New Cross-site scripting Vulnerabilities in WordPress Plugins – October 16, 2014

Posted: October 16, 2014 in Vulnerabilities


The latest Cross-site scripting vulnerabilities in WordPress plugins

Three new Cross-site scripting vulnerabilities in WordPress plugins: MaxButtons (CVE-2014-7181), WP Google Maps (CVE-2014-7182), and WooCommerce (CVE-2014-6313).

1. Cross-site scripting in WordPress MaxButtons

Danger level: Low
Availability of corrections: Yes
Quantity of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-7181

Vector of operation: Remote
Impact: Cross-site scripting

Affected products: WordPress MaxButtons: WordPress Button Generator Plugin 1.x
Affected versions: MaxButtons WordPress 1.26.0, possibly earlier versions

Description:
WordPress MaxButtons plugin version 1.26.0 suffers from a cross-site scripting vulnerability that allows a remote attacker to carry out an XSS attack.

The vulnerability is caused by insufficient handling of the input passed in the “id” parameter of the /wp-admin/admin.php script. A remote attacker can, by means of a specially crafted link, execute arbitrary HTML and script code in the victim’s browser session in the context of the affected site. Because the affected script lives under /wp-admin/, the victim must be a logged-in user, typically an administrator, who is tricked into opening the link; the injected script then runs with that user’s privileges.

Solution: Install the latest version 1.26.1 from the manufacturer.

Link: https://www.htbridge.com/advisory/HTB23237

2. Cross-site scripting in WordPress WP Google Maps

Danger level: Low
Availability of corrections: Yes
Quantity of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-7182

Vector of operation: Remote
Impact: Cross-site scripting

Affected products: WP Google Maps WordPress 6.x
Affected versions: WP Google Maps WordPress 6.0.26, possibly earlier versions

Description:
WordPress WP Google Maps plugin version 6.0.26 suffers from a cross-site scripting vulnerability that allows a remote attacker to carry out an XSS attack.

The vulnerability is caused by insufficient handling of the input passed in the “poly_id” parameter of the /wp-admin/admin.php script. It can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in the context of the affected site. As with the MaxButtons issue, the target must be a user logged in to the WordPress admin area.
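The pattern behind the MaxButtons and WP Google Maps issues above (a GET parameter such as “id” or “poly_id” reflected unescaped into an admin page) and the kind of fix such a plugin needs, shown side by side as an added example. This is not code from any of the three plugins; the form field, the function names and the crafted parameter value are assumptions made for illustration. The WordPress helpers `absint()` and `esc_attr()` are real core functions; plain-PHP fallbacks are provided so the file also runs on its own with `php`.

```php
<?php
// Added illustration of a reflected XSS in an admin page and its hardened form.
// NOT code from MaxButtons, WP Google Maps or WooCommerce: the field name,
// function names and crafted value below are assumptions for the example.

// Stand-alone fallbacks so the file runs outside WordPress (php xss_demo.php).
// Inside WordPress the core helpers already exist and these are skipped.
if (!function_exists('absint')) {
    // WordPress core: non-negative integer from arbitrary input.
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}
if (!function_exists('esc_attr')) {
    // WordPress core: escape text for use inside an HTML attribute value.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the raw GET value is concatenated into an attribute.
// A value containing a double quote closes the attribute and the tag, so the
// rest of the value is parsed as markup and executes in the browser of the
// logged-in user (usually an administrator) who follows the crafted link.
function render_edit_form_vulnerable(array $get): string {
    $id = isset($get['id']) ? $get['id'] : '';
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Hardened: validate the type first (an id is a non-negative integer), then
// still escape on output. The two controls are independent: absint() rejects
// anything that is not an integer, esc_attr() protects any field that later
// has to carry free text.
function render_edit_form_hardened(array $get): string {
    $id = isset($get['id']) ? absint($get['id']) : 0;
    return '<input type="hidden" name="id" value="' . esc_attr($id) . '">';
}

// Constructed request, as a crafted link would deliver it to admin.php:
//   /wp-admin/admin.php?page=<plugin-page>&id=%22%3E%3Cscript%3E...
// PHP has already URL-decoded the value into $_GET by the time a plugin sees it.
$crafted = ['id' => '"><script>alert(document.cookie)</script>'];

echo 'vulnerable: ' . render_edit_form_vulnerable($crafted) . PHP_EOL;
echo 'hardened:   ' . render_edit_form_hardened($crafted) . PHP_EOL;
```

Running the file shows the vulnerable form emitting a closed `<input>` followed by a live `<script>` element, while the hardened form emits `value="0"`: the non-numeric payload collapses to zero under `absint()` before `esc_attr()` is even reached. The same two-step treatment (type validation, then context-appropriate output escaping) applies to the “poly_id” parameter in WP Google Maps and to any other value a plugin reflects into a wp-admin page.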

Solution: Install the latest version 6.0.27 from the manufacturer.

Link: https://www.htbridge.com/advisory/HTB23236

3. Cross-site scripting in WordPress WooCommerce

Danger level: Low
Availability of corrections: Yes
Quantity of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVE ID: CVE-2014-6313

Vector of operation: Remote
Impact: Cross-site scripting

Affected products: WordPress WooCommerce Plugin 2.x
Affected versions: WordPress WooCommerce versions before 2.2.3

Description:
A cross-site scripting vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML.

The affected parameter is not specified in the public advisories; the dxw advisory linked below describes the issue as a reflected XSS. It can be exploited via a specially crafted link to execute arbitrary script code in a user’s browser session in the context of the affected site, and, as the dxw advisory title notes, when the victim is an administrator this lets the attacker do almost anything that administrator can do.

Solution: Install the latest version 2.2.3 from the manufacturer.

Links:
https://wordpress.org/plugins/woocommerce/changelog/
https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/


Manufacturer URLs:
http://maxfoundry.com/
http://www.wpgmaps.com/
http://wordpress.org/plugins/woocommerce/
