WordPress Multiple Third Party Plugins Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in plugins for WordPress:
- iframe: stored cross-site scripting
- iframe: cross-site scripting if "get_params_from_url" parameter is used
- OAuth2: security bypass due to the use of a pseudorandom number generator that is not cryptographically secure
- Google Analytics by Yoast Premium: stored cross-site scripting
- Symposium: SQL injection
- Hide My WP: stored cross-site scripting
- REST API: cross-site scripting.
Proofs of concept are available.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress)
     
Solution   New versions of the following plugins fix the vulnerabilities impacting them:
- iframe: 4.0 (only for reflected cross-site scripting)
- OAuth2: 3.1.5
- Google Analytics by Yoast Premium: 5.4.5
- Symposium: 15.8
- Hide My WP: 4.54
- REST API: 1.2.3 and 2.0 Beta 4.
     
CVE  
     
References
- dxw : Stored XSS in iframe allows less privileged users to do almost anything an admin can
  https://security.dxw.com/advisories/stored-xss-in-iframe-allows-less-privileged-users-to-do-almost-anything-an-admin-can/
- dxw : Reflected XSS in iframe allows unauthenticated users to do almost anything an admin can
  https://security.dxw.com/advisories/reflected-xss-in-iframe-allows-unauthenticated-users-to-do-almost-anything-an-admin-can/
- dxw : The OAuth2 Complete plugin for WordPress uses a pseudorandom number generator which is non-cryptographically secure
  https://security.dxw.com/advisories/the-oauth2-complete-plugin-for-wordpress-uses-a-pseudorandom-number-generator-which-is-non-cryptographically-secure/
- dxw : Stored XSS in Google Analytics by Yoast Premium allows privileged users to attack other users
  https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/
- dxw : Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data
  https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
- WPVulnDB : Hide My WP <= 4.53 - Stored Cross-Site Scripting (XSS)
  https://wpvulndb.com/vulnerabilities/8151
- WPTavern : WP REST API 1.2.3 Patches XSS Vulnerability
  http://wptavern.com/wp-rest-api-1-2-3-patches-xss-vulnerability
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm | Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL | 3.2.0
SQL injection Prevention - POST : suspicious SELECT statement in data | 3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL | 3.2.0
SQL injection Prevention - POST : possible version probing in data | 3.2.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data | 3.2.0
SQL injection Prevention - POST : suspicious CREATE statement in data | 3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data | 3.2.0
XSS - Phishing : suspicious 'div' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL | 3.2.0
SQL injection Prevention - POST : suspicious UNION statement in data | 3.2.0
SQL injection Prevention - POST : suspicious DROP statement in data | 3.2.0
SQL injection Prevention - POST : suspicious INSERT statement in data | 3.2.0
SQL injection Prevention - POST : suspicious OR statement in data | 3.2.0
XSS - Phishing : suspicious 'a' tag found in URL | 3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL | 3.2.0
SQL injection Prevention - POST : suspicious EXEC statement in data | 3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'form' tag found in URL | 3.2.0
XSS - Prevention - GET : javascript code found in URL | 3.2.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data | 3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL | 3.2.0
SQL injection Prevention - POST : suspicious DECLARE statement in data | 3.2.0
XSS - Phishing : suspicious 'link' tag found in URL | 3.2.0
XSS - Prevention - GET : 'script' tag found in URL | 3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL | 3.2.0
SQL injection Prevention - POST : suspicious HAVING statement in data | 3.2.0
SQL injection Prevention - POST : suspicious CAST statement in data | 3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL | 3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data | 5.0.0
SQL injection Prevention - POST : suspicious SELECT statement in data | 5.0.0
SQL injection Prevention - POST : suspicious DECLARE statement in data | 5.0.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data | 5.0.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data | 5.0.0
SQL injection Prevention - POST : suspicious CAST statement in data | 5.0.0
SQL injection Prevention - POST : suspicious EXEC statement in data | 5.0.0
SQL injection Prevention - POST : suspicious CREATE statement in data | 5.0.0
SQL injection Prevention - POST : suspicious INSERT statement in data | 5.0.0
SQL injection Prevention - POST : suspicious DROP statement in data | 5.0.0
XSS - Prevention : suspicious 'script' tag found in header | 5.0.0
SQL injection Prevention - POST : suspicious HAVING statement in data | 5.0.0
SQL injection Prevention - POST : suspicious UNION statement in data | 5.0.0
SQL injection Prevention - POST : suspicious OR statement in data | 5.0.0
SQL injection Prevention - POST : possible version probing in data | 5.0.0

Risk level   Moderate

Vulnerability First Public Report Date   2015-08-13

Target Type   Server

Possible exploit   Remote