Description
Several vulnerabilities have been identified in third-party plugins for WordPress:

- Easy2Map: directory traversal and local file inclusion through the '$_FILES["csvfile"]['tmp_name']' parameter (CVE-2015-7669)
- Easy2Map: cross-site scripting through the '$_GET["map_id"]' parameter (CVE-2015-7668)
- ResAds: several cross-site scripting vulnerabilities through the '$_REQUEST['page']' parameter (CVE-2015-7667)
- PayPal Pro: several cross-site scripting vulnerabilities through the '$_GET["cal"]' parameter (CVE-2015-7666)
- Appointment Booking Calendar: SQL injection in the 'cpabc_appointments_admin_int_calendar_list.inc.php' file (CVE-2015-7319)
- Ninja Forms: a security bypass allows an attacker to export a CSV file with a malicious macro which could be executed in Microsoft Excel
- Jetpack: stored cross-site scripting
- Jetpack: information disclosure
- Visual Form Builder: cross-site scripting
- Google Analyticator: several cross-site scripting vulnerabilities through the 'ga_adsense', 'ga_admin_disable_DimentionIndex', 'ga_downloads_prefix', 'ga_downloads' and 'ga_outbound_prefix' parameters
- Support Ticket System: SQL injection (CVE-2015-7670)
- u-design: cross-site scripting (CVE-2015-7357)

A proof of concept affecting the "Google Analyticator" plugin is available.