Description
Several vulnerabilities have been identified in third-party WordPress plugins:
- Rollback: cross-site scripting and cross-site request forgery
- CopyProtect: cross-site scripting via the POST "CopyProtect_nrc_text" parameter of the "/wp-admin/admin.php?page=wpcopyprotect" page
- NewStatPress: cross-site scripting due to improper validation of the HTTP Referer header
- Powerplay Gallery: remote file upload and SQL injection
- Simple Ads Manager: denial of service
- Albo Pretorio Online: blind SQL injection and cross-site request forgery via the "id" parameter of the "wp-admin/admin.php?page=responsabili&action=edit" and "wp-admin/admin.php?page=atti&action=view-atto" pages
- Albo Pretorio Online: cross-site scripting
- easy2map: SQL injection via the "mapName" parameter of the "wp-admin/admin-ajax.php?mapID=VALID_MAP_ID" page (CVE-2015-4614)
- easy2map: directory traversal (CVE-2015-4616)
- WordPress File Upload: remote file upload, cross-site request forgery, several cross-site scripting issues and information disclosure
- Swim Team: local file inclusion via the "file" parameter of the "wp-content/plugins/wp-swimteam/include/user/download.php" script
Proofs of concept are available.
Exploit code is available for the vulnerability affecting Powerplay Gallery.
Vulnerable Products
Vulnerable Software: WordPress (WordPress)
Solution
New versions of the following plugins fix these vulnerabilities:
- Rollback: 1.2.3
- CopyProtect: 3.1.0
- NewStatPress: 1.0.4
- Simple Ads Manager: 2.9.4.116
- Albo Pretorio Online: 3.3
- easy2map: 1.25
- WordPress File Upload: 3.0.0
No fixed version is listed for Powerplay Gallery or Swim Team.
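As an added check that is not part of the bulletin, the following Python script walks a wp-content/plugins directory, reads the "Plugin Name:" and "Version:" header fields of each plugin's main file, and compares the installed version against the fixed versions listed above. Plugin names are matched by a case- and punctuation-insensitive substring test against the names used in the bulletin; that matching rule, the sample headers, and the 8 KB header window are assumptions of this example, and real plugin headers may use different names, so a plugin the script does not flag still deserves a manual look.

```python
"""Flag installed WordPress plugins that are still below the fixed versions
listed in this bulletin. Added example; not code from the advisory or plugins."""
import re
from pathlib import Path

# Fixed versions as given in the Solution section. None marks plugins the
# bulletin names without listing a fixed version (Powerplay Gallery, Swim Team).
FIXED_VERSIONS = {
    "Rollback": "1.2.3",
    "CopyProtect": "3.1.0",
    "NewStatPress": "1.0.4",
    "Simple Ads Manager": "2.9.4.116",
    "Albo Pretorio Online": "3.3",
    "easy2map": "1.25",
    "WordPress File Upload": "3.0.0",
    "Powerplay Gallery": None,
    "Swim Team": None,
}

# Matches "Plugin Name: X" / "Version: X" header lines, with or without the
# leading " * " of a /** ... */ comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$",
                       re.M | re.I)


def parse_plugin_header(text):
    """Return (name, version) from a plugin main file's header comment."""
    fields = {k.lower(): v for k, v in HEADER_RE.findall(text)}
    return fields.get("plugin name"), fields.get("version")


def version_key(version):
    """Dotted version -> tuple of ints; a non-numeric component counts as 0."""
    parts = []
    for p in version.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def older_than(installed, fixed):
    """True if installed < fixed, zero-padded so that 1.0 == 1.0.0."""
    a, b = version_key(installed), version_key(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def _normalise(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def verdict(name, installed):
    """None if the plugin is not named in the bulletin, else a verdict string.
    Assumption: the header's Plugin Name contains the bulletin's name once case
    and punctuation are stripped (e.g. "wp-SwimTeam" matches "Swim Team")."""
    needle = _normalise(name)
    for bulletin_name, fixed in FIXED_VERSIONS.items():
        if _normalise(bulletin_name) in needle:
            if fixed is None:
                return "no fixed version listed; treat as unpatched"
            return "vulnerable" if older_than(installed, fixed) else "fixed"
    return None


def check_headers(headers):
    """headers: {relative path: file text}. Returns (path, name, installed
    version, verdict) for every plugin the bulletin names."""
    out = []
    for path, text in headers.items():
        # WordPress itself only reads the first 8 KB of a file for headers.
        name, installed = parse_plugin_header(text[:8192])
        if not name or not installed:
            continue
        v = verdict(name, installed)
        if v:
            out.append((path, name, installed, v))
    return out


def scan(plugins_dir):
    """Read every candidate main file under wp-content/plugins and check it."""
    base = Path(plugins_dir)
    files = sorted(list(base.glob("*.php")) + list(base.glob("*/*.php")))
    return check_headers({str(p.relative_to(base)): p.read_text(errors="replace")
                          for p in files})


# Constructed sample headers (not real plugin files) so the script runs offline.
SAMPLE_HEADERS = {
    "newstatpress/newstatpress.php":
        "<?php\n/*\nPlugin Name: NewStatPress\nVersion: 1.0.3\n*/\n",
    "easy2map/easy2map.php":
        "<?php\n/**\n * Plugin Name: easy2map\n * Version: 1.25\n */\n",
    "simple-ads-manager/sam.php":
        "<?php\n/*\nPlugin Name: Simple Ads Manager\nVersion: 2.9.4.115\n*/\n",
    "wp-swimteam/wp-swimteam.php":
        "<?php\n/*\nPlugin Name: wp-SwimTeam\nVersion: 1.44.10777\n*/\n",
    "akismet/akismet.php":
        "<?php\n/*\nPlugin Name: Akismet\nVersion: 3.1.3\n*/\n",
}

if __name__ == "__main__":
    import sys
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else check_headers(SAMPLE_HEADERS)
    for path, name, installed, v in results:
        print(f"{path}: {name} {installed}: {v}")
```

Run it as `python check_plugins.py /var/www/html/wp-content/plugins` against a live install, or with no argument to see the verdicts for the constructed samples. Versions are compared numerically component by component rather than as strings, so "1.24" correctly sorts below "1.25" and "2.9.4.115" below "2.9.4.116".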
CVE
CVE-2015-4616
CVE-2015-4614
References
- SecuPress: WP Rollback, a too permissive plugin
http://blog.secupress.fr/en/wp-rollback-a-too-permissive-plugin-395.html
- g0blin: WP-CopyProtect [Protect your blog posts] 3.0.0, Persistent XSS
https://research.g0blin.co.uk/g0blin-00054/
- WPVulnDB: NewStatPress <= 1.0.3, Unauthenticated Persistent Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8067
- Vapid.DHS: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
http://www.vapid.dhs.org/advisory.php?v=132
- oss-sec: CVE Request for Wordpress Plugin Simple Ads Manager: DoS without authentication
http://seclists.org/oss-sec/2015/q3/13
- Exploit DB: Albo Pretorio Online 3.2 Multiple Vulnerabilities
https://www.exploit-db.com/exploits/37464/
- oss-sec: SQL Injection in easy2map wordpress plugin v1.24
http://seclists.org/oss-sec/2015/q3/15
- software-talk: Code Execution, CSRF, XSS, Information Disclosure in WordPress File Upload Plugin 2.7.6
http://software-talk.org/blog/2015/07/code-execution-csrf-xss-vulnerability-wordpress-file-upload-plugin/
- Vapid.DHS: LFI in Wordpress Plugin wp-swimteam v1.44.10777
http://www.vapid.dhs.org/advisory.php?v=134
Vulnerability Manager Detection
No
IPS Protection