Description

Several vulnerabilities have been identified in the following WordPress themes:

- NewsGamer: cross-site scripting via the "popup" parameter of the "themes/newsgamer/wp-admin/tinymce/popup.php" page. A remote attacker can exploit it to execute arbitrary JavaScript or HTML code in the victim's browser by enticing the victim into following a specially crafted link.

- Contentive: cross-site scripting via the "s" (search) parameter. A remote attacker can exploit it to execute arbitrary JavaScript or HTML code in the victim's browser by enticing the victim into following a specially crafted link.

- Rehber: arbitrary file upload in "themes/rehber/js/upload.php".

- Purevision: arbitrary file upload in "themes/purevision/scripts/admin/uploadify/uploadify.php".

- U-design: arbitrary file upload in "themes/[u/design OR u-design ]/scripts/admin/uploadify/uploadify.php".

An arbitrary file upload on a PHP host generally lets the attacker place a server-side script under the web root and then execute it, so the three upload issues should be treated as potential remote code execution rather than as a content-integrity problem.

Proofs of concept are available.

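As an added example, not part of the advisory and not code from any of the affected themes, the following Python script scans web-server access log lines (Common Log Format) for the two patterns described above: POST requests to the upload scripts named in the advisory, and requests carrying HTML or JavaScript markers in the "s" parameter or in the "popup" parameter of the NewsGamer page. The log lines, IP addresses and payloads are constructed for the example; treating "themes/u/design/" as an alternative spelling of the U-design directory is an assumption drawn from the bracketed path in the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Upload scripts named in the advisory, relative to wp-content/.
# Both spellings of the U-design directory are listed on the assumption
# that the bracketed "[u/design OR u-design ]" path refers to either.
UPLOAD_SCRIPTS = (
    "themes/rehber/js/upload.php",
    "themes/purevision/scripts/admin/uploadify/uploadify.php",
    "themes/u-design/scripts/admin/uploadify/uploadify.php",
    "themes/u/design/scripts/admin/uploadify/uploadify.php",
)

# XSS sinks named in the advisory: (page path, parameter). A page of None
# means the parameter is checked on any path (the Contentive "s" parameter
# is the WordPress search parameter and is reachable site-wide).
XSS_PARAMS = (
    ("themes/newsgamer/wp-admin/tinymce/popup.php", "popup"),
    (None, "s"),
)

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Crude markers for HTML/JS injection attempts in a decoded parameter value.
XSS_MARK = re.compile(r"<[a-z/!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def classify(line):
    """Return a finding dict for one log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    path = parts.path

    # Upload endpoints: a POST is a likely upload attempt; a GET is a probe.
    for script in UPLOAD_SCRIPTS:
        if path.endswith(script):
            kind = "upload" if method.upper() == "POST" else "probe"
            return {"type": kind, "ip": ip, "time": ts,
                    "script": script, "status": int(status)}

    # XSS sinks: decode twice so %253C (double-encoded '<') is caught too.
    query = parse_qs(parts.query, keep_blank_values=True)
    for page, param in XSS_PARAMS:
        if page is not None and not path.endswith(page):
            continue
        for value in query.get(param, []):
            decoded = unquote(value)
            if XSS_MARK.search(decoded):
                return {"type": "xss", "ip": ip, "time": ts,
                        "param": param, "value": decoded, "status": int(status)}
    return None


def scan(log_text):
    """Classify every line of an access log; return the non-benign findings."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2017:10:01:02 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123
203.0.113.5 - - [12/Jun/2017:10:01:09 +0000] "GET /wp-content/themes/newsgamer/wp-admin/tinymce/popup.php?popup=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 812
198.51.100.7 - - [12/Jun/2017:10:02:30 +0000] "POST /wp-content/themes/purevision/scripts/admin/uploadify/uploadify.php HTTP/1.1" 200 44
192.0.2.9 - - [12/Jun/2017:10:03:00 +0000] "GET /?s=wordpress+themes HTTP/1.1" 200 6100
192.0.2.9 - - [12/Jun/2017:10:03:05 +0000] "GET /wp-content/themes/rehber/js/upload.php HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A POST to one of the uploadify.php or upload.php paths that returns 200 is the line to pivot on: check the theme's upload directory for recently written .php files and review every request from that source address afterwards. The search-parameter check is deliberately loose and will fire on legitimate searches containing angle brackets; it is a triage signal, not a block rule.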
Vulnerable Products

Vulnerable Software: WordPress (themes NewsGamer, Contentive, Rehber, Purevision and U-design)

Solution

No solution for the moment. As a workaround, deny web access to the upload scripts listed above (or remove them) if the affected theme does not need them, and verify that the web root contains no unexpected PHP files.

CVE

(none listed)

References

- Vulnerability-Lab: Wordpress Contentive Theme - Cross Site Web Vulnerability
  https://www.vulnerability-lab.com/get_content.php?id=2065
- CXSecurity: WordPress Themes Purevision - Arbitrary File Upload
  https://cxsecurity.com/issue/WLB-2017050215
- CXSecurity: WordPress Themes U-design File Upload
  https://cxsecurity.com/issue/WLB-2017060004
- CXSecurity: WordPress rehber Themes File Upload Vulnerability
  https://cxsecurity.com/issue/WLB-2017050164
- 0day: Wordpress NewsGamer Premium Theme - Cross Site Scripting Vulnerability
  http://0day.today/exploit/27837

Vulnerability Manager Detection

No

IPS Protection

(none listed)