WordPress Multiple Third Party Plugins Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in plugins for WordPress:
- sp-client-document-manager: blind SQL injection via the "pid" parameter of the "sp-client-document-manager/ajax.php?function=thumbnails" page
- Backitup: information disclosure allowing a backup file to be retrieved
- Download Manager: stored cross-site scripting in the name of the uploaded file
- mailcwp: remote file upload via the "wp-content/plugins/mailcwp/mailcwp-upload.php" script
- fast-image-adder: remote file upload via the "url" parameter of the "fast-image-adder/fast-image-adder-uploader.php" script
- Mobile Pack: information disclosure allowing access to published private posts
- Portfolio: cross-site request forgery via the "wplw_hashtag" POST parameter of the "wp-admin/options-general.php?page=instagram-portfolio" form
- wptf-image-gallery: remote file download via the "url" parameter of the "wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php" script
- Paid Memberships Pro: several cross-site scripting vulnerabilities (CVE-2015-5532)
- Count Per Day: post-authentication SQL injection exploitable via the "cpd_keep_month" POST parameter of the "wp-admin/options-general.php?page=count-per-day/counter-options.php&tab=tools" page.
Proofs of concept are available.
Exploit code is available for the vulnerability affecting mailcwp.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress)
     
Solution   New versions of the following plugins fix the vulnerabilities impacting them:
- sp-client-document-manager: 2.5.4
- Backitup: 1.9.2
- Download Manager: 2.7.95
- mailcwp: 1.110
- Mobile Pack: 2.1.3
- Portfolio: 1.05
- Paid Memberships Pro: 1.8.4.3
- Count Per Day: 3.4.1
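As an added example that is not part of this advisory, the following Python script checks installed plugin versions against the fixed versions listed above. Plugin names are the advisory's own labels, the plugin header text is constructed, and versions are compared component by component, since a plain string comparison would rank the fixed mailcwp 1.110 below the vulnerable 1.99.

```python
import re

# Fixed versions exactly as given in the advisory's Solution section,
# keyed by the plugin name the advisory uses.
FIXED_VERSIONS = {
    "sp-client-document-manager": "2.5.4",
    "Backitup": "1.9.2",
    "Download Manager": "2.7.95",
    "mailcwp": "1.110",
    "Mobile Pack": "2.1.3",
    "Portfolio": "1.05",
    "Paid Memberships Pro": "1.8.4.3",
    "Count Per Day": "3.4.1",
}

# Matches the "Version:" field of a WordPress plugin main-file header,
# with or without the leading " * " of a block comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '1.110' into (1, 110) so components compare numerically.
    A non-numeric component (e.g. 'beta') counts as 0."""
    parts = []
    for p in version.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_patched(plugin, installed):
    """True when the installed version is at least the advisory's fixed version."""
    fixed, inst = version_key(FIXED_VERSIONS[plugin]), version_key(installed)
    width = max(len(fixed), len(inst))  # pad so 1.8 compares as 1.8.0.0
    return inst + (0,) * (width - len(inst)) >= fixed + (0,) * (width - len(fixed))


def audit(installed):
    """installed: {plugin name: version}. Returns plugins still on a vulnerable version."""
    return sorted(p for p, v in installed.items() if p in FIXED_VERSIONS and not is_patched(p, v))


# Constructed sample header (not real plugin code); 1.99 is the vulnerable
# mailcwp version named in the references.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: MailCWP\nVersion: 1.99\n*/\n"
```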
     
CVE   CVE-2015-5532
     
References
- oss-sec : CVE request: WordPress plugin sp-client-document-manager Blind SQL Injection
  http://seclists.org/oss-sec/2015/q3/124
- WordPress : WP Backitup
  https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=1031761%40wp-backitup&old=1027647%40wp-backitup&sfp_email=&sfph_mail=
- WPvulndb : WordPress Download Manager <= 2.7.94 Authenticated Stored XSS
  https://wpvulndb.com/vulnerabilities/8104
- Vapid.dhs : Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
  http://www.vapid.dhs.org/advisory.php?v=138
- oss-sec : Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin
  http://seclists.org/oss-sec/2015/q3/136
- fulldisclosure : Information Exposure Vulnerability in WordPress Mobile Pack Wordpress Plugin v2.1.2 and below
  http://seclists.org/fulldisclosure/2015/Jul/97
- fulldisclosure : Cross-Site Request Forgery Vulnerability in Portfolio Plugin Wordpress Plugin v1.0
  http://seclists.org/fulldisclosure/2015/Jul/104
- Vapid.dhs : Remote file download vulnerability in wptf-image-gallery v1.03
  http://www.vapid.dhs.org/advisory.php?v=148
- Bugtraq : SQL Injection in Count Per Day WordPress Plugin
  http://seclists.org/bugtraq/2015/Jul/107
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarms covering these vulnerabilities, grouped by the engine version since which each alarm is available:
Available since 3.2.0:
- XSS - Prevention - POST : suspicious tag with event found in data
- XSS - Prevention - POST : suspicious 'meta' tag found in data
- SQL injection Prevention - POST : suspicious SELECT statement in data
- XSS - Prevention - POST : suspicious 'object' tag found in data
- SQL injection Prevention - POST : possible version probing in data
- XSS - Prevention - POST : suspicious 'applet' tag found in data
- SQL injection Prevention - POST : suspicious OPENQUERY statement in data
- SQL injection Prevention - POST : suspicious CREATE statement in data
- XSS - Prevention - POST : 'location' javascript object found in data
- SQL injection Prevention - POST : suspicious UPDATE statement in data
- XSS - Prevention - POST : javascript code found in data
- XSS - Prevention - POST : suspicious 'iframe' tag found in data
- SQL injection Prevention - POST : suspicious UNION statement in data
- XSS - Prevention - POST : code allowing cookie access found in data
- XSS - Prevention - POST : suspicious 'img' attribute found in data
- SQL injection Prevention - POST : suspicious DROP statement in data
- SQL injection Prevention - POST : suspicious INSERT statement in data
- SQL injection Prevention - POST : suspicious OR statement in data
- SQL injection Prevention - POST : suspicious EXEC statement in data
- XSS - Prevention - POST : suspicious 'embed' tag found in data
- XSS - Prevention - POST : suspicious 'style' tag found in data
- SQL injection Prevention - POST : suspicious OPENROWSET statement in data
- XSS - Prevention - POST : suspicious 'div' tag found in data
- SQL injection Prevention - POST : suspicious DECLARE statement in data
- XSS - Prevention - POST : 'script' tag found in data
- XSS - Prevention - POST : suspicious 'style' attribute found in data
- SQL injection Prevention - POST : suspicious HAVING statement in data
- SQL injection Prevention - POST : suspicious CAST statement in data
Available since 5.0.0:
- XSS - Prevention - POST : suspicious 'style' tag found in data
- XSS - Prevention - POST : javascript code found in data
- XSS - Prevention - POST : suspicious tag with event found in data
- SQL injection Prevention - POST : suspicious UPDATE statement in data
- XSS - Prevention - POST : suspicious 'embed' tag found in data
- SQL injection Prevention - POST : suspicious SELECT statement in data
- XSS - Prevention - POST : 'location' javascript object found in data
- SQL injection Prevention - POST : suspicious DECLARE statement in data
- SQL injection Prevention - POST : suspicious OPENROWSET statement in data
- SQL injection Prevention - POST : suspicious OPENQUERY statement in data
- XSS - Prevention - POST : code allowing cookie access found in data
- SQL injection Prevention - POST : suspicious CAST statement in data
- SQL injection Prevention - POST : suspicious EXEC statement in data
- SQL injection Prevention - POST : suspicious CREATE statement in data
- SQL injection Prevention - POST : suspicious INSERT statement in data
- XSS - Prevention - POST : 'script' tag found in data
- SQL injection Prevention - POST : suspicious DROP statement in data
- XSS - Prevention - POST : suspicious 'style' attribute found in data
- SQL injection Prevention - POST : suspicious HAVING statement in data
- XSS - Prevention - POST : suspicious 'applet' tag found in data
- SQL injection Prevention - POST : suspicious UNION statement in data
- XSS - Prevention - POST : suspicious 'div' tag found in data
- SQL injection Prevention - POST : suspicious OR statement in data
- XSS - Prevention - POST : suspicious 'img' attribute found in data
- XSS - Prevention - POST : suspicious 'meta' tag found in data
- XSS - Prevention - POST : suspicious 'object' tag found in data
- SQL injection Prevention - POST : possible version probing in data
- XSS - Prevention - POST : suspicious 'iframe' tag found in data

Risk level   Moderate

Vulnerability First Public Report Date   2015-07-22

Target Type   Server

Possible exploit   Remote