possibly earlier versions) allows admin users to compromise 
other admins and super admins.  
 
YouTube Embed is a WordPress plugin with over 30,000 active installs.
 
Vulnerability
================
Admins on multisite installs can inject arbitrary JavaScript into pages visible to super admins via the plugin's 
unsanitized profile name field. 
 
Note: Admins on multisite installs lack the unfiltered_html...


WordPress Paid Memberships Pro 1.8.4.2 Cross Site Scripting

14 August 2015 - Source: http://www.mondounix.com
Advisory ID: HTB23264
Product: Paid Memberships Pro WordPress plugin
Vendor: Stranger Studios 
Vulnerable Version(s): 1.8.4.2 and probably prior
Tested Version: 1.8.4.2
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015 
Vendor Patch: July 8, 2015 
Public Disclosure: July 22, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-5532
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory...


WordPress Download Manager Free 2.7.94 / Pro 4 XSS

14 August 2015 - Source: http://www.mondounix.com
# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
 
# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2
 
# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177
 
-- Description --
 
This stored XSS vulnerability allows any authenticated WordPress user
to inject malicious code via the name of the uploaded file:
e.g. <svg onload=alert(0)>.jpg
 
The vulnerability exists because the file name is not properly sanitized
and this can lead to malicious code...


WordPress Plotly 1.0.2 Cross Site Scripting

16 July 2015 - Source: http://www.mondounix.com
Details
================
Software: Plotly
Version: 1.0.2
Homepage: http://wordpress.org/plugins/wp-plotly/
Advisory report: https://security.dxw.com/advisories/stored-xss-in-plotly-allows-less-privileged-users-to-insert-arbitrary-javascript-into-posts/
CVE: CVE-2015-5484
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Description
================
Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts
 
Vulnerability
================
This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages which gets executed by the browsers of other users.
On single sites, only Administrators have the unfiltered_html capability, and on multisite,...


WordPress Floating Social Bar 1.1.5 Cross Site Scripting

16 July 2015 - Source: http://www.mondounix.com
# Exploit Title: Floating Social Bar 1.1.5 XSS
# Date: 09-01-2015
# Software Link: https://wordpress.org/plugins/floating-social-bar/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
 
Everyone can access save_order().
 
File: floating-social-bar\class-floating-social-bar.php
 
add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );
 
$_REQUEST['items'] is not escaped.
 
http://security.szurek.pl/floating-social-bar-115-xss.html
 
2. Proof of Concept
 
http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="><script>alert("XSS");</script>
 
XSS...


WordPress Twenty Fifteen 4.2.1 Cross Site Scripting

13 July 2015 - Source: http://www.mondounix.com
Information
--------------------
Advisory by Netsparker.
Name: DOM XSS Vulnerability in Twenty Fifteen WordPress Theme
Affected Software : WordPress
Affected Versions: 4.2.1 and probably below
Vendor Homepage : https://wordpress.org/ and
https://wordpress.org/themes/twentyfifteen/
Vulnerability Type : DOM based Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-3429
Netsparker Advisory Reference : NS-15-007
 
Description
--------------------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the...


WordPress PictoBrowser 0.3.1 CSRF / XSS

13 July 2015 - Source: http://www.mondounix.com
**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in PictoBrowser WordPress Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9392
# Plugin Homepage: https://wordpress.org/plugins/pictobrowser-gallery/
# Version Affected: 0.3.1 (probably lower versions)
# Severity: High 
 
# Description: 
Vulnerable Parameter: all text boxes, to name one - pictoBrowserFlickrUser
Vulnerability Class: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) 
 
# About Vulnerability:  This plugin is vulnerable to a combination of CSRF/XSS attack meaning...


WordPress GD bbPress Attachments 2.1 Cross Site Scripting

13 July 2015 - Source: http://www.mondounix.com
Details
================
Software: GD bbPress Attachments
Version: 2.1
Homepage: http://wordpress.org/plugins/gd-bbpress-attachments/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-gd-bbpress-attachments-allows-an-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
 
Description
================
Reflected XSS in GD bbPress Attachments allows an attacker to do almost anything an admin can
 
Vulnerability
================
This plugin outputs the value of $_GET['tab'] without escaping (see forms/panels.php lines 3 and 39). An attacker could easily construct a URL which performs virtually any action an admin is able to perform, including...


WordPress CP Contact Form With Paypal 1.1.5 CSRF / XSS / SQL Injection

13 July 2015 - Source: http://www.mondounix.com
# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection
in CP Contact Form with Paypal Wordpress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal Wordpress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site
scripting[CWE-79], Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection')[CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff:
https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog:
https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
#...


WordPress Vulcan Theme XSS / Disclosure/ DoS

13 July 2015 - Source: http://www.mondounix.com
-------------------------
Affected products:
-------------------------
 
All versions of the Vulcan theme for WordPress are vulnerable (in the latest versions 
only the vulnerabilities in TimThumb were fixed, but FPD in other php files 
remains).
 
Since TimThumb version 2.8 all vulnerabilities are fixed (in timthumb.php). 
But the AoF and DoS holes are fixed by disabling external hosts by default. If 
the settings are changed (to allow individual or all external hosts), which the 
software permits, then it's possible to conduct attacks on other sites, 
e.g. using DAVOSET.
 
WAF bypass:
 
At many sites an unfixed version of TimThumb in the theme is used, but they protect 
themselves using a WAF (such as ModSecurity)....
