SNS Vulnerability

WordPress Third-Party Plugins Multiple Vulnerabilities

Description

(#Several vulnerabilities have been identified in third-party plugins for WordPress:#- WP Support Plus Responsive Ticket System: privilege escalation#- Responsive Poll: cross-site request forgery and cross-site scripting#- Chained Quiz: cross-site scripting.##Proofs of concept are available.)

Vulnerable Products

Vulnerable Software:
WordPress (WordPress) -

Solution

No solution for the moment.

CVE

References

- security.dxw : CSRF/XSS in Responsive Poll allows unauthenticated attackers to do almost anything an admin can
https://security.dxw.com/advisories/csrfxss-in-responsive-poll-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/
- pluginvulnerabilities : Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Chained Quiz
https://www.pluginvulnerabilities.com/2017/01/12/authenticated-persistent-cross-site-scripting-xss-vulnerability-in-chained-quiz/
- exploit-db : WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation
https://www.exploit-db.com/exploits/41006/

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
XSS - Prevention - POST : suspicious 'meta' tag found in data	3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data	3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data	5.0.0
XSS - Prevention - POST : javascript code found in data	5.0.0
XSS - Prevention - POST : suspicious tag with event found in data	5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data	5.0.0
XSS - Prevention - POST : 'location' javascript object found in data	5.0.0
XSS - Prevention - POST : code allowing cookie access found in data	5.0.0
XSS - Prevention - POST : 'script' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data	5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data	5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data	5.0.0

Risk level

Moderate

Vulnerability First Public Report Date

2017-01-10

Target Type

Client

Possible exploit

Remote