The latest Cross-site scripting vulnerabilities in WordPress plugins
Five Cross-site scripting vulnerabilities in WordPress plugins: Profile Builder, Photo Gallery, EWWW Image Optimizer, Contact Form DB, and Google Calendar Events.
1. Cross-site scripting in WordPress Profile Builder Plugin
Danger: Low
Availability Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
Vector operation: Remote
Impact: Cross-site scripting (XSS attack)
Affected products: WordPress Profile Builder Plugin 1.x
Affected versions: WordPress Profile Builder version to 1.1.66
Description:
The vulnerability allows a remote user produce XSS attack.
The vulnerability is caused due to insufficient processing of the input data associated with forms. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Solution: Install the latest version 1.1.66 from the manufacturer.
Link: https://wordpress.org/plugins/profile-builder/changelog/
2. Cross-site scripting in WordPress Photo Gallery Plugin
Danger: Low
Availability Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-6315
Vector operation: Remote
Impact: Cross-site scripting (XSS attack)
Affected products: WordPress PICA Photo Gallery Plugin 1.x
Affected: WordPress Photo Gallery version to 1.1.31
Description:
The vulnerability make possible for the remote user to produce XSS attack.
The vulnerability is caused due to insufficient input data processing in the GET parameter “callback”, “dir” and “extensions” in the script wp-admin / admin-ajax.php. A remote user can with the help of a specially formed links to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Solution: Install the latest version 1.1.31 from the manufacturer.
Link: https://www.htbridge.com/advisory/HTB23232
3. Cross-site scripting in WordPress EWWW Image Optimizer
Danger: Low
Availability Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-6243
Vector operation: Remote
Impact: Cross-site scripting (XSS attack)
Affected products: WordPress EWWW Image Optimizer 2.x
Affected versions: WordPress EWWW Image Optimizer 2.0.1, possibly earlier versions
Description:
The vulnerability make possible for the remote user to produce XSS attack.
The vulnerability is caused due to insufficient processing of the input data in HTTP GET parameter “page” in the script /wp-admin/options-general.php. This can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Note: Successful exploitation of this vulnerability requires that a function JavaScript “alert ()” displayed the manager’s cookies.
Solution: Install the latest version 2.0.2 from the manufacturer.
Links: https://www.htbridge.com/advisory/HTB23234
4. Cross-site scripting in WordPress Contact Form DB
Danger: Low
Availability Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-7139
Vector operation: Remote
Impact: Cross-site scripting
Affected products: WordPress Contact Form DB 2.x
Affected versions: WordPress Contact Form DB 2.8.13, possibly earlier versions
Description:
The vulnerability allows a remote user produce XSS attack.
The vulnerability is caused due to insufficient processing of the input data in HTTP GET parameter “form” in the script /wp-admin/admin.php, as well as HTTP GET parameter “enc” in the script /wp-admin/admin.php. This can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Solution: Install the latest version 2.8.16 from the manufacturer.
Link: https://www.htbridge.com/advisory/HTB23233
5. Cross-site scripting in WordPress Google Calendar Events
Danger: Low
Availability Corrections: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-7138
Vector operation: Remote
Impact: Cross-site scripting
Affected products: WordPress Google Calendar Events 2.x
Affected versions: WordPress Google Calendar Events 2.0.1, possibly earlier versions
Description:
The vulnerability allows a remote user to XXS-attack.
The vulnerability is caused due to insufficient processing of the input data in HTTP GET parameter “gce_feed_ids” in the script /wp-admin/admin-ajax.php. This can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Solution: Install the latest version 2.0.4 from the manufacturer.
Links: https://www.htbridge.com/advisory/HTB23235
Manufacturers URLs:
WordPress Contact Form DB
WordPress Profile Builder
WordPress EWWW Image Optimizer
WordPress Google Calendar Events
WordPress Photo Gallery