WordPress Multiple Third-Party Plugins Multiple Vulnerabilities


Description
Several vulnerabilities have been identified in third-party plugins for WordPress:
- Robo Gallery: remote code execution
- WooCommerce Product Options: file upload
- Stop User Enumeration: username enumeration bypass

Several cross-site scripting vulnerabilities in the following third-party plugins:
- MW Font Changer
- S3 Video Plugin
- Admin Font Editor (CVE-2016-1000126)
- Infusionsoft Gravity Forms (CVE-2016-1000139)
- MiniMax
- WPSOLR
- Tidio Gallery
- CSV Import

Proof of concepts are available.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress) -
     
Solution   Version 1.5.12 of Infusionsoft Gravity Forms fixes the vulnerability affecting it (CVE-2016-1000139).
     
CVE   CVE-2016-1000139
     
References   - seclists : Wordpress Robo Gallery v2.0.14 - Code Execution Vulnerability
http://seclists.org/bugtraq/2016/Apr/69
- cxsecurity : Wordpress Product Options for WooCommerce Plugin File Upload
https://cxsecurity.com/issue/WLB-2016040066
- wpvulndb : Robo Gallery <= 2.0.14 - Remote Code Execution
https://wpvulndb.com/vulnerabilities/8438
- wpvulndb : Stop User Enumeration <= 1.3.3 - Username Enumeration Bypass
https://wpvulndb.com/vulnerabilities/8436
- wpvulndb : MW Font Changer <= 4.2.5 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8443
- wpvulndb : S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8442
- wpvulndb : Admin Font Editor <= 1.8 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8441
- wpvulndb : Infusionsoft Gravity Forms Add-on <= 1.5.11 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8440
- wpvulndb : MiniMax <= 2.0.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8446
- wpvulndb : WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8445
- wpvulndb : Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8444
- wpvulndb : CSV Import 1.0 - Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8395
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm: Upload of a PHP file in a vulnerable web application
Available Since: 5.0.0
     
Risk level   Moderate

Vulnerability First Public Report Date   2016-04-14

Target Type   Client

Possible exploit   Remote