Cross Site Scripting vulnerability in WordPress Plugin

 

Systems Affected


WordPress Wordfence Firewall plugin prior to version 5.1.8
WordPress Web Dorado Spider Video Player plugin prior to version 1.5.2

Threat Level


Medium


Overview


Multiple vulnerabilities have been reported in various plugins for WordPress which allow a remote attacker to conduct Cross Site Scripting (XSS) attacks.


Description


1. WordPress Wordfence Firewall plugin cross-site scripting vulnerability (CVE-2014-4664)
This vulnerability exists due to improper validation of user-supplied input via the whoisval parameter on the WordfenceWhois page of wp-admin/admin.php. A remote attacker could exploit this vulnerability by enticing a user to visit a specially crafted URL, causing arbitrary HTML and script code to execute in the victim's browser in the context of the vulnerable website. Successful exploitation of the vulnerability could allow an attacker to steal sensitive information and gain complete access to the web application.

2. WordPress Web Dorado Spider Video Player plugin cross-site scripting vulnerability (CVE-2014-8584)
This vulnerability exists due to improper validation of user-supplied input via unspecified vectors, which could allow an attacker to execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website. Successful exploitation could lead to unauthorized access to and modification of the targeted system.
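The two checks below are an added example for the items above; they are not part of the Sri Lanka CERT|CC advisory and are not code from either plugin vendor. The first compares an installed plugin version against the first fixed version the advisory names (5.1.8 for Wordfence, 1.5.2 for Spider Video Player), assuming the dotted numeric version strings that WordPress plugin headers use; the "player" key is taken from the changelog link in the advisory. The second scans web-server access-log lines for requests to wp-admin/admin.php whose whoisval parameter carries HTML or script markup, which is the reflected-XSS vector described for CVE-2014-4664. The log lines are constructed for this example.

```python
"""Defender-side checks for the advisory's two items (added example, not advisory code)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First fixed versions as stated in the advisory's "Systems Affected" section.
FIXED_VERSIONS = {
    "wordfence": "5.1.8",
    "player": "1.5.2",   # Web Dorado Spider Video Player (slug assumed from the changelog URL)
}


def parse_version(version):
    """Turn '5.1.8' into (5, 1, 8) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(plugin, installed):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[plugin])


# Apache/nginx Combined Log Format prefix: host ident user [time] "method target proto" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers that indicate markup rather than a hostname/IP in a WHOIS lookup value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|on\w+\s*=", re.IGNORECASE)


def find_suspicious_whois_requests(lines):
    """Return log records where admin.php was requested with markup in 'whoisval'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("whoisval", []):
            # parse_qs decoded once already; decode again to catch double-encoded input.
            decoded = unquote(value)
            if MARKUP_RE.search(decoded):
                hits.append({
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "whoisval": decoded,
                })
    return hits


# Constructed sample log lines (not real traffic): one benign lookup, one
# plain-encoded script tag, one double-encoded script tag, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2014:12:00:01 +0530] "GET /wp-admin/admin.php?page=WordfenceWhois&whoisval=example.com HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Nov/2014:12:00:05 +0530] "GET /wp-admin/admin.php?page=WordfenceWhois&whoisval=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5200',
    '198.51.100.9 - - [10/Nov/2014:12:00:09 +0530] "GET /wp-admin/admin.php?page=WordfenceWhois&whoisval=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 5200',
    '198.51.100.2 - - [10/Nov/2014:12:01:00 +0530] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 3000',
]


if __name__ == "__main__":
    for plugin, installed in (("wordfence", "5.1.7"), ("player", "1.5.2")):
        state = "VULNERABLE" if is_vulnerable_version(plugin, installed) else "patched"
        print(f"{plugin} {installed}: {state}")
    for hit in find_suspicious_whois_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} status={hit['status']} whoisval={hit['whoisval']!r}")
```

The version check is meant to run against the `Version:` header of the installed plugin; the log scan only flags the admin.php path and the one parameter named in the advisory, so it produces few false positives but does not cover the unspecified vectors of CVE-2014-8584, for which upgrading remains the only listed remedy.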


Impact



Solution/ Workarounds


Upgrade to the latest versions as mentioned in the following links:
https://wordpress.org/plugins/wordfence/changelog/
https://wordpress.org/plugins/player/changelog


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.