WordPress Multiple Third Party Plugins Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in plugins for WordPress:
- StageShow: open redirect using the "url" parameter in the "stageshow_redirect.php" page (CVE-2015-5461)
- Ninja Forms: cross-site scripting in Admin Action Settings
- Albo Pretorio Online: multiple vulnerabilities (SQL injection, CSRF, XSS, shell uploading)
- Ultra Users: SQL injection via the "data_target" and "data_vote" parameters, located in the "admin-ajax.php" page (CVE-2015-4109)
- MDC YouTube Downloader: local file inclusion via the parameter "file" of the page "download.php" (CVE-2015-5469)
- WP e-Commerce Styling Shop: local file inclusion via the parameter "filename" of the page "download.php"
- S3Bubble Cloud Video With Adverts & Analytics: arbitrary file download via the parameter "name" of the page "downloader.php"
- ACF Frontend display: arbitrary file upload via the parameter "files" of action "upload"
- Custom Content Type Manager: remote PHP code execution by a user with administrator permissions (CVE-2015-3173)
- Swim Team: local file inclusion via the parameters "file" and "filename" of the page "download.php" (CVE-2015-5471)
- YOP Poll: cross-site scripting located in the function "yop_poll_set_wordpress_vote()" declared in the page "yop-poll/inc/admin.php"
- InfiniteWP Client: unspecified critical vulnerability
- IBS Mappro: directory traversal via the parameter "file" in the page "download.php" (CVE-2015-5472)
- GD bbPress Attachments: cross-site scripting via the parameter "tab" on the page "forms/panels.php"
- GD bbPress Attachments: local file inclusion, located in "wp-admin/edit.php". Exploitation of this vulnerability requires administrative privileges
- WP Attachment Export: arbitrary file download via the parameters "content" and "wp-attachment-download-export" of the page "wp-admin/tools.php".
Proofs of concept are available.
Exploit code is available for the "S3Bubble Cloud Video With Adverts & Analytics" plugin.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress)
     
Solution   New versions of the following plugins fix the vulnerabilities impacting them:
- StageShow: 5.0.9
- Ninja Forms: 2.9.19
- Albo Pretorio Online: 3.3
- Ultra Users: 1.5.16
- MDC YouTube Downloader: 2.1.1
- WP e-Commerce Styling Shop: 2.6
- Custom Content Type Manager: 0.9.8.6
- Swim Team: 1.45
- YOP Poll: 5.7.4
- InfiniteWP Client: 1.3.15
- IBS Mappro: 1.0
- GD bbPress Attachments: 2.3
- WP Attachment Export: 0.2.3
     
