WordPress Plotly 1.0.2 Cross Site Scripting

16 July 2015 - Source: http://www.mondounix.com
Details
================
Software: Plotly
Version: 1.0.2
Homepage: http://wordpress.org/plugins/wp-plotly/
Advisory report: https://security.dxw.com/advisories/stored-xss-in-plotly-allows-less-privileged-users-to-insert-arbitrary-javascript-into-posts/
CVE: CVE-2015-5484
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Description
================
Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts
 
Vulnerability
================
This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages which gets executed by the browsers of other users.
On single sites, only Administrators have the unfiltered_html capability, and on multisite,...
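How a shortcode attribute becomes stored XSS for a user without the unfiltered_html capability, as an added PHP example that is not the Plotly plugin's code. kses strips tags and event attributes from post content saved by such users, but the text inside a shortcode's attributes is not a tag and passes through, and a plugin's own rendered output is never filtered, so the shortcode handler's escaping is the only defence. The [demo_chart] shortcode, its attributes and the drawChart() function are assumptions made for illustration; a WordPress runtime is assumed.

```php
<?php
// Added example, not code from the Plotly plugin. [demo_chart], its
// attributes and drawChart() are hypothetical. Assumes a WordPress runtime.

// --- Vulnerable shape ---------------------------------------------------
// Attribute text is pasted into an HTML attribute and into a <script> string.
// A Contributor can save either of these in a post body:
//   [demo_chart_v title='" onmouseover="alert(1)']   -> injects an HTML attribute
//   [demo_chart_v title='";alert(1);//']              -> leaves the JS string
// Neither contains a tag, so kses leaves them intact on save.
add_shortcode( 'demo_chart_v', 'demo_chart_vulnerable' );
function demo_chart_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'id' => 'chart1', 'title' => '' ), $atts, 'demo_chart_v' );
    return '<div id="' . $a['id'] . '" title="' . $a['title'] . '"></div>'
         . '<script>drawChart("' . $a['id'] . '", "' . $a['title'] . '");</script>';
}

// --- Hardened version ---------------------------------------------------
// One escaper per output context; no raw attribute value reaches the page.
add_shortcode( 'demo_chart', 'demo_chart_hardened' );
function demo_chart_hardened( $atts ) {
    $a = shortcode_atts( array( 'id' => 'chart1', 'title' => '' ), $atts, 'demo_chart' );

    // Element id: keep only [A-Za-z0-9_-]; fall back to a fixed id if nothing is left.
    $id    = sanitize_html_class( $a['id'], 'chart1' );
    // Free text: strip tags, line breaks and stray octets before it is used anywhere.
    $title = sanitize_text_field( $a['title'] );

    // HTML attribute context.
    $html = '<div id="' . esc_attr( $id ) . '" title="' . esc_attr( $title ) . '"></div>';

    // JavaScript context: emit JSON string literals. json_encode already escapes
    // quotes and backslashes; the JSON_HEX_* flags additionally hex-encode
    // " ' < > & so the value can close neither the JS string nor <script>.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $html .= '<script>drawChart(' . wp_json_encode( $id, $flags ) . ', '
           . wp_json_encode( $title, $flags ) . ');</script>';
    return $html;
}
```

The point the advisory makes is about privilege, not markup: on a single site only Administrators hold unfiltered_html, so any shortcode that echoes attribute text unescaped hands Contributors and Authors the same ability to run script in other users' browsers.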

WordPress Floating Social Bar 1.1.5 Cross Site Scripting

16 July 2015 - Source: http://www.mondounix.com
# Exploit Title: Floating Social Bar 1.1.5 XSS
# Date: 09-01-2015
# Software Link: https://wordpress.org/plugins/floating-social-bar/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
 
Everyone can access save_order().
 
File: floating-social-bar\class-floating-social-bar.php
 
add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );
 
$_REQUEST['items'] is not escaped.
 
http://security.szurek.pl/floating-social-bar-115-xss.html
 
2. Proof of Concept
 
http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="><script>alert("XSS");</script>
 
XSS...
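The pattern behind this advisory (an admin-ajax action registered with wp_ajax_nopriv_ that echoes $_REQUEST['items'] without escaping) beside a hardened handler, as an added PHP example that is not the Floating Social Bar plugin's code. The fsb_demo_* names, the 'nonce' request field and the whitelist of service slugs are assumptions; a WordPress runtime is assumed.

```php
<?php
// Added example, not code from the Floating Social Bar plugin. The fsb_demo_*
// names, the 'nonce' field and the slug whitelist are hypothetical.
// Assumes a WordPress runtime.

// --- Vulnerable shape ---------------------------------------------------
// wp_ajax_nopriv_{action} runs for visitors who are not logged in, so anyone
// can request admin-ajax.php?action=fsb_demo_save_order: no nonce, no
// capability check, and 'items' is echoed verbatim into the response.
add_action( 'wp_ajax_nopriv_fsb_demo_save_order', 'fsb_demo_save_order_vulnerable' );
function fsb_demo_save_order_vulnerable() {
    $items = isset( $_REQUEST['items'] ) ? (array) $_REQUEST['items'] : array();
    foreach ( $items as $pos => $name ) {
        // items[1]="><script>alert("XSS");</script> arrives here unchanged.
        echo '<li data-pos="' . $pos . '">' . $name . '</li>';
    }
    wp_die();
}

// --- Hardened version ---------------------------------------------------
// 1. Hook only wp_ajax_{action} (logged-in users); drop the nopriv hook.
// 2. Verify a nonce bound to this action (CSRF).
// 3. Require the capability the action actually needs.
// 4. Reduce input to a known set of values before storing it.
// 5. Escape on output for the HTML context the value is placed in.
add_action( 'wp_ajax_fsb_demo_save_order', 'fsb_demo_save_order_hardened' );
function fsb_demo_save_order_hardened() {
    check_ajax_referer( 'fsb_demo_save_order', 'nonce' ); // dies (-1 / 403) on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $allowed = array( 'facebook', 'twitter', 'linkedin', 'pinterest' ); // hypothetical slugs
    $raw     = isset( $_POST['items'] ) ? (array) wp_unslash( $_POST['items'] ) : array();
    $clean   = array();
    foreach ( $raw as $pos => $name ) {
        $name = sanitize_key( (string) $name ); // lowercase, [a-z0-9_-] only
        if ( in_array( $name, $allowed, true ) ) {
            $clean[ absint( $pos ) ] = $name;
        }
    }
    update_option( 'fsb_demo_order', $clean );

    // Escape even whitelisted values: the output context, not the input
    // source, decides which escaper is required.
    $html = '';
    foreach ( $clean as $pos => $name ) {
        $html .= sprintf( '<li data-pos="%d">%s</li>', $pos, esc_html( $name ) );
    }
    wp_send_json_success( array( 'html' => $html ) );
}
```

The page-side script must send a nonce created with wp_create_nonce( 'fsb_demo_save_order' ) (typically handed over via wp_localize_script) as the nonce field. With the nopriv hook gone, the proof-of-concept URL above no longer reaches any handler; admin-ajax.php answers an unmatched action with 0 and the payload is never written to the response.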

WordPress Twenty Fifteen 4.2.1 Cross Site Scripting

13 July 2015 - Source: http://www.mondounix.com
Information
--------------------
Advisory by Netsparker.
Name: DOM XSS Vulnerability in Twenty Fifteen WordPress Theme
Affected Software: WordPress
Affected Versions: 4.2.1 and probably below
Vendor Homepage: https://wordpress.org/ and https://wordpress.org/themes/twentyfifteen/
Vulnerability Type: DOM based Cross-site Scripting
Severity: Important
CVE-ID: CVE-2015-3429
Netsparker Advisory Reference: NS-15-007
 
Description
--------------------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the...

WordPress PictoBrowser 0.3.1 CSRF / XSS

13 July 2015 - Source: http://www.mondounix.com
**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in PictoBrowser WordPress Plugin
# Author: Manideep K
# CVE-ID: CVE-2014-9392
# Plugin Homepage: https://wordpress.org/plugins/pictobrowser-gallery/
# Version Affected: 0.3.1 (probably lower versions)
# Severity: High
 
# Description: 
Vulnerable Parameter: all text boxes, to name one - pictoBrowserFlickrUser
Vulnerability Class: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) 
 
# About Vulnerability:  This plugin is vulnerable to a combination of CSRF/XSS attack meaning...

WordPress GD bbPress Attachments 2.1 Cross Site Scripting

13 July 2015 - Source: http://www.mondounix.com
Details
================
Software: GD bbPress Attachments
Version: 2.1
Homepage: http://wordpress.org/plugins/gd-bbpress-attachments/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-gd-bbpress-attachments-allows-an-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
 
Description
================
Reflected XSS in GD bbPress Attachments allows an attacker to do almost anything an admin can
 
Vulnerability
================
This plugin outputs the value of $_GET['tab'] without escaping (see forms/panels.php lines 3 and 39). An attacker could easily construct a URL which performs virtually any action an admin is able to perform, including...

WordPress CP Contact Form With Paypal 1.1.5 CSRF / XSS / SQL Injection

13 July 2015 - Source: http://www.mondounix.com
# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection in CP Contact Form with Paypal WordPress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal WordPress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site Scripting [CWE-79], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff: https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog: https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
#...

WordPress Vulcan Theme XSS / Disclosure/ DoS

13 July 2015 - Source: http://www.mondounix.com
-------------------------
Affected products:
-------------------------
 
Vulnerable are all versions of the Vulcan theme for WordPress (in the last
versions only the vulnerabilities in TimThumb were fixed, but there is still FPD
in other php files).
 
Since TimThumb version 2.8 all vulnerabilities are fixed (in timthumb.php).
But the AoF and DoS holes are fixed by disabling external hosts by default. If
the settings are changed (to allow individual or all external hosts), which the
software permits, then it's possible to conduct attacks on other sites, e.g.
using DAVOSET.
 
WAF bypass:
 
At many sites an unfixed version of TimThumb in the theme is used, but they
protect themselves using a WAF (such as ModSecurity)....

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

28 June 2015 - Source: http://www.mondounix.com
WordPress "Nextend Twitter Connect"
===================================
Document Title:
===============
WordPress "Nextend Twitter Connect" Plugin Version 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)
 
Download URL:
=============
https://wordpress.org/plugins/nextend-twitter-connect/
 
Release Date:
=============
2015-06-20
 
Vulnerability CVE ID:
=====================
CVE-2015-4557
 
Vulnerability Disclosure Timeline:
==================================
2015-06-15 First notified to WordPress.
2015-06-15 First notified to plugin vendor.
2015-06-15 First notified to Mitre for CVE number.
2015-06-16 Vendor published update...

WordPress Revslider 4.2.2 XSS / Information Disclosure

24 June 2015 - Source: http://www.mondounix.com
| # Title    : WordPress Revslider 4.2.2 Multi Vulnerability
| # Author   : indoushka
| # email    : indoushka4ever@gmail.com
| # Dork     : inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
| # Tested on: windows 8.1 Français V.(Pro)
| # Download : http://revolution.themepunch.com/
=======================================
 
XSS:
 
http://www.codekom.com//wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka..Give%20me%20your%20wp-config.php
 
information...

WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection

19 June 2015 - Source: http://www.mondounix.com
# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
 
 Vulnerabilities (2)
=====================
 
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
 
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]."...
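The search-filter pattern from the excerpt (a column name and a value taken from where$i/what$i and concatenated into the WHERE clause) rebuilt with a column whitelist and $wpdb->prepare(), as an added PHP example that is not NewStatPress code. The table nsp_demo_visits and its column list are assumptions; only the where$i/what$i parameter naming follows the excerpt, and a WordPress runtime is assumed.

```php
<?php
// Added example, not code from NewStatPress. The nsp_demo_visits table and its
// columns are hypothetical; the where$i/what$i names follow the advisory.
// Assumes a WordPress runtime ($wpdb).

// --- Vulnerable shape ---------------------------------------------------
// Both the identifier and the value come straight from the query string, so
// the caller controls the SQL text that follows each AND.
function nsp_demo_build_where_vulnerable( array $get ) {
    $where = ' WHERE 1=1';
    for ( $i = 1; $i <= 3; $i++ ) {
        if ( ! empty( $get["what$i"] ) && ! empty( $get["where$i"] ) ) {
            $where .= ' AND ' . $get["where$i"] . " = '" . $get["what$i"] . "'";
        }
    }
    return $where;
}

// --- Hardened version ---------------------------------------------------
// Identifiers cannot be bound as parameters, so the column name must come
// from a fixed whitelist; the value is bound with a %s placeholder.
function nsp_demo_query_hardened( array $get ) {
    global $wpdb;

    $columns = array( 'ip', 'urlrequested', 'agent', 'referrer', 'os', 'browser' ); // hypothetical

    $clauses = array();
    $values  = array();
    for ( $i = 1; $i <= 3; $i++ ) {
        $column = isset( $get["where$i"] ) ? (string) $get["where$i"] : '';
        $value  = isset( $get["what$i"] )  ? (string) $get["what$i"]  : '';
        if ( $value === '' || ! in_array( $column, $columns, true ) ) {
            continue; // unknown column or empty value: drop the filter entirely
        }
        $clauses[] = "`$column` = %s"; // column is whitelisted, value is a placeholder
        $values[]  = wp_unslash( $value );
    }

    $sql = "SELECT * FROM {$wpdb->prefix}nsp_demo_visits";
    if ( $clauses ) {
        // $wpdb->prepare() escapes and quotes each %s; the array form binds all values at once.
        $sql = $wpdb->prepare( $sql . ' WHERE ' . implode( ' AND ', $clauses ), $values );
    }
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

Because the original loop also requires a logged-in user, the fix above still belongs behind the plugin's existing capability check; parameterisation removes the injection, not the need for authorisation.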
