Systems Affected
• WordPress Wordfence Firewall plugin prior to version 5.1.8
• WordPress Web Dorado Spider Video Player plugin prior to version 1.5.2
Threat Level
Overview
Multiple vulnerabilities have been reported in various plugins for WordPress which could allow a remote attacker to conduct cross-site scripting (XSS) attacks against users of the affected sites.
Description
1. WordPress Wordfence Firewall plugin cross-site scripting vulnerability (CVE-2014-4664)
This vulnerability exists due to improper validation of user-supplied input passed via the whoisval parameter on the WordfenceWhois page of wp-admin/admin.php. The parameter value is reflected into the page without adequate escaping. A remote attacker could exploit this by enticing a logged-in user (typically a site administrator, since the page lives under wp-admin) to visit a specially crafted URL, causing arbitrary HTML and script code to execute in the victim's browser in the context of the vulnerable website.
Successful exploitation could allow an attacker to steal session cookies and other sensitive information and to perform actions with the privileges of the victim; where the victim is an administrator this may amount to complete control of the web application.
2. WordPress Web Dorado Spider Video Player plugin cross-site scripting vulnerability (CVE-2014-8584)
This vulnerability exists due to improper validation of user-supplied input via unspecified vectors, which could allow an attacker to execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
Successful exploitation could lead to unauthorized access to, and modification of, the targeted site with the privileges of the victim user.
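Both issues above are reflected XSS arising from request input being echoed into a page without escaping. The following is an added illustration, not the code of Wordfence or Spider Video Player and not their actual vulnerable code paths: a hypothetical admin page handler that echoes a query parameter straight into its markup, beside a hardened version that escapes on output. The function names and the reuse of the whoisval parameter name are assumptions for illustration only; esc_attr and esc_html are WordPress escaping helpers, shimmed here so the file runs stand-alone under the php CLI.

```php
<?php
// Added example, not the plugins' own code. Demonstrates the reflected
// XSS pattern described in the advisory and a hardened form of it.

// Shim the WordPress escaping helpers so this file runs under the php CLI.
// Inside WordPress these functions already exist and the shims are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE (hypothetical): the query parameter is concatenated into the
// page unescaped, so markup in the URL becomes markup in the victim's browser.
function render_whois_vulnerable(array $get) {
    $val = isset($get['whoisval']) ? (string) $get['whoisval'] : '';
    return '<input type="text" name="whoisval" value="' . $val . '">'
         . '<p>Results for ' . $val . '</p>';
}

// HARDENED: each untrusted value is escaped for the context it lands in
// (attribute value vs. element text). The browser now sees literal text,
// not tags or attribute terminators.
function render_whois_hardened(array $get) {
    $val = isset($get['whoisval']) ? (string) $get['whoisval'] : '';
    return '<input type="text" name="whoisval" value="' . esc_attr($val) . '">'
         . '<p>Results for ' . esc_html($val) . '</p>';
}

// Constructed sample input: the payload of a crafted link of the kind the
// advisory describes. The leading "> closes the input tag in the vulnerable
// version; in the hardened version it is rendered inert as &quot;&gt;.
$crafted = ['whoisval' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n" . render_whois_vulnerable($crafted) . "\n\n";
echo "Hardened output:\n"   . render_whois_hardened($crafted)   . "\n";
```

Run with `php example.php` and compare the two outputs. In a real plugin the page callback would additionally be gated by a capability check such as current_user_can('manage_options'), but that does not by itself prevent reflected XSS: the administrator is the one who is tricked into loading the link, so output escaping remains the necessary fix.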
Impact
Solution/ Workarounds
✻ Update the Wordfence Firewall plugin to version 5.1.8 or later.
✻ Update the Web Dorado Spider Video Player plugin to version 1.5.2 or later.
References
http://www.cert-in.org.in/
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.