Cross-site scripting in WordPress 11152012

Posted: November 16, 2012 in Vulnerabilities
Tags: , , , ,

Wordpress Vulnerability

Cross-site scripting in WordPress

Vulnerability: Cross-site scripting WordPress NextGEN Gallery

Danger: Low
If the Patch: None
Number of vulnerabilities: 1

Vector of operation: Remote
Impact: Cross Site Scripting

Affected products: WordPress NextGEN Gallery Plugin 1.x

Affected versions: WordPress NextGEN Gallery 1.9.7, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused due to insufficient input validation in the parameter “movieName” in the script to swfupload.swf “ExternalInterface.call ()”. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Manufacturer URL: http://wordpress.org/extend/plugins/nextgen-gallery/

Solution: The way to eliminate the vulnerability does not exist at present.

Links:

http://wordpress.org/extend/plugins/nextgen-gallery/changelog/

Vulnerability: Cross-site scripting WordPress Buddystream

Danger: Low
Number of vulnerabilities: 2
Vector of operation: Remote
Impact: Cross Site Scripting

Affected products: WordPress BuddyStream Plugin 2.x

Affected versions: WordPress Buddystream 2.6.2, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

1. The vulnerability is caused due to insufficient input validation in the parameter “content” in the script wp-content/plugins/buddystream/extensions/default/templates/ShareBox.php. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

2. The vulnerability is caused due to insufficient input validation in the parameter “link” in the script wp-content/plugins/buddystream/extensions/default/templates/ShareBox.php (when the parameter “share” is “linkedin”). This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Manufacturer URL: http://wordpress.org/extend/plugins/buddystream/

Vulnerability: Cross-site scripting WordPress Amazon Associate

Danger: Low
Number of vulnerabilities: 1

Vector of operation: Remote
Impact: Cross Site Scripting

Affected products: WordPress Amazon Associate Plugin 2.x

Affected versions: WordPress Amazon Associate 2.0, maybe earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused due to insufficient input validation in the parameter “callback” in the script wp-content/plugins/wordpress-amazon-associate/servlet/index.php. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

URL производителя: http://labs.mdbitz.com/wordpress/wordpress-amazon-associate-plugin

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s