oss-sec mailing list archives
Re: CVE request / Advisory: Floating Social Bar (Wordpress plugin) 1.0.1 - 1.1.6
From: Matthew Daley <mattd () bugfuzz com>
Date: Mon, 13 Apr 2015 20:02:40 +1200
On 13 April 2015 at 18:25, <cve-assign () mitre org> wrote:
>> I'd like to request a CVE ID for this issue. This is the first such request; this message serves as an advisory as well.
>>
>> Affected software: Floating Social Bar (Wordpress plugin)
>> Affected versions: 1.0.1 - 1.1.6
>> Website: https://wordpress.org/plugins/floating-social-bar/
>>
>> Description: One of the plugin's unauthenticated AJAX action handlers is vulnerable to a stored cross-site scripting vulnerability. By invoking the action with certain parameters, it is possible for unauthenticated attackers to force the persistent injection of arbitrary script across the site's post pages.
>>
>> Fixed version: 1.1.7
>> Fix: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk
>> Changelog: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk#file5
>
> Use CVE-2015-3299 for the specific issue in your "Description" section above.
>
> It seems conceivable that 1129648 also fixed something else, e.g.,
>
> 1. Maybe the "- add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );" code change means that wp_ajax_nopriv_fsb_save_order allowed bypassing intended access control, even if the attacker did not supply an XSS payload.

Yes. It wasn't intended for non-administrators to be able to adjust the services by executing the action.

> 2. Maybe the patched code can help to prevent a CSRF attack against an authenticated action handler.

Again, yes. Administrators could be forced to execute the action with an attacker's parameters via a CSRF attack. Nonces have been added to stop this.

> If so, then additional CVE IDs would be needed.
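The three weaknesses discussed in this thread (an admin-only AJAX handler also registered on the wp_ajax_nopriv_ hook, no nonce so an administrator can be made to fire it cross-site, and unsanitized input later rendered into post pages) can be shown as one vulnerable handler beside its hardened form. This is an added illustration, not the plugin's code, which the thread does not reproduce; the option name fsb_services, the POST field order, the nonce action/field names and the service slug list are assumptions.

```php
<?php
// Added illustration of the weakness class discussed in the thread; not the
// plugin's code. Option, field, nonce and service names are assumptions.

class FSB_Vulnerable_Example {
    public function __construct() {
        // Same handler on both hooks: reachable by anonymous visitors (nopriv),
        // and with no nonce, by any page a logged-in administrator visits (CSRF).
        add_action( 'wp_ajax_fsb_save_order',        array( $this, 'save_order' ) );
        add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );
    }

    public function save_order() {
        // No nonce, no capability check, no sanitization: the raw value is stored
        // and later echoed into every post page, which is the stored XSS.
        update_option( 'fsb_services', $_POST['order'] );
        wp_die();
    }
}

class FSB_Hardened_Example {
    public function __construct() {
        // Only the authenticated hook remains; the nopriv registration is gone.
        add_action( 'wp_ajax_fsb_save_order', array( $this, 'save_order' ) );
    }

    public function save_order() {
        // Nonce ties the request to a form this site issued to this user (stops CSRF).
        check_ajax_referer( 'fsb_save_order', 'nonce' );

        // Being logged in is not authorization: require an administrator capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'insufficient privileges', 403 );
        }

        // Accept only known service slugs, preserving the order the admin supplied.
        $allowed = array( 'facebook', 'twitter', 'google', 'linkedin', 'pinterest' );
        $raw     = isset( $_POST['order'] ) ? (array) wp_unslash( $_POST['order'] ) : array();
        $order   = array_values( array_intersect( array_map( 'sanitize_key', $raw ), $allowed ) );

        update_option( 'fsb_services', $order );
        wp_send_json_success( $order );
    }

    // Output side: escape on render so a stored value can never become markup.
    public function render_services() {
        foreach ( (array) get_option( 'fsb_services', array() ) as $slug ) {
            echo '<span class="fsb-' . esc_attr( $slug ) . '"></span>';
        }
    }
}
```

The admin page's JavaScript would obtain the nonce from wp_create_nonce( 'fsb_save_order' ) and send it in the nonce field that check_ajax_referer() reads.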