WordPress Third-Party Plugins: Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in third-party plugins for WordPress:
- MailPoet Newsletters: reflected cross-site scripting
- InfiniteWP Admin Panel (IWPAdminPanel): command injection and authorization bypass
- WooCommerce: persistent (stored) cross-site scripting
- Meteogalicia WordPress Widget: local file inclusion (local file disclosure)
- Image Export: local file inclusion (local file disclosure)
- Cherry Plugin: arbitrary file upload

Proof-of-concept code is publicly available for these issues (see References).
     
Vulnerable Products   Vulnerable software: third-party plugins running on WordPress (MailPoet Newsletters, InfiniteWP Admin Panel, WooCommerce, Meteogalicia WordPress Widget, Image Export, Cherry Plugin). The flaws lie in the plugins, not in WordPress core itself.
     
Solution   - WooCommerce: upgrade to version 2.6.4. No fixed version is listed for the other plugins.
     
CVE  
     
References   - Full Disclosure: Persistent Cross-Site Scripting in Woocommerce WordPress plugin
  http://seclists.org/fulldisclosure/2016/Sep/20
- CXSecurity: Image Export WordPress Plugin - Local File Disclosure
  https://cxsecurity.com/issue/WLB-2016090075
- CXSecurity: Meteogalicia Wordpress Widget - Local File Disclosure
  https://cxsecurity.com/issue/WLB-2016090077
- Full Disclosure: Command injection in InfiniteWP Admin Panel
  http://seclists.org/fulldisclosure/2016/Sep/18
- Full Disclosure: Authorization bypass in InfiniteWP Admin Panel
  http://seclists.org/fulldisclosure/2016/Sep/19
- 0day.today: WordPress Cherry Plugin - Arbitrary File Upload Vulnerability
  http://0day.today/exploits/25408
- Full Disclosure: Reflected Cross-Site Scripting vulnerability in MailPoet Newsletters plugin
  http://seclists.org/fulldisclosure/2016/Sep/17
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ engine alarm                                                   Available since
                 Directory traversal                                                3.2.0
                 Misc : Local File Inclusion - suspicious /etc/passwd found in URL  3.5.0
                 Upload of a PHP file in a vulnerable web application               5.0.0
                 InfiniteWP admin panel Authorization bypass                        5.0.0
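As an added example (not from this advisory and not the IPS vendor's code), the following Python script applies the three generic alarm categories from the table above (directory traversal, /etc/passwd in the URL, PHP file upload) to web-server access-log lines. The log lines, plugin paths and parameter names are constructed for illustration and do not describe any real plugin; the matching rules are this example's own, not the ASQ engine's.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Alarm names copied from the IPS table in the advisory. The table only names
# the alarms; the matching logic below is this example's own.
ALARM_TRAVERSAL = "Directory traversal"
ALARM_LFI = "Misc : Local File Inclusion - suspicious /etc/passwd found in URL"
ALARM_PHP_UPLOAD = "Upload of a PHP file in a vulnerable web application"

# Constructed sample lines in Apache combined-log style (not real traffic).
# Plugin paths and parameter names are hypothetical.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Sep/2016:12:00:01 +0000] "GET /wp-content/plugins/example-export/download.php?file=../../../../etc/passwd HTTP/1.1" 200 1337',
    '10.0.0.6 - - [10/Sep/2016:12:00:02 +0000] "GET /wp-content/plugins/example-widget/view.php?lang=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1337',
    '10.0.0.7 - - [10/Sep/2016:12:00:03 +0000] "POST /wp-content/plugins/example-upload/upload.php?filename=shell.php HTTP/1.1" 200 42',
    '10.0.0.8 - - [10/Sep/2016:12:00:04 +0000] "GET /wp-content/plugins/woocommerce/assets/css/woocommerce.css HTTP/1.1" 200 9000',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions a typical PHP handler configuration will execute; extend to match
# the server being protected.
PHP_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar)$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target, rounds=2):
    """Percent-decode the request target a bounded number of times so that
    single- and double-encoded traversal sequences are both normalised."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(line):
    """Return the alarm names that fire for one log line (empty list if none)."""
    fields = parse_line(line)
    if fields is None:
        return []
    target = decode_target(fields["target"])
    alarms = []
    # Directory traversal: a dot-dot path segment anywhere in the decoded target.
    if re.search(r'\.\.[/\\]', target):
        alarms.append(ALARM_TRAVERSAL)
    # LFI indicator: the canonical proof-of-concept file name inside the URL.
    if "/etc/passwd" in target.lower():
        alarms.append(ALARM_LFI)
    # PHP upload: a write request whose query names a file with a PHP-executed
    # extension. Access logs carry no multipart body, so this only sees what
    # leaks into the URL; an inline IPS inspects the body itself.
    if fields["method"] in ("POST", "PUT"):
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if PHP_EXT_RE.search(value):
                alarms.append(ALARM_PHP_UPLOAD)
                break
    return alarms


def scan(lines):
    """Return [(source_ip, [alarms])] for every line that raised an alarm."""
    hits = []
    for line in lines:
        alarms = classify(line)
        if alarms:
            hits.append((parse_line(line)["src"], alarms))
    return hits


if __name__ == "__main__":
    for src, alarms in scan(SAMPLE_LOGS):
        print(src, "->", "; ".join(alarms))
```

The double decode is bounded on purpose: unbounded decoding lets an attacker force the detector to spend effort and can produce false positives on legitimately encoded data. The InfiniteWP authorization-bypass alarm is not modelled here because the advisory gives no request detail to match on.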
     
Risk level   High

Vulnerability First Public Report Date   2016-09-10

Target Type   Client + Server

Possible exploit   Remote