
WordPress vulnerabilities
1. Security bypass in WordPress WP-Ban
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: N / A: P / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-6230
Attack vector: Remote
Impact: Security Bypass
Affected products: WordPress WP-Ban Plugin 1.x
Affected versions: WordPress WP-Ban versions prior to 1.64
Description:
The vulnerability allows malicious people to bypass certain security restrictions.
The vulnerability exists because the plugin determines the IP address of a request from the X-Forwarded-For header, which is supplied by the client and can therefore be forged. A remote user can use this to bypass the IP blacklist.
Solution: Install the latest version (1.64 or later) from the vendor.
Links:
https://security.dxw.com/advisories/
https://wordpress.org/plugins/wp-ban/changelog/
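The WP-Ban issue above comes down to where the plugin takes the client address from. The following Python is an added illustration, not WP-Ban's own (PHP) code: it contrasts the naive resolution the advisory describes with a hardened one that honours X-Forwarded-For only when the request arrives from a proxy the site actually sits behind. All addresses, the banned list and the trusted proxy are constructed for the example.

```python
import ipaddress

# Constructed sample data for this example (not from the advisory).
BANNED_IPS = {"203.0.113.7"}
TRUSTED_PROXIES = {"10.0.0.5"}  # the one reverse proxy this site sits behind


def client_ip_naive(env: dict) -> str:
    """Vulnerable pattern: prefer X-Forwarded-For whenever it is present.
    Any client can send this header, so a banned host picks its own 'IP'."""
    return env.get("HTTP_X_FORWARDED_FOR", env["REMOTE_ADDR"]).split(",")[0].strip()


def client_ip_hardened(env: dict) -> str:
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    take the entry that proxy appended (the rightmost one); the leftmost entry
    is whatever the original client chose to send."""
    peer = env["REMOTE_ADDR"]
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and xff:
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)  # reject non-address junk
            return candidate
        except ValueError:
            pass
    return peer  # direct connection, or unusable header: trust the socket


def is_banned(env: dict, resolver=client_ip_hardened) -> bool:
    return resolver(env) in BANNED_IPS


# Constructed request: banned host connects directly and forges the header.
forged = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.9"}
# Constructed request: the same banned host, this time via the trusted proxy.
proxied = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}

if __name__ == "__main__":
    print("naive, forged header:    banned =", is_banned(forged, client_ip_naive))  # False
    print("hardened, forged header: banned =", is_banned(forged))                   # True
    print("hardened, via proxy:     banned =", is_banned(proxied))                  # True
```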
2. Cross-site scripting in WordPress Profile Builder
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
Attack vector: Remote
Impact: Cross-site scripting (XSS attack)
Affected products: WordPress Profile Builder Plugin 1.x
Affected versions: WordPress Profile Builder versions prior to 1.1.66
Description:
The vulnerability allows a remote user to conduct cross-site scripting attacks.
The vulnerability is caused by insufficient sanitisation of form input. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Solution: Install the latest version (1.1.66) from the vendor.
Link: https://wordpress.org/plugins/profile-builder/changelog/
Vendor URLs:
https://wordpress.org/plugins/wp-ban/
http://wordpress.org/extend/plugins/profile-builder/