oss-sec mailing list archives
Re: CVE Request - CSRF and XSS in Encrypted Contact Form Wordpress Plugin v1.0.4
From: cve-assign () mitre org
Date: Sat, 16 May 2015 09:14:24 -0400 (EDT)
I discovered CSRF and XSS vulnerabilities in the Encrypted Contact Form Wordpress Plugin v1.0.4 which were responsibly disclosed and patched by the vendor in v1.1.
https://plugins.trac.wordpress.org/changeset/1125443/
http://seclists.org/fulldisclosure/2015/May/63
https://wordpress.org/plugins/encrypted-contact-form/changelog/
1.1 Detection of CSRF attacks added
action="/wp-admin/options-general.php?page=conformconf" name="iframe_url" value="[XSS]"
Use CVE-2015-4010 for this CSRF vulnerability (with resultant XSS).

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE Request - CSRF and XSS in Encrypted Contact Form Wordpress Plugin v1.0.4 Nitin Venkatesh (May 15)
- Re: CVE Request - CSRF and XSS in Encrypted Contact Form Wordpress Plugin v1.0.4 cve-assign (May 16)