SNS Vulnerability

WordPress Third Party Modules Multiple Vulnerabilities

Description

(#Several vulnerabilities have been identified in third-party plugins for WordPress:#- Contact Form Pro: SQL injection#- Mail Masta WP: local file inclusion#- Zero Spam: blind SQL injection##Proofs of concept are available.)

Vulnerable Products

Vulnerable Software:
WordPress (WordPress) -

Solution

No solution for the moment.

CVE

References

- cxsecurity : Mail Masta WP Local File Inclusion
https://cxsecurity.com/issue/WLB-2016080220
- cxsecurity : Contact Form Pro 2.1.2 WP SQL injection
https://cxsecurity.com/issue/WLB-2016080210
- WPVulnDB : WordPress Zero Spam <= 2.1.1 - Unauthenticated Blind SQL Injection
https://wpvulndb.com/vulnerabilities/8608

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
Directory traversal	3.2.0
Directory traversal backward root folder	3.2.0
Misc : Local File Inclusion - suspicious /etc/passwd found in URL	3.5.0
SQL injection Prevention - POST : suspicious UPDATE statement in data	5.0.0
SQL injection Prevention - POST : suspicious SELECT statement in data	5.0.0
SQL injection Prevention - POST : suspicious DECLARE statement in data	5.0.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data	5.0.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data	5.0.0
SQL injection Prevention - POST : suspicious CAST statement in data	5.0.0
SQL injection Prevention - POST : suspicious EXEC statement in data	5.0.0
SQL injection Prevention - POST : suspicious CREATE statement in data	5.0.0
SQL injection Prevention - POST : suspicious INSERT statement in data	5.0.0
SQL injection Prevention - POST : suspicious DROP statement in data	5.0.0
SQL injection Prevention - POST : suspicious HAVING statement in data	5.0.0
SQL injection Prevention - POST : suspicious UNION statement in data	5.0.0
SQL injection Prevention - POST : suspicious OR statement in data	5.0.0
SQL injection Prevention - POST : possible version probing in data	5.0.0

Risk level

Moderate

Vulnerability First Public Report Date

2016-08-24

Target Type

Server

Possible exploit

Remote