
Multiple Vulnerabilities
Latest vulnerabilities in popular WordPress plugins and themes: Covert VideoPress, Digg Digg, Video Gallery and Related Posts.
- Cross-site scripting in WordPress Covert VideoPress
Danger level: Low
Fix available: No
Number of vulnerabilities: 1
Attack vector: Remote
Impact: Cross-site scripting
Affected products: WordPress Covert VideoPress Theme
Affected versions: WordPress Covert VideoPress
Description:
The vulnerability can be exploited by malicious people to conduct cross-site scripting (XSS) attacks.
Vendor URL: http://covertvideopress.com/
Solution: No fix is available at present.
- CSRF in WordPress Digg Digg
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2013-3258
Attack vector: Remote
Impact: Cross-site scripting
Affected products: WordPress Digg Digg Plugin 5.x
Affected versions: WordPress Digg Digg 5.3.4, possibly earlier.
Description:
The vulnerability can be exploited by malicious people to conduct XSS attacks.
The vulnerability is caused by the plugin accepting HTTP requests that perform certain actions without verifying that those requests are legitimate. This can be exploited to conduct cross-site request forgery (CSRF) attacks and manipulate the plugin's settings.
Vendor URL: http://wordpress.org/plugins/digg-digg/
Solution: Update to version 5.3.5 from the vendor's website.
- SQL injection in WordPress Video Gallery
Danger level: Medium
Fix available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2013-3478
Attack vector: Remote
Impact: Unauthorized modification of data
Affected products:
WordPress Video Gallery Plugin 1.x
WordPress Video Gallery Plugin 2.x
Affected versions:
WordPress Video Gallery 1.6, possibly earlier
WordPress Video Gallery 2.0, possibly earlier
Description:
The vulnerability allows a remote user to execute arbitrary SQL commands in the application database.
The vulnerability is caused by insufficient sanitization of input passed via the “playid” parameter to index.php (when the “page_id” parameter points to the [videohome] page and “more” is set to “category”). This can be exploited to execute arbitrary SQL commands in the application database.
Vendor URL: http://wordpress.org/plugins/contus-video-gallery/
Solution: Update to version 2.1 from the vendor.
- CSRF in WordPress Related Posts
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2013-3257
Attack vector: Remote
Impact: Cross-site scripting
Affected products: WordPress Related Posts Plugin 2.x
Affected versions: WordPress Related Posts 2.7.1, possibly earlier.
Description:
The vulnerability can be exploited by malicious people to conduct XSS attacks.
The vulnerability is caused by the plugin accepting HTTP requests that perform certain actions without verifying that those requests are legitimate. This can be exploited to conduct cross-site request forgery (CSRF) attacks and manipulate the plugin's settings.
Vendor URL: http://wordpress.org/plugins/wordpress-23-related-posts-plugin/
Solution: Update to version 2.7.2 from the vendor's website.
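As an added example (not code from any of the plugins named above), the following hypothetical plugin code shows the two defect classes described in the Digg Digg, Related Posts and Video Gallery entries: a settings action with no request validation beside one protected by a WordPress nonce and capability check, and a lookup that interpolates a raw “playid”-style parameter beside one that binds it through $wpdb->prepare(). All function, option, action and table names are placeholders.

```php
<?php
// Added example with placeholder names; not code from any plugin in this bulletin.

// 1. CSRF on a settings action (the Digg Digg / Related Posts class of bug).
//    Vulnerable shape: any POST that reaches the handler is trusted, so a form
//    on a third-party site can change the option for a logged-in administrator.
function example_gallery_save_settings_vulnerable() {
    update_option( 'example_gallery_color', $_POST['color'] ); // no nonce, no capability check
}

//    Hardened: the form carries a nonce bound to this action and this user ...
function example_gallery_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_gallery_save">';
    wp_nonce_field( 'example_gallery_save', 'example_gallery_nonce' ); // hidden nonce field
    echo '<input name="color" value="' . esc_attr( get_option( 'example_gallery_color', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

//    ... and the handler refuses requests that lack a valid nonce or the right capability.
function example_gallery_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with 403 if the nonce is missing, expired, or tied to another action/user,
    // so a forged cross-site request never reaches update_option().
    check_admin_referer( 'example_gallery_save', 'example_gallery_nonce' );
    $color = sanitize_text_field( wp_unslash( $_POST['color'] ?? '' ) );
    update_option( 'example_gallery_color', $color );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_gallery_save', 'example_gallery_save_settings' );

// 2. SQL injection through a request parameter (the Video Gallery "playid" class of bug).
//    Vulnerable shape: the raw parameter is interpolated into the SQL string.
function example_gallery_get_video_vulnerable() {
    global $wpdb;
    $playid = $_GET['playid'];
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_videos WHERE id = $playid" );
}

//    Hardened: coerce to the expected type, then bind it with a %d placeholder.
function example_gallery_get_video() {
    global $wpdb;
    $playid = isset( $_GET['playid'] ) ? absint( $_GET['playid'] ) : 0;
    if ( 0 === $playid ) {
        return null; // reject missing or non-numeric ids instead of querying with them
    }
    $sql = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}example_videos WHERE id = %d", $playid );
    return $wpdb->get_row( $sql );
}
```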