Notification: New Security Bypass Vulnerabilities in WordPress plugins – October 9, 2014

Posted: October 9, 2014 in Vulnerability News

The latest vulnerabilities in WordPress plugins

Three Security Bypass vulnerabilities in WordPress plugins: Access Areas, Download Manager, and DukaPress.

1. Security Bypass in WordPress Access Areas Plugin

Danger: Low
Availability of Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:O/RC:C) = Base: 7.5 / Temporal: 5.5

Attack vector: Remote
Impact: Security Bypass

Affected products: WordPress Access Areas Plugin 1.x
Affected versions: WordPress Access Areas versions prior to 1.3.1

Description:
The vulnerability allows malicious people to bypass certain security restrictions.

The vulnerability is caused by improper enforcement of the access restrictions placed on posts (publications). A remote user can change these settings.

Solution: Install the latest version 1.3.1 from the manufacturer.

Link: https://wordpress.org/plugins/wp-access-areas/changelog/

2. Security Bypass in WordPress Download Manager Plugin

Danger: Low
Availability of Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:O/RC:C) = Base: 5.0 / Temporal: 3.7

Attack vector: Remote
Impact: Security Bypass

Affected products: WordPress Download Manager Plugin 2.x
Affected versions: WordPress Download Manager versions prior to 2.6.93

Description:
The vulnerability can be exploited by malicious people to conduct XSS attacks.

The vulnerability is caused by insufficient sanitization of input data in the functions wpdm_delete_file() and wpdm_save_file() in download-manager.php. A remote attacker can exploit this via a specially crafted request to execute arbitrary script code in a user's browser session in the context of an affected site.

Solution: Install the latest version 2.6.93 from the manufacturer.

Link: https://wordpress.org/plugins/download-manager/changelog/

3. Security Bypass in WordPress DukaPress Plugin

Danger: Medium
Availability of Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:O/RC:C) = Base: 7.5 / Temporal: 5.5

Attack vector: Remote
Impact: Security Bypass

Affected products: WordPress DukaPress Plugin 2.x
Affected versions: WordPress DukaPress versions prior to 2.4

Description:
The vulnerability allows malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error. Details were not disclosed.

Solution: Install the latest version 2.4 from the manufacturer.

Link: https://wordpress.org/plugins/dukapress/changelog/


Vendor URLs (wordpress.org):

WordPress Access Areas Plugin
WordPress Download Manager Plugin
WordPress DukaPress Plugin
