Cross-site scripting WordPress Multisite Plugin Manager

Posted: October 2, 2012 in Vulnerabilities
Tags: , ,

Wordpress VulnerabilityVulnerability: Cross-site scripting WordPress Multisite Plugin Manager

Danger: Low
Impact: Cross Site Scripting
Affected products: WordPress Multisite Plugin Manager 3.x

Affected versions: WordPress Multisite Plugin Manager 3.1.1, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused due to insufficient input validation in the parameters “mass_activate” and “mass_deactivate” in script wp-admin/network/plugins.php (when the parameter “page” is “plugin-management”). This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Manufacturer URL: http://wordpress.org/extend/plugins/multisite-plugin-manager/

Solution: Install the latest version 3.1.2 from the manufacturer.
rel=”nofollow”
links:

http://wordpress.org/extend/plugins/multisite-plugin-manager/changelog/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s