CVE   CVE-2015-5472
CVE-2015-5471
CVE-2015-5469
CVE-2015-5461
CVE-2015-4109
CVE-2015-3173
     
References   - OSS-SEC: Open redirect vulnerability in StageShow Wordpress plugin v5.0.8
  http://seclists.org/fulldisclosure/2015/Jul/27
- WordPress: StageShow <= 5.0.8 (Open Redirect)
  https://wpvulndb.com/vulnerabilities/8073
- WordPress: Ninja Forms <= 2.9.18 (Cross-Site Scripting (XSS))
  https://wpvulndb.com/vulnerabilities/8076
- WordPress: Albo Pretorio Online <= 3.2 (Multiple Vulnerabilities)
  https://wpvulndb.com/vulnerabilities/8072
- WordPress: Users Ultra <= 1.5.15 (SQL Injection)
  https://wpvulndb.com/vulnerabilities/8029
- WordPress: MDC YouTube Downloader <= 2.1.0 (Local File Inclusion)
  https://wpvulndb.com/vulnerabilities/8074
- OSS-SEC: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
  http://seclists.org/oss-sec/2015/q3/50
- WordPress: WP e-Commerce Shop Styling <= 2.5 (Local File Inclusion)
  https://wpvulndb.com/vulnerabilities/8079
- WordPress: S3Bubble Cloud Video With Adverts & Analytics <= 0.7 (Arbitrary File Download)
  https://wpvulndb.com/vulnerabilities/8082
- WordPress: ACF Frontend display <= 2.0.5 (Arbitrary File Upload)
  https://wpvulndb.com/vulnerabilities/8086
- WordPress: Custom Content Type Manager <= 0.9.8.5 (Remote Code Execution)
  https://wpvulndb.com/vulnerabilities/8077
- WordPress: Swim Team <= v1.44.10777 (Local File Inclusion)
  https://wpvulndb.com/vulnerabilities/8071
- OSS-SEC: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
  http://seclists.org/oss-sec/2015/q3/83
- WordPress: YOP Poll <= 5.7.3 (Reflected Cross-Site Scripting (XSS))
  https://wpvulndb.com/vulnerabilities/8083
- WordPress: InfiniteWP Client <= 1.3.14 (Unspecified Critical Vulnerability)
  https://wpvulndb.com/vulnerabilities/8084
- WordPress: IBS Mappro <= 0.6 (Directory Traversal)
  https://wpvulndb.com/vulnerabilities/8091
- OSS-SEC: Remote file download vulnerability in ibs-Mappro v0.6 Wordpress plugin
  http://seclists.org/oss-sec/2015/q3/75
- WordPress: GD bbPress Attachments <= 2.2 (Authenticated Reflected Cross-Site Scripting (XSS))
  https://wpvulndb.com/vulnerabilities/8088
- WordPress: GD bbPress Attachments <= 2.2 (Local File Inclusion)
<a h... (truncated text)
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm   Available Since
Misc : Directory traversal - parameter starting with ../   3.2.0
SQL injection Prevention - GET : suspicious OR statement in URL   3.2.0
SQL injection Prevention - POST : suspicious SELECT statement in data   3.2.0
SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL   3.2.0
SQL injection Prevention - POST : possible version probing in data   3.2.0
SQL injection Prevention - GET : suspicious CREATE statement in URL   3.2.0
SQL injection Prevention - GET : suspicious CAST statement in URL   3.2.0
SQL injection Prevention - GET : suspicious OPENROWSET statement in URL   3.2.0
SQL injection Prevention - GET : suspicious DECLARE statement in URL   3.2.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data   3.2.0
SQL injection Prevention - POST : suspicious CREATE statement in data   3.2.0
Directory traversal using ..\..   3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data   3.2.0
SQL injection Prevention - POST : suspicious UNION statement in data   3.2.0
SQL injection Prevention - GET : suspicious OPENQUERY statement in URL   3.2.0
SQL injection Prevention - GET : suspicious shutdown statement in URL   3.2.0
Directory traversal   3.2.0
SQL injection Prevention - GET : suspicious UNION SELECT statement in URL   3.2.0
SQL injection Prevention - POST : suspicious DROP statement in data   3.2.0
SQL injection Prevention - GET : possible database version probing   3.2.0
SQL injection Prevention - POST : suspicious INSERT statement in data   3.2.0
SQL injection Prevention - POST : suspicious OR statement in data   3.2.0
SQL injection Prevention - GET : suspicious UPDATE SET statement in URL   3.2.0
SQL injection Prevention - POST : suspicious EXEC statement in data   3.2.0
SQL injection Prevention - GET : suspicious SELECT statement in URL   3.2.0
SQL injection Prevention - GET : suspicious INSERT statement in URL   3.2.0
SQL injection Prevention - GET : suspicious DROP statement in URL   3.2.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data   3.2.0
SQL injection Prevention - GET : suspicious EXEC statement in URL   3.2.0
SQL injection Prevention - GET : block comment delimiters in URL   3.2.0
Directory traversal backward root folder   3.2.0
SQL injection Prevention - POST : suspicious DECLARE statement in data   3.2.0
SQL injection Prevention - POST : suspicious HAVING statement in data   3.2.0
SQL injection Prevention - POST : suspicious CAST statement in data   3.2.0
Misc : Local File Inclusion - suspicious /etc/passwd found in URL   3.5.0
SQL injection Prevention - GET : suspicious SQL statement in header   4.0.0
Site with open redirect   4.0.0
SQL injection Prevention - POST : suspicious UPDATE statement in data   5.0.0
SQL injection Prevention - POST : suspicious SELECT statement in data   5.0.0
SQL injection Prevention - POST : suspicious DECLARE statement in data   5.0.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data   5.0.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data   5.0.0
SQL injection Prevention - POST : suspicious CAST statement in data   5.0.0
SQL injection Prevention - POST : suspicious EXEC statement in data   5.0.0
SQL injection Prevention - POST : suspicious CREATE statement in data   5.0.0
SQL injection Prevention - POST : suspicious INSERT statement in data   5.0.0
SQL injection Prevention - GET : Authentication bypass attempt with OR statement   5.0.0
SQL injection Prevention - POST : suspicious DROP statement in data   5.0.0
SQL injection Prevention - POST : suspicious HAVING statement in data   5.0.0
SQL injection Prevention - POST : suspicious UNION statement in data   5.0.0
SQL injection Prevention - POST : suspicious OR statement in data   5.0.0
SQL injection Prevention - POST : possible version probing in data   5.0.0
     


 
 
 
 
Risk level   Moderate
Vulnerability First Public Report Date   2015-07-06
Target Type   Server
Possible exploit   Remote