Three vulnerabilities have been found in plugins for the WordPress content management system: disclosure of sensitive data in XCloner, SQL injection in the WP Symposium Plugin, and cross-site scripting (CSRF attack) in the W3 Total Cache Plugin.
1. Disclosure of sensitive data in WordPress XCloner
Danger level: Low
Fix available: No
Number of vulnerabilities: 1
CVSSv2 rating: (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:C) = Base: 2.1 / Temporal: 1.8
Attack vector: Local
Impact: Arbitrary command execution, Disclosure of sensitive data
Affected products: WordPress XCloner Plugin 3.x
Affected versions: WordPress XCloner 3.1.1, possibly other versions
Description:
The vulnerability could allow a local user to gain access to sensitive data.
The vulnerability exists because the application exposes user credentials through the command-line parameters of the “mysqldump” process. This can be exploited to disclose the credentials of another user.
Vendor URL: http://wordpress.org/extend/plugins/xcloner-backup-and-restore/
Solution: No fix has been released at this time.
References: http://seclists.org/fulldisclosure/2014/Nov/8
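For the XCloner issue above, an added example (not code from the advisory or the plugin): a Python check that flags MySQL client processes carrying a password in their arguments, run over constructed `ps` lines, together with a builder for a mysqldump invocation that reads credentials from an owner-only option file through `--defaults-extra-file`. The function names, sample process lines and credentials are assumptions made for illustration.

```python
import os
import re
import tempfile

# Password-bearing MySQL client arguments: -pSECRET or --password=SECRET
_PW_ARG = re.compile(r"^(?:-p.+|--password=.+)$")
_MYSQL_TOOLS = {"mysqldump", "mysql", "mysqladmin"}

# Constructed sample in "PID COMMAND" form (as from `ps -eo pid,args`)
SAMPLE_PS = [
    "  PID COMMAND",
    " 4121 mysqldump -h localhost -u wp_user -pS3cretPw wordpress",
    " 4122 mysqldump --defaults-extra-file=/tmp/dump-abc.cnf wordpress",
    " 4123 /usr/bin/mysql --user=wp_user --password=S3cretPw wordpress",
    " 4124 php-fpm: pool www",
]


def find_exposed_passwords(ps_lines):
    """Return (pid, tool) for processes whose arguments contain a password."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        tool = os.path.basename(parts[1])
        if tool in _MYSQL_TOOLS and any(_PW_ARG.match(a) for a in parts[2:]):
            hits.append((int(parts[0]), tool))
    return hits


def safe_dump_command(user, password, database, host="localhost"):
    """Build a mysqldump argv that takes credentials from a 0600 option file."""
    if any(c in password for c in '"\n\r'):
        raise ValueError("password needs escaping this example does not do")
    fd, path = tempfile.mkstemp(prefix="dump-", suffix=".cnf")  # mode 0600
    with os.fdopen(fd, "w") as f:
        f.write('[client]\nuser=%s\nhost=%s\npassword="%s"\n'
                % (user, host, password.replace("\\", "\\\\")))
    # --defaults-extra-file has to be the first option on the command line
    return ["mysqldump", "--defaults-extra-file=" + path, database], path


if __name__ == "__main__":
    print(find_exposed_passwords(SAMPLE_PS))
    argv, cnf = safe_dump_command("wp_user", "S3cretPw", "wordpress")
    print(argv)
    os.remove(cnf)  # the caller deletes the option file after the dump
```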
2. SQL injection in WordPress WP Symposium Plugin
Danger level: Low
Fix available: No
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:C) = Base: 5 / Temporal: 4.3
Attack vector: Remote
Impact: SQL injection, Unauthorized modification of data
Affected products: WordPress WP Symposium Plugin
Affected versions: WordPress WP Symposium Plugin 14.12, possibly earlier versions
Description:
The vulnerability allows a remote user to perform SQL injection.
The vulnerability exists due to insufficient processing of input data in the GET parameter “post” in the script wp-symposium/ajax/mail_functions.php (when the parameter “action” is “getMailMessage” and “mid” is set to a valid message identifier). This can be exploited to execute arbitrary SQL commands in the application database.
Vendor URL: http://wordpress.org/extend/plugins/wp-symposium/
Solution: No fix has been released at this time.
References: http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
3. Cross-site scripting (CSRF attack) in WordPress W3 Total Cache Plugin
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) = Base: 4.3 / Temporal: 3.2
Attack vector: Remote
Impact: Cross-site scripting, CSRF attack
Affected products: WordPress W3 Total Cache Plugin 0.x
Affected versions: WordPress W3 Total Cache Plugin to 0.9.4.1
Description:
The vulnerability allows a remote user to carry out a CSRF attack (XSS attack).
The vulnerability is caused by insufficient verification of the authenticity of HTTP requests. A specially crafted link can be used to carry out a CSRF attack and perform certain actions if a victim with administrative privileges visits a malicious website.
Vendor URL: http://wordpress.org/extend/plugins/w3-total-cache/
Solution: Install the fix from the vendor.
References: https://wordpress.org/plugins/w3-total-cache/changelog/