SNS Vulnerability

WordPress Third-Party Plugins Multiple Vulnerabilities

Description

(#Several vulnerabilities have been identified in third-party plugins for WordPress:#- Ultimate Member: security bypass. A remote attacker could exploit it in order to change arbitrary user's password. This vulnerability is located in the "core/um-actions-password.php" script file##- WooCommerce Email Test: order information disclosure##- Twitter Cards Meta: cross-site scripting and cross-site request forgery located in the "/wp-admin/admin.php?page=twitter-cards-meta" setting page##- Social Plug: reflected cross-site scripting in the "dpsp_message_class" paramter##- Multisite Post Duplicator: cross-site request forgery##- Delete All Comments: arbitrary file upload##- Google Analytics Counter Tracker: PHP object injection##- BP Profile Search: PHP object injection##- wpDataTables Lite: authenticated cross-site scripting##- Insert Html Snippet WordPress Plugin: cross-site request forgery##- Image Gallery WordPress Plugin: stored cross-site scripting##- MailChimp: authenticated cross-site scripting.##Proof of concepts are available.)

Vulnerable Products

Vulnerable Software:
WordPress (WordPress) -

Solution

- MailChimp: 4.0.11

CVE

References

- wpvulndb : Ultimate Member <= 1.3.75 - Unauthenticated Change Passwords
https://wpvulndb.com/vulnerabilities/8688
- wpvulndb : WooCommerce Email Test 1.5 - Order Information Disclosure
https://wpvulndb.com/vulnerabilities/8689
- pluginvulnerabilities : Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Twitter Cards Meta
https://www.pluginvulnerabilities.com/2016/12/09/cross-site-request-forgery-csrfcross-site-scripting-xss-vulnerability-in-twitter-cards-meta/
- security.dxw : Reflected XSS in Social Pug ? Easy Social Share Buttons could allow an attacker to do almost anything an admin user can
https://security.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/
- seclists : CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do (WordPress plugin)
http://seclists.org/fulldisclosure/2016/Dec/36
- seclists : [oss-security] Multiple vulnerabilities affecting three WordPress Plugins (XSS, & PHP object injection)
http://seclists.org/oss-sec/2016/q4/652
- wpvulndb : Delete All Comments 2.0 - Unauthenticated Arbitrary File Upload
https://wpvulndb.com/vulnerabilities/8694
- wpvulndb : Google Analytics Counter Tracker <= 3.4.0 - Unauthenticated PHP Object Injection
https://wpvulndb.com/vulnerabilities/8693
- wpvulndb : Multisite Post Duplicator <= 0.9.5.1 - Cross-Site Request Forgery (CSRF)
https://wpvulndb.com/vulnerabilities/8691
- wpvulndb : BP Profile Search <= 4.5.3 - PHP Object Injection
https://wpvulndb.com/vulnerabilities/8690
- pluginvulnerabilities : Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in wpDataTables Lite
https://www.pluginvulnerabilities.com/2016/12/12/authenticated-persistent-cross-site-scripting-xss-vulnerability-in-wpdatatables-lite/
- wpvulndb : MailChimp for WordPress <= 4.0.10 - Authenticated Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8695

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL	3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data	3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL	3.2.0
XSS - Phishing : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL	3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data	3.2.0
XSS - Phishing : suspicious 'a' tag found in URL	3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL	3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL	3.2.0
XSS - Phishing : suspicious 'form' tag found in URL	3.2.0
XSS - Prevention - GET : javascript code found in URL	3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL	3.2.0
XSS - Phishing : suspicious 'link' tag found in URL	3.2.0
XSS - Prevention - GET : 'script' tag found in URL	3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL	3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data	5.0.0
XSS - Prevention - POST : javascript code found in data	5.0.0
XSS - Prevention - POST : suspicious tag with event found in data	5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data	5.0.0
XSS - Prevention - POST : 'location' javascript object found in data	5.0.0
XSS - Prevention - POST : code allowing cookie access found in data	5.0.0
Serialized PHP object in HTTP header	5.0.0
XSS - Prevention - POST : 'script' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data	5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data	5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data	5.0.0

Risk level

High

Vulnerability First Public Report Date

2016-12-09

Target Type

Server

Possible exploit

Remote