
Cross-site scripting in WordPress
Vulnerability: Cross-site scripting WordPress NextGEN Gallery
Danger: Low
If the Patch: None
Number of vulnerabilities: 1
Vector of operation: Remote
Impact: Cross Site Scripting
Affected products: WordPress NextGEN Gallery Plugin 1.x
Affected versions: WordPress NextGEN Gallery 1.9.7, possibly earlier.
Description:
The vulnerability allows malicious people to conduct XSS attacks.
The vulnerability is caused due to insufficient input validation in the parameter “movieName” in the script to swfupload.swf “ExternalInterface.call ()”. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Manufacturer URL: http://wordpress.org/extend/plugins/nextgen-gallery/
Solution: The way to eliminate the vulnerability does not exist at present.
Links:
http://wordpress.org/extend/plugins/nextgen-gallery/changelog/
Vulnerability: Cross-site scripting WordPress Buddystream
Danger: Low
Number of vulnerabilities: 2
Vector of operation: Remote
Impact: Cross Site Scripting
Affected products: WordPress BuddyStream Plugin 2.x
Affected versions: WordPress Buddystream 2.6.2, possibly earlier.
Description:
The vulnerability allows malicious people to conduct XSS attacks.
1. The vulnerability is caused due to insufficient input validation in the parameter “content” in the script wp-content/plugins/buddystream/extensions/default/templates/ShareBox.php. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
2. The vulnerability is caused due to insufficient input validation in the parameter “link” in the script wp-content/plugins/buddystream/extensions/default/templates/ShareBox.php (when the parameter “share” is “linkedin”). This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Manufacturer URL: http://wordpress.org/extend/plugins/buddystream/
Vulnerability: Cross-site scripting WordPress Amazon Associate
Danger: Low
Number of vulnerabilities: 1
Vector of operation: Remote
Impact: Cross Site Scripting
Affected products: WordPress Amazon Associate Plugin 2.x
Affected versions: WordPress Amazon Associate 2.0, maybe earlier.
Description:
The vulnerability allows malicious people to conduct XSS attacks.
The vulnerability is caused due to insufficient input validation in the parameter “callback” in the script wp-content/plugins/wordpress-amazon-associate/servlet/index.php. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
URL производителя: http://labs.mdbitz.com/wordpress/wordpress-amazon-associate-plugin