Wordpress Multiple Third Party Plugins Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in plugins for WordPress:
- Slimstat: cross-site scripting
- Statistics: SQL injection
- Flash Player: several cross-site scripting vulnerabilities in the POST parameters "plfilter" and "search" of the "wp-admin/admin.php?page=hdflv" page
- Unite Gallery Lite: cross-site request forgery and SQL injection via the "data[galleryID]" parameter of "wp-admin/admin-ajax.php", as well as the "galleryid" and "id" parameters of "wp-admin/admin.php"
- Music Store: open redirect via the HTTP Referer header sent to "ms-core/ms-submit.php"
- Welcart e-Commerce: cross-site scripting in the product list management screen (CVE-2015-2973)
- Welcart e-Commerce: SQL injection in the order list management screen
- Flickr Justified Gallery: cross-site scripting in the POST parameter "fjgwpp_userID" of the "wp-admin/options-general.php?page=fjgwpp.php" page
- Hide My WP: stored cross-site scripting
- qTranslate: cross-site scripting via the "edit" parameter of the "/wp-admin/options-general.php" page
- The Holiday Calendar: cross-site scripting via the "thc-month" parameter
Proofs of concept are available.
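The bug classes listed above (CSRF and SQL injection in an admin-ajax.php handler, reflected XSS in a POST parameter, and a Referer-driven redirect) each map onto a standard WordPress hardening step. The handler below is an added illustration written for this page, not code from any of the plugins named; the hook, function and table names (hyp_gallery_*, wp_hyp_galleries) are hypothetical, and only documented WordPress core APIs are used.

```php
<?php
// Added example: a hardened admin-ajax.php handler for a hypothetical
// gallery plugin. All hyp_* names and the table name are invented.

add_action( 'wp_ajax_hyp_gallery_list', 'hyp_gallery_list_handler' );

function hyp_gallery_list_handler() {
    global $wpdb;

    // CSRF: the request must carry a nonce bound to this action, and the
    // logged-in user must hold a capability that actually permits it.
    check_ajax_referer( 'hyp_gallery_list', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // SQL injection: coerce data[galleryID] to an integer and bind it with
    // prepare() instead of interpolating the raw POST value into the query.
    $gallery_id = isset( $_POST['data']['galleryID'] ) ? absint( $_POST['data']['galleryID'] ) : 0;
    $table      = $wpdb->prefix . 'hyp_galleries';
    $rows       = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $gallery_id ),
        ARRAY_A
    );

    // Reflected XSS: a search string echoed back into the page is escaped
    // for the context it lands in (HTML text here) rather than printed raw.
    $filter = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    $html   = '<p>Results for: ' . esc_html( $filter ) . '</p>';

    wp_send_json_success( array( 'rows' => $rows, 'html' => $html ) );
}

// Open redirect: never send the browser to the Referer (or any other
// client-supplied URL) unchecked. wp_safe_redirect() refuses locations whose
// host is not on the allowed redirect host list and falls back to the admin
// URL, so an attacker-controlled Referer cannot steer the user off-site.
function hyp_after_submit_redirect() {
    $back = wp_get_referer(); // false when no usable referer is present
    if ( ! $back ) {
        $back = admin_url( 'admin.php?page=hyp_gallery' );
    }
    wp_safe_redirect( $back );
    exit;
}
```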
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress)
     
Solution   Version 1.11.3 of "The Holiday Calendar" fixes the vulnerability impacting it.
     
CVE   CVE-2015-2973
     
References
- WPVulnDB : WP Slimstat <= 4.1.5.2 - Referer Header Cross-Site Scripting (XSS)
  https://wpvulndb.com/vulnerabilities/8117
- WPVulnDB : WP Statistics <= 9.4 - SQL Injection
  https://wpvulndb.com/vulnerabilities/8116
- netsparker : Multiple XSS Vulnerabilities in WP Flash Player 1.3
  https://www.netsparker.com/ns-15-009-multiple-xss-vulnerabilities-identified-in-wp-flash-player/
- FullDisclosure : Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite Wordpress Plugin v1.4.6
  http://seclists.org/fulldisclosure/2015/Jul/114
- MusicStore : Open Redirect Vulnerability in Music Store Wordpress Plugin v1.0.14
  http://seclists.org/fulldisclosure/2015/Jul/113
- WPVulnDB : Welcart e-Commerce <= 1.4.17 - Multiple Vulnerabilities
  https://wpvulndb.com/vulnerabilities/8114
- dxwsecurity : Reflected XSS in Flickr Justified Gallery could allows unauthenticated attackers to do almost anything an admin can do
  https://security.dxw.com/advisories/reflected-xss-in-flickr-justified-gallery-could-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can-do/
- WPVulnDB : Hide My WP <= 4.51.1 - Stored Cross-Site Scripting (XSS)
  https://wpvulndb.com/vulnerabilities/8119
- BugTraq : Cross-Site Scripting (XSS) in qTranslate WordPress Plugin
  http://seclists.org/bugtraq/2015/Jul/139
- FullDisclosure : Fwd: CVE_for_Vulnerability_theholidaycalendar
  http://seclists.org/fulldisclosure/2015/Jul/125
- Wordpress : Changeset 1212155
  https://plugins.trac.wordpress.org/changeset/1212155
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                                          Available Since
------------------------------------------------------------------------  ---------------
XSS - Prevention - POST : 'script' tag found in data                      3.2.0 / 5.0.0
XSS - Prevention - POST : javascript code found in data                   3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious tag with event found in data         3.2.0 / 5.0.0
XSS - Prevention - POST : 'location' javascript object found in data      3.2.0 / 5.0.0
XSS - Prevention - POST : code allowing cookie access found in data       3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data           3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data           3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data            3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data           3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data             3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'style' tag found in data            3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data              3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data      3.2.0 / 5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data        3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious SELECT statement in data     3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious UNION statement in data      3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious OR statement in data         3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious HAVING statement in data     3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious CAST statement in data       3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious INSERT statement in data     3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious UPDATE statement in data     3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious CREATE statement in data     3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious DROP statement in data       3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious DECLARE statement in data    3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious EXEC statement in data       3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data  3.2.0 / 5.0.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data 3.2.0 / 5.0.0
SQL injection Prevention - POST : possible version probing in data        3.2.0 / 5.0.0

Risk level   Moderate

Vulnerability First Public Report Date   2015-07-29

Target Type   Server

Possible exploit   Remote