The latest vulnerabilities in WordPress plugins (December 28, 2014)

Posted: December 28, 2014 in Vulnerabilities

Here are three vulnerabilities found in plugins for the WordPress content management system: disclosure of sensitive data in XCloner, SQL injection in the WP Symposium plugin, and cross-site scripting (CSRF attack) in the W3 Total Cache plugin.

1. Disclosure of sensitive data in WordPress XCloner

Severity: Low
Fix available: No
Number of vulnerabilities: 1
CVSSv2 rating: (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:C) = Base: 2.1 / Temporal: 1.8

Attack vector: Local
Impact: Arbitrary command execution, Disclosure of sensitive data

Affected products: WordPress XCloner Plugin 3.x
Affected versions: WordPress XCloner 3.1.1, possibly other versions

Description:
The vulnerability could allow a local user to gain access to sensitive data.

The vulnerability exists because the plugin passes the database user credentials to the mysqldump process as command-line parameters, where other local users can read them. This can be exploited to obtain another user's credentials.

Vendor URL: http://wordpress.org/extend/plugins/xcloner-backup-and-restore/

Solution: No fix has been released at this time.

References: http://seclists.org/fulldisclosure/2014/Nov/8
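The weakness above is that anything placed in a process's argument list is readable by other local users through the process table. The added example below is not XCloner's code: it flags command lines that carry a MySQL password inline (the `--password=` and glued `-p` forms), and builds a mysqldump invocation that keeps the password in a 0600 option file passed via `--defaults-extra-file` instead. The sample process list is constructed for the example.

```python
"""Added example, not XCloner's code: spot database passwords exposed on a
process command line, and build a mysqldump invocation that keeps the password
out of argv by passing a private option file with --defaults-extra-file."""
import contextlib
import os
import re
import shlex
import stat
import tempfile

# Constructed sample of `ps -eo args` output; not captured from a real host.
SAMPLE_PROCESS_LIST = [
    "/usr/bin/mysqldump --user=wp_backup --password=S3cretPa55 wordpress",
    "/usr/bin/mysqldump -u wp_backup -pS3cretPa55 --single-transaction wordpress",
    "/usr/bin/mysqldump --defaults-extra-file=/tmp/dump-a1b2.cnf wordpress",
    "php-fpm: pool www",
]

# Argument shapes that carry the secret inline (mysql client option syntax).
_INLINE_PASSWORD = (
    re.compile(r"^--password=."),  # --password=secret
    re.compile(r"^-p."),           # -psecret (value glued to the short flag)
)


def find_credential_leaks(cmdlines):
    """Return every command line whose arguments embed a password."""
    leaks = []
    for line in cmdlines:
        args = shlex.split(line)[1:]  # skip the program path itself
        if any(pat.match(a) for a in args for pat in _INLINE_PASSWORD):
            leaks.append(line)
    return leaks


def option_file_is_private(path):
    """True when only the owner can read or write the option file."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


@contextlib.contextmanager
def mysqldump_argv(user, password, database):
    """Yield (argv, option_file) for a dump whose argv never shows the password.

    The credentials go into a 0600 temp file in MySQL option-file format; the
    file is removed when the block exits, so run mysqldump inside the block.
    """
    fd, path = tempfile.mkstemp(prefix="dump-", suffix=".cnf")
    try:
        # Option-file values are double-quoted with backslash escaping.
        escaped = password.replace("\\", "\\\\").replace('"', '\\"')
        with os.fdopen(fd, "w") as fh:
            fh.write(f'[client]\nuser={user}\npassword="{escaped}"\n')
        os.chmod(path, 0o600)  # mkstemp already does this; made explicit
        # --defaults-extra-file must be the first option on the command line.
        argv = ["mysqldump", f"--defaults-extra-file={path}",
                "--single-transaction", database]
        yield argv, path
    finally:
        os.remove(path)


if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_PROCESS_LIST):
        print("password visible in argv:", leak)
    with mysqldump_argv("wp_backup", "S3cretPa55", "wordpress") as (argv, cnf):
        print("safe argv:", " ".join(argv),
              "| option file private:", option_file_is_private(cnf))
```

Run `find_credential_leaks` over real `ps -eo args` output to audit a host for the same pattern in any backup or cron job; the context manager shows the shape a backup plugin should use, with the option file created and deleted around the single mysqldump call.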

2. SQL injection in WordPress WP Symposium Plugin

Severity: Low
Fix available: No
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:C) = Base: 5 / Temporal: 4.3

Attack vector: Remote
Impact: SQL injection, Unauthorized modification of data

Affected products: WordPress WP Symposium Plugin
Affected versions: WordPress WP Symposium Plugin 14.12, possibly earlier versions

Description:
The vulnerability allows a remote user to perform SQL injection attacks.

The vulnerability exists due to insufficient sanitization of the "post" GET parameter in the script wp-symposium/ajax/mail_functions.php (when the "action" parameter is "getMailMessage" and "mid" is a valid message identifier). This can be exploited to execute arbitrary SQL commands against the application database.

Vendor URL: http://wordpress.org/extend/plugins/wp-symposium/

Solution: No fix has been released at this time.

References: http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
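The root cause named above, a request parameter reaching the query as SQL text, is shown in the added example below; it is not WP Symposium's code, and the mail table, its `post_id` column and the sample rows are constructed for the example. The vulnerable function interpolates the `mid` and `post` values the way the advisory describes; the hardened one validates both as plain decimal identifiers (a strict form of WordPress's `absint()`) and binds them as query parameters, and the handler turns a rejected value into a 400 instead of a query.

```python
"""Added example, not WP Symposium's code: a message lookup keyed by the
`mid` and `post` identifiers, written once with the raw request values
interpolated into SQL and once with strict validation plus parameter binding."""
import re
import sqlite3

# Only a short, non-negative decimal integer is an acceptable identifier.
_DECIMAL_ID = re.compile(r"^[0-9]{1,10}$")


def make_sample_db():
    """Constructed in-memory stand-in for the plugin's mail table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail (mid INTEGER PRIMARY KEY, post_id INTEGER, "
                 "owner_id INTEGER, subject TEXT)")
    conn.executemany("INSERT INTO mail VALUES (?, ?, ?, ?)", [
        (1, 100, 10, "hello"),
        (2, 100, 10, "invoice"),
        (3, 200, 11, "private note"),  # belongs to a different user
    ])
    return conn


def get_mail_vulnerable(conn, owner_id, mid_param, post_param):
    """Builds the query by string interpolation: the bug class in the advisory."""
    sql = (f"SELECT mid, subject FROM mail WHERE owner_id = {owner_id} "
           f"AND mid = {mid_param} AND post_id = {post_param}")
    return conn.execute(sql).fetchall()


def is_valid_id(value):
    """Accept only a decimal identifier; anything else is rejected, not cleaned."""
    return isinstance(value, str) and _DECIMAL_ID.match(value) is not None


def get_mail_hardened(conn, owner_id, mid_param, post_param):
    """Validates both identifiers, then binds them; the DB never parses them as SQL."""
    for value in (mid_param, post_param):
        if not is_valid_id(value):
            raise ValueError(f"invalid identifier: {value!r}")
    sql = ("SELECT mid, subject FROM mail WHERE owner_id = ? "
           "AND mid = ? AND post_id = ?")
    return conn.execute(sql, (owner_id, int(mid_param), int(post_param))).fetchall()


def handle_get_mail(conn, owner_id, params):
    """AJAX-style entry point: returns (http_status, rows) for the request params."""
    if params.get("action") != "getMailMessage":
        return 404, []
    try:
        rows = get_mail_hardened(conn, owner_id,
                                 params.get("mid", ""), params.get("post", ""))
    except ValueError:
        return 400, []
    return 200, rows


if __name__ == "__main__":
    db = make_sample_db()
    crafted = "100 OR 1=1"  # constructed value that widens the WHERE clause
    print("vulnerable:", get_mail_vulnerable(db, 10, "2", crafted))
    print("hardened:  ", handle_get_mail(db, 10, {"action": "getMailMessage",
                                                   "mid": "2", "post": crafted}))
```

The hardened path also keeps the `owner_id` predicate bound to the logged-in user, so even a valid identifier only returns that user's own messages.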

3. Cross-site scripting (CSRF attack) in WordPress W3 Total Cache Plugin

Severity: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) = Base: 4.3 / Temporal: 3.2

Attack vector: Remote
Impact: Cross-site scripting, CSRF attack

Affected products: WordPress W3 Total Cache Plugin 0.x
Affected versions: WordPress W3 Total Cache Plugin up to 0.9.4.1

Description:
The vulnerability allows a remote user to perform a CSRF attack (XSS attack).

The vulnerability is caused by insufficient authentication of HTTP requests. This can be exploited via a specially crafted link to carry out a CSRF attack and perform certain actions if a victim with administrative privileges visits a malicious web site.

Vendor URL: http://wordpress.org/extend/plugins/w3-total-cache/

Solution: Install the fix from the vendor.

References: https://wordpress.org/plugins/w3-total-cache/changelog/
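"Insufficient authentication of HTTP requests" here means a state-changing admin action was accepted without proof that the request came from the plugin's own admin page, so a link on a third-party site could trigger it in the victim's browser. The added example below is not W3 Total Cache's or WordPress's code; it models the WordPress nonce scheme (an HMAC over action, user and a 12-hour tick, accepted for the current and previous tick) and a request gate that rejects the forged GET link and a forged POST without a token. The site secret, the `flush_cache` action name and the timestamp are constructed values.

```python
"""Added example, not W3 Total Cache's or WordPress's code: a request-forgery
check modelled on WordPress nonces. A token bound to the action, the user and
a time window must accompany every state-changing admin request, so a link
forged by a third-party site cannot carry a valid one."""
import hashlib
import hmac
import time

# Assumption: a per-site secret loaded from configuration (constructed value).
SITE_SECRET = b"constructed-example-secret-not-for-real-use"
TICK_SECONDS = 12 * 3600  # a token is accepted for the current and previous tick


def _tick(now):
    return int(now // TICK_SECONDS)


def _token(action, user_id, tick):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(action, user_id, now=None):
    """Token the admin page embeds in its own forms and action links."""
    now = time.time() if now is None else now
    return _token(action, user_id, _tick(now))


def verify_nonce(nonce, action, user_id, now=None):
    """True only for a token minted for this action and user within ~24 hours."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    now = time.time() if now is None else now
    tick = _tick(now)
    return any(hmac.compare_digest(nonce, _token(action, user_id, t))
               for t in (tick, tick - 1))


def handle_admin_action(request, current_user_id, is_admin, now=None):
    """Gate for a settings or cache action; request = {"method": ..., "params": {...}}.

    Returns (http_status, message). The capability check alone does not stop
    CSRF, because the victim really is an admin; the nonce check is what does.
    """
    params = request.get("params", {})
    action = params.get("action", "")
    if not is_admin:
        return 403, "insufficient privileges"
    if request.get("method") != "POST":
        return 405, "state-changing actions must be submitted with POST"
    if not verify_nonce(params.get("_wpnonce", ""), action, current_user_id, now):
        return 403, "missing, invalid or expired nonce"
    return 200, f"performed {action}"


if __name__ == "__main__":
    admin_id = 1
    # Constructed: a request built by the plugin's own page carries the token.
    legit = {"method": "POST", "params": {
        "action": "flush_cache", "_wpnonce": make_nonce("flush_cache", admin_id)}}
    # Constructed: what a link on another site can produce (no token).
    forged = {"method": "GET", "params": {"action": "flush_cache"}}
    print("legitimate:", handle_admin_action(legit, admin_id, True))
    print("forged link:", handle_admin_action(forged, admin_id, True))
```

In WordPress itself the same gate is `check_admin_referer()` / `wp_verify_nonce()` on the handler side and `wp_nonce_field()` / `wp_nonce_url()` on the page side; the point to check when reviewing a plugin is that every handler reachable with admin cookies calls one of the verify functions before acting.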
