WordPress Third-Party Plugins and Themes Multiple Vulnerabilities


Description   Multiple vulnerabilities have been reported in multiple third-party plugins and themes for WordPress:
- Another WordPress Classifieds: cross-site scripting
- Another WordPress Classifieds: time-based blind SQL injection via the POST parameter "keywordphrase" with a "page_id" GET parameter
- Contact Form Clean and Simple: cross-site scripting via the parameter "cscf[name]" of the web page "contact-us/" (CVE-2014-8955)
- WP-DB-Backup: vulnerability allowing the download of a database backup
- SupportEzzy: cross-site scripting (CVE-2014-9179)
- CM Download Manager: arbitrary code injection via the parameter "CMDsearch" of the page "cmdownloads/" (CVE-2014-8877)
- WP-Statistics: stored cross-site scripting
- SP Client Document Manager: several SQL injections via several parameters: "vendor_email" of the page "ajax.php?function=email-vendor", "id" of the page "/ajax.php?function=download-project", "id" of the page "ajax.php?function=download-archive" and "id" of the page "ajax.php?function=remove-category"
- YourMembers: SQL injection via the parameter "ym_download_id"

Proofs of concept are available, except for the WP-Statistics plugin.

Exploit code is available for the vulnerability affecting the WP-DB-Backup plugin.
Updated, 13/11/2015:
Detection code is available for the CVE-2014-8877 vulnerability.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress) - 1.5, 1.5.1.1, 2.0, 2.0.1, 2.0.3, ..., 3.9, 3.9.1, 3.9.2, 3.9.3,
     
Solution   Version 2.4.4 of the plugin SP Client Document Manager fixes vulnerabilities affecting it.
     
CVE   CVE-2014-9179
CVE-2014-8955
CVE-2014-8877
     
References   - PacketStormSecurity : Another WordPress Classifieds Cross Site Scripting / SQL Injection
http://packetstormsecurity.com/files/129035/wpawpclassifieds-sqlxss.txt
- WordPress : Contact Form Clean and Simple 4.4.0
https://wordpress.org/plugins/clean-and-simple-contact-form-by-meg-nicholas/changelog/
- oss-sec : Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability
http://seclists.org/oss-sec/2014/q4/657
- oss-sec : CVE-2014-8877 - Code Injection in Wordpress CM Download Manager plugin
http://seclists.org/bugtraq/2014/Nov/103
- Sucuri : WP-Statistics WordPress Plugin
http://blog.sucuri.net/2014/11/security-advisory-high-severity-wp-statistics-wordpress-plugin.html
- Cminds : CM Download Manager Free Edition Changelog
https://downloadsmanager.cminds.com/cm-download-manager-free-edition-release-notes/
- WordPress : SP Project & Document Manager 2.4.4
https://wordpress.org/plugins/sp-client-document-manager/changelog/
- nmap : File http-vuln-cve2014-8877
https://nmap.org/nsedoc/scripts/http-vuln-cve2014-8877.html
     
Vulnerability Manager Detection   No
     
IPS Protection  
| ASQ Engine alarm | Available Since |
|---|---|
| XSS - Prevention - GET : suspicious 'iframe' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'meta' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious tag with event found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'applet' tag found in URL | 3.2.0 |
| XSS - Phishing : suspicious 'div' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'style' attribute found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'img' tag found in URL | 3.2.0 |
| XSS - Phishing : suspicious 'a' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : cookie access attempt using script language found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'embed' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'object' tag found in URL | 3.2.0 |
| XSS - Phishing : suspicious 'form' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : javascript code found in URL | 3.2.0 |
| XSS - Prevention - GET : evasion attempt using tag characters encoding in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'style' tag found in URL | 3.2.0 |
| XSS - Phishing : suspicious 'link' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : 'script' tag found in URL | 3.2.0 |
| XSS - Prevention - GET : 'location' javascript object found in URL | 3.2.0 |
| XSS - Prevention - GET : suspicious 'div' tag found in URL | 3.2.0 |
| SQL injection Prevention - POST : suspicious UPDATE statement in data | 5.0.0 |
| Attempt to access to SQL backup folder | 5.0.0 |
| SQL injection Prevention - POST : suspicious SELECT statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious DECLARE statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious OPENROWSET statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious OPENQUERY statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious CAST statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious EXEC statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious CREATE statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious INSERT statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious DROP statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious HAVING statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious UNION statement in data | 5.0.0 |
| SQL injection Prevention - POST : suspicious OR statement in data | 5.0.0 |
| SQL injection Prevention - POST : possible version probing in data | 5.0.0 |
| Code Injection in Wordpress CM Download Manager plugin | 5.0.0 |
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2014-11-22

Target Type   Server

Possible exploit   Remote