Notification: New Vulnerability in WordPress – September 24, 2014

Posted: September 24, 2014 in Vulnerability News

WordPress vulnerabilities

1. Security bypass in WordPress WP-Ban

Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1

CVSSv2 rating: (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C) = Base: 5.0 / Temporal: 3.7
CVE ID: CVE-2014-6230

Attack vector: Remote
Impact: Security bypass

Affected products: WordPress WP-Ban Plugin 1.x
Affected versions: WordPress WP-Ban versions before 1.64

Description:

The vulnerability allows a remote attacker to bypass certain security restrictions of the plugin.

The vulnerability exists because the plugin determines the client IP address from the X-Forwarded-For request header, which any HTTP client can set to an arbitrary value, instead of from the address of the connecting peer (REMOTE_ADDR). A remote user whose address is on the ban list can therefore send an X-Forwarded-For header containing an unbanned address and bypass the IP blacklist.

Solution: Install version 1.64 or later from the vendor.

Links:
https://security.dxw.com/advisories/
https://wordpress.org/plugins/wp-ban/changelog/
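The header handling described above, as an added example that is not WP-Ban's own code: a client-IP lookup that trusts X-Forwarded-For from anyone, beside a hardened lookup that only honours the header when the TCP peer is a proxy we operate. The ban list, the trusted-proxy address and the two request arrays are constructed for the demo; in a real plugin the values come from $_SERVER.

```php
<?php
// Added illustration (not WP-Ban's own code): how an IP ban check is bypassed
// when the client address is taken from X-Forwarded-For, and a hardened
// version that only honours that header behind a proxy we control.

// Vulnerable pattern: trust X-Forwarded-For whenever it is present.
function client_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The header is attacker-controlled; the first entry is whatever the client sent.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened pattern: REMOTE_ADDR is the TCP peer and cannot be forged by the
// HTTP client. Only if that peer is one of our proxies do we walk the
// X-Forwarded-For chain from the right, skipping our own proxies, to find
// the address that the nearest trusted proxy actually saw.
function client_ip_hardened(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    // Walk right-to-left: the rightmost entry was appended by the proxy nearest us.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting anything further left
        }
        if (!in_array($candidate, $trusted_proxies, true)) {
            return $candidate; // first hop that is not one of our proxies
        }
    }
    // Every entry was one of our proxies (or the header was junk): fall back to the peer.
    return $peer;
}

function is_banned(string $ip, array $ban_list): bool
{
    return in_array($ip, $ban_list, true);
}

// --- Constructed demo data (not real addresses from the advisory) ---
$ban_list        = ['203.0.113.7'];
$trusted_proxies = ['10.0.0.1'];

// Direct connection: banned client 203.0.113.7 forges "X-Forwarded-For: 198.51.100.9".
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];
printf("vulnerable, direct:  %s\n", is_banned(client_ip_vulnerable($direct), $ban_list) ? 'banned' : 'allowed');
printf("hardened,   direct:  %s\n", is_banned(client_ip_hardened($direct, $trusted_proxies), $ban_list) ? 'banned' : 'allowed');

// Behind our own proxy the header is still honoured, so reverse-proxy
// deployments keep working; the client's bogus leading entry is ignored.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];
printf("hardened,   proxied: %s\n", is_banned(client_ip_hardened($proxied, $trusted_proxies), $ban_list) ? 'banned' : 'allowed');
```

Run it with the php command-line interpreter. For the direct request the vulnerable lookup reports the banned client as allowed, because it reads 198.51.100.9 out of the forged header, while the hardened lookup ignores the header and reports it as banned. For the proxied request the hardened lookup still extracts 203.0.113.7, the entry our proxy appended, so prepending a fake address does not evade the ban either. Any plugin that keys trust on the client address (bans, rate limits, login throttling) needs this kind of check.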

2. Cross-site scripting in WordPress Profile Builder

Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1

CVSSv2 rating: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) = Base: 5.0 / Temporal: 3.7

Attack vector: Remote
Impact: Cross-site scripting (XSS)

Affected products: WordPress Profile Builder Plugin 1.x
Affected versions: WordPress Profile Builder versions before 1.1.66

Description:

The vulnerability allows a remote user to perform cross-site scripting attacks.

The vulnerability is caused by insufficient sanitization of input submitted through the plugin's forms. It can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

Solution: Install version 1.1.66 or later from the vendor.

Link: https://wordpress.org/plugins/profile-builder/changelog/
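The "insufficient sanitization of form input" pattern above, as an added example that is not Profile Builder's own code and does not reproduce its specific bug: a form field whose submitted value is echoed straight back into an HTML attribute, beside the same field rendered with contextual escaping. htmlspecialchars() stands in for WordPress's esc_attr() so the script runs under plain php-cli; the field name and payload are constructed.

```php
<?php
// Added illustration (not Profile Builder's own code): a reflected XSS sink
// and its escaped counterpart. In a WordPress plugin use esc_attr() for
// attribute values and esc_html() for text nodes instead of the shim below.

// Vulnerable: the submitted value is concatenated into an attribute unescaped.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Shim for esc_attr(): ENT_QUOTES escapes both " and ' so the attribute
// cannot be closed early, and an explicit charset avoids encoding ambiguity.
function esc_attr_compat(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: every untrusted value is escaped for the context it lands in.
function render_field_hardened(string $name, string $value): string
{
    return '<input type="text" name="' . esc_attr_compat($name)
         . '" value="' . esc_attr_compat($value) . '">';
}

// Returns true if the rendered markup still contains an unescaped <script> tag,
// which is the condition a test for this class of bug should assert on.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed payload: closes the attribute and the tag, then injects script.
$payload = '"><script>alert(document.cookie)</script>';

$vulnerable = render_field_vulnerable('username', $payload);
$hardened   = render_field_hardened('username', $payload);

echo $vulnerable, "\n";
echo $hardened, "\n";
printf("vulnerable output injects script: %s\n", contains_script_tag($vulnerable) ? 'yes' : 'no');
printf("hardened output injects script:   %s\n", contains_script_tag($hardened) ? 'yes' : 'no');
```

The escaped output keeps the payload as inert text inside the value attribute, because the quote and angle brackets are emitted as entities. The choice of escaping function depends on where the value is inserted: attribute, text node, URL, or JavaScript each need their own encoder, and escaping at output time is what makes the fix hold regardless of how the value was stored.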

Vendor URLs:
https://wordpress.org/plugins/wp-ban/
http://wordpress.org/extend/plugins/profile-builder/
