The latest Cross-site scripting vulnerabilities in WordPress plugins
Three new cross-site scripting vulnerabilities in WordPress plugins: MaxButtons (CVE-2014-7181), WP Google Maps (CVE-2014-7182), and WooCommerce (CVE-2014-6313).
1. Cross-site scripting in WordPress MaxButtons
Danger level: Low
Availability of corrections: Yes
Quantity of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-7181
Exploitation vector: Remote
Impact: Cross-site scripting
Affected products: WordPress MaxButtons: WordPress Button Generator Plugin 1.x
Affected versions: MaxButtons WordPress 1.26.0, possibly earlier versions
Description:
WordPress MaxButtons plugin version 1.26.0 suffers from a cross-site scripting vulnerability that allows a remote user to carry out an XSS attack.
The vulnerability is due to an error in the processing of input data in the parameter “id” of the script /wp-admin/admin.php. A remote user can, with the help of a specially crafted link, execute arbitrary HTML and script code in the user’s browser session in the context of an affected site.
Solution: Install the latest version 1.26.1 from the manufacturer.
Link: https://www.htbridge.com/advisory/HTB23237
2. Cross-site scripting in WordPress WP Google Maps
Danger level: Low
Availability of corrections: Yes
Quantity of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-7182
Exploitation vector: Remote
Impact: Cross-site scripting
Affected products: WP Google Maps WordPress 6.x
Affected versions: WP Google Maps WordPress 6.0.26, possibly earlier versions
Description:
WordPress WP Google Maps plugin version 6.0.26 suffers from a cross-site scripting vulnerability that allows a remote attacker to carry out an XSS attack.
The vulnerability is caused by an error in the processing of the input parameter “poly_id” of the script /wp-admin/admin.php. This can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
Solution: Install the latest version 6.0.27 from the manufacturer.
Link: https://www.htbridge.com/advisory/HTB23236
3. Cross-site scripting in WordPress WooCommerce
Danger level: Low
Availability of corrections: Yes
Quantity of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-6313
Exploitation vector: Remote
Impact: Cross-site scripting
Affected products: WordPress WooCommerce Plugin 2.x
Affected versions: WordPress WooCommerce versions prior to 2.2.3
Description:
A cross-site scripting vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML.
The vulnerability is caused by an unspecified error in the processing of input data. This can be exploited via a specially crafted link to execute arbitrary script code in a user’s browser session in the context of an affected site.
Solution: Install the latest version 2.2.3 from the manufacturer.
Links:
https://wordpress.org/plugins/woocommerce/changelog/
https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
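The three advisories above share one bug class (reflected XSS via a crafted link to /wp-admin/admin.php) and one remediation (upgrade to the fixed version). As an added defender-side example that is not part of the advisories or of any plugin vendor's code, the following Python script does the two checks an administrator would want: it compares an installed plugin's header version against the fixed versions stated above, and it scans web-server access log lines for requests to admin.php whose “id” or “poly_id” value is not a plain integer or carries markup. Assumptions: the plugin slugs, the Apache combined log format, the `page=plugin-page` query value and the sample log lines are all constructed for this example, and both watched parameters are taken to be numeric IDs in normal use.

```python
"""Added example: version check and log triage for the three XSS advisories above."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed versions as stated in the advisories. Because each advisory says "possibly
# earlier versions", any version below the fix is conservatively treated as affected.
FIXED_VERSIONS = {
    "maxbuttons": "1.26.1",       # MaxButtons, CVE-2014-7181
    "wp-google-maps": "6.0.27",   # WP Google Maps, CVE-2014-7182
    "woocommerce": "2.2.3",       # WooCommerce, CVE-2014-6313
}

# Parameters named in the advisories; assumption: both only ever carry numeric IDs.
WATCHED_PARAMS = {"id", "poly_id"}

# Apache combined log request field, e.g. "GET /path?query HTTP/1.1"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that have no business in a numeric ID and indicate injected markup.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def parse_version(version):
    """Turn '1.26.0' into (1, 26, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(slug, installed_version):
    """True if the installed version is below the fixed version from the advisory."""
    return parse_version(installed_version) < parse_version(FIXED_VERSIONS[slug])


def installed_version_from_header(plugin_header):
    """Read the 'Version:' line of a WordPress plugin file header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_header, re.MULTILINE)
    return m.group(1) if m else None


def suspicious_params(request_target):
    """Return {param: (decoded_value, reason)} for watched admin.php parameters."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return {}
    flagged = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; unquote again to see through double encoding.
            decoded = unquote(value)
            if MARKUP.search(decoded):
                flagged[name] = (decoded, "markup")
            elif not decoded.isdigit():
                flagged[name] = (decoded, "non-numeric")
    return flagged


def scan_access_log(lines):
    """Return [(line_number, flagged_params)] for requests that look like XSS probes."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        flagged = suspicious_params(m.group("target"))
        if flagged:
            hits.append((lineno, flagged))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up page slug).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Oct/2014:10:00:01 +0000] "GET /wp-admin/admin.php?page=plugin-page&action=edit&id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2014:10:00:05 +0000] "GET /wp-admin/admin.php?page=plugin-page&action=edit&id=12%22%3E%3Cscript%3E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Oct/2014:10:01:00 +0000] "GET /wp-admin/admin.php?page=plugin-page&poly_id=%3Cimg%20src%3Dx%3E HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Oct/2014:10:02:00 +0000] "GET /index.php?id=%3Cscript%3E HTTP/1.1" 200 1024',
]

# Constructed plugin header as it would appear at the top of a plugin's main PHP file.
SAMPLE_HEADER = "/*\n * Plugin Name: Example Plugin\n * Version: 1.26.0\n */"

if __name__ == "__main__":
    version = installed_version_from_header(SAMPLE_HEADER)
    print("maxbuttons", version, "affected:", is_affected("maxbuttons", version))
    for lineno, flagged in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {flagged}")
```

The log scan only looks at the request path the advisories name and only at the two parameters they name, so it stays quiet on ordinary admin traffic; the version check is the real fix, the log scan only tells you whether anyone probed the parameters before you upgraded. Note that the fourth sample line is deliberately ignored because the path is not admin.php.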
Manufacturer URLs:
http://maxfoundry.com/
http://www.wpgmaps.com/
http://wordpress.org/plugins/woocommerce/