Cross Site Scripting vulnerability in Wordpress Plugin

Systems Affected

Threat Level

Overview

Multiple vulnerabilities have been reported in the various Plugins for WordPress which allows a remote attacker to conduct Cross Site Scripting (XSS) attacks.

Description

1. WordPress Wordfence Firewall plugin cross-site scripting vulnerability (CVE-2014-4664)
This vulnerability exists due to improper validation of user-supplied input via whoisval parameter on the WordfenceWhois page to wp-admin/admin.php. A remote attacker could exploit this vulnerability by enticing the user to visit the specially crafted URL to execute arbitrary HTML and script code in victims browser in context of the vulnerable website. Successful exploitation of the vulnerability could allow an attacker to steal sensitive information and gain complete access over the web application.

2. Wordpress Web Dorado Spider video player plugin cross-site scripting vulnerability (CVE-2014-8584)
This vulnerability exists due to improper validation of user-supplied input via unspecified vectors which could allow an attacker to execute arbitrary HTML and script code in victims browser in context of the vulnerable website. Successful exploitation could lead to unauthorized access and modifications on the targeted system.

Impact

Solution/ Workarounds

Upgrade to the latest versions as mentioned in the following links
https://wordpress.org/plugins/wordfence/changelog/
https://wordpress.org/plugins/player/changelog

References

http://www.cert-in.org.in/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.