WordPress Third-Party Modules Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in plugins for WordPress:
- Booking Calendar: cross-site scripting and SQL injection
- WangGuard: cross-site scripting
- Contact Bank: cross-site scripting
- ALO EasyMail Newsletter: cross-site request forgery
- WP Live Chat Support: stored cross-site scripting
- Yoast SEO (versions up to and including 3.4.0): authenticated stored cross-site scripting
- Uji Countdown: cross-site scripting
- Nofollow Links (versions up to and including 1.0.10): cross-site scripting

Proofs of concept are available.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress) -
     
Solution   - Nofollow Links: upgrade to 1.0.11. No fixed version is listed here for the other plugins; see the referenced advisories.
     
CVE  
     
References   - SumofPwn : SQL injection vulnerability in Booking Calendar WordPress Plugin
https://sumofpwn.nl/advisory/2016/sql_injection_vulnerability_in_booking_calendar_wordpress_plugin.html
- SumofPwn : Cross-Site Scripting in WangGuard WordPress Plugin
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_wangguard_wordpress_plugin.html
- SumofPwn : Cross-Site Scripting in Contact Bank WordPress Plugin
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_contact_bank_wordpress_plugin.html
- SumofPwn : Cross-Site Request Forgery in ALO EasyMail Newsletter WordPress Plugin
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_alo_easymail_newsletter_wordpress_plugin.html
- SumofPwn : Stored Cross-Site Scripting vulnerability in WP Live Chat Support WordPress Plugin
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_wp_live_chat_support_wordpress_plugin.html
- WPVulnDB : Yoast SEO <= 3.4.0 - Authenticated Stored Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8583
- SumofPwn : Cross-Site Scripting in Uji Countdown WordPress Plugin
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_uji_countdown_wordpress_plugin.html
- WPVulnDB : Nofollow Links <= 1.0.10 - Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8580
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                                            Available Since
XSS - Prevention - POST : suspicious 'meta' tag found in data               3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data          3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data              5.0.0
XSS - Prevention - POST : javascript code found in data                     5.0.0
XSS - Prevention - POST : suspicious tag with event found in data           5.0.0
SQL injection Prevention - POST : suspicious UPDATE statement in data       5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data              5.0.0
SQL injection Prevention - POST : suspicious SELECT statement in data       5.0.0
XSS - Prevention - POST : 'location' javascript object found in data        5.0.0
SQL injection Prevention - POST : suspicious DECLARE statement in data      5.0.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data   5.0.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data    5.0.0
XSS - Prevention - POST : code allowing cookie access found in data         5.0.0
SQL injection Prevention - POST : suspicious CAST statement in data         5.0.0
SQL injection Prevention - POST : suspicious EXEC statement in data         5.0.0
SQL injection Prevention - POST : suspicious CREATE statement in data       5.0.0
SQL injection Prevention - POST : suspicious INSERT statement in data       5.0.0
XSS - Prevention - POST : 'script' tag found in data                        5.0.0
SQL injection Prevention - POST : suspicious DROP statement in data         5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data        5.0.0
SQL injection Prevention - POST : suspicious HAVING statement in data       5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data             5.0.0
SQL injection Prevention - POST : suspicious UNION statement in data        5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data                5.0.0
SQL injection Prevention - POST : suspicious OR statement in data           5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data          5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data               5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data             5.0.0
SQL injection Prevention - POST : possible version probing in data          5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data             5.0.0
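The alarms in the table above are pattern signatures applied to the decoded contents of POST requests, which is why the same plugin vulnerabilities are covered by several XSS and SQL injection alarms at once. The following Python script is an added illustration of how such alarm classes behave; it is not the ASQ engine's code, the alarm names are copied from the table, the regular expressions are simplified assumptions, and the request bodies are constructed for the example (they are not the proofs of concept from the referenced advisories). It shows which toy signatures fire on a stored-XSS style payload, a UNION-based SQL injection payload, a benign message, and a benign message that nonetheless trips a naive "OR" signature.

```python
import re
from urllib.parse import parse_qs

# Illustrative re-creations of a few alarm classes from the table above.
# The alarm names are copied from the table; the regular expressions are
# assumptions made for this example and are NOT the ASQ engine's signatures.
ALARMS = {
    "XSS - Prevention - POST : 'script' tag found in data":
        re.compile(r"<\s*script\b", re.I),
    "XSS - Prevention - POST : suspicious tag with event found in data":
        re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),
    "XSS - Prevention - POST : code allowing cookie access found in data":
        re.compile(r"document\s*\.\s*cookie", re.I),
    "XSS - Prevention - POST : suspicious 'iframe' tag found in data":
        re.compile(r"<\s*iframe\b", re.I),
    "SQL injection Prevention - POST : suspicious UNION statement in data":
        re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "SQL injection Prevention - POST : suspicious SELECT statement in data":
        re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    "SQL injection Prevention - POST : suspicious OR statement in data":
        re.compile(r"(?:'|\d)\s*or\s+['\d]", re.I),
    "SQL injection Prevention - POST : possible version probing in data":
        re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
}


def inspect_post(body):
    """Decode a form-urlencoded POST body and return {alarm: [fields that tripped it]}.

    Decoding first matters: on the wire the payload is percent-encoded, so a
    signature applied to the raw body would see '%3Cscript%3E', not '<script>'.
    """
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for name, pattern in ALARMS.items():
                if pattern.search(value):
                    hits.setdefault(name, []).append(field)
    return hits


# Constructed request bodies for this example (not taken from any referenced advisory).
XSS_BODY = ("name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"
            "&message=%3Cscript%3Edocument.cookie%3C%2Fscript%3E")
SQLI_BODY = "id=1+UNION+SELECT+1%2C%40%40version+FROM+users&submit=Search"
BENIGN_BODY = "name=Alice&message=Is+the+room+available+on+Saturday%3F"
# Natural language containing "<digit> or <digit>": trips the toy OR signature.
NATURAL_OR_BODY = "name=Bob&message=Can+I+book+2+or+3+nights%3F"


if __name__ == "__main__":
    samples = [("xss", XSS_BODY), ("sqli", SQLI_BODY),
               ("benign", BENIGN_BODY), ("false positive", NATURAL_OR_BODY)]
    for label, body in samples:
        print(f"--- {label}")
        for alarm, fields in inspect_post(body).items():
            print(f"  {alarm}  <- {', '.join(fields)}")
```

The SQL injection body trips three alarms at once (UNION, SELECT and version probing), which matches the layered coverage the table shows for a single request. The last body is the practitioner's caveat: a keyword signature as loose as the toy OR pattern fires on ordinary text, so a real deployment of these alarms needs tuning against the application's legitimate traffic before being switched from alert to block.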
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2016-07-30

Target Type   Client + Server

Possible exploit   Remote