oss-sec mailing list archives

Re: CVE Request, multiple WordPress plugins and themes


From: "Seaman, Chad" <cseaman () akamai com>
Date: Wed, 27 May 2015 18:54:55 +0000

These two had their formatting mangled, sorry about that.


  * wp-fastest-cache [PLUGIN]
    + url: https://wordpress.org/plugins/wp-fastest-cache/
    + vuln found:
    :--|- XSS

  * leaflet-maps-marker [PLUGIN]
    + url: https://wordpress.org/plugins/leaflet-maps-marker/
    + vuln found:
    :--|- XSS x 2





________________________________
From: Seaman, Chad
Sent: Wednesday, May 27, 2015 2:53 PM
To: oss-security () lists openwall com
Cc: cve-assign () mitre org
Subject: CVE Request, multiple WordPress plugins and themes


I'm not sure if these should be broken down by individual vulnerability or lumped per plugin/theme; there are 21
plugins/themes affected in total.


  * grand-media [PLUGIN]
    + url: https://wordpress.org/plugins/grand-media/
    + vuln found:
    :--|- XSS
    :
    :--|- LFI
    :    |- note: only truly exploitable if user sets ALLOW_NO_EXT == true
    :
    :--|- DoS
    :    |- note: force to recursively call itself via remote 301 redirects, cripples php-fpm w/ nginx
    :
    :--|- Open proxy



  * wp-mobile-edition [PLUGIN]
    + url: https://wordpress.org/plugins/wp-mobile-edition/
    + vuln found:
    :--|- LFI
    :    |- note: pre-PHP 5.3 is likely (unconfirmed) susceptible to nullbyte injection, meaning any file can be read
    :
    :--|- OpenProxy
    :
    :--|- DoS
    :    |- note: will process list of files in for loop, aiding DoS capabilities
    :    |- note: follows 301 redirects, can be used to recursively call itself to exhaustion, cripples php-fpm w/ nginx
    :
    :--|- e-mail header injection (spam sandwich)
    :    |- note: will throw fatal error, but will send e-mail before doing so.
    :
    :--|- Multiple XSS vulns


  * wp-fastest-cache [PLUGIN]
    + url: https://wordpress.org/plugins/wp-fastest-cache/
    + vuln found:
    :--|- XSS


  * leaflet-maps-marker [PLUGIN]
    + url: https://wordpress.org/plugins/leaflet-maps-marker/
    + vuln found:
    :--|- XSS x 2


  * landing-pages [PLUGIN]
    + url: https://wordpress.org/plugins/landing-pages/
    + vuln found:
    :--|- XSS into admin session


  * extended-categories-widget [PLUGIN]
    + url: https://wordpress.org/plugins/extended-categories-widget/
    + vuln found:
    :--|- post auth admin SQLi

  * gallery-images [PLUGIN] && gallery-video [PLUGIN]
    + url: https://wordpress.org/plugins/gallery-images/
    + url: https://wordpress.org/plugins/gallery-video/
    + vuln found:
    :--|- XSS into admin session (image and video gallery are both affected)


  * easy-google-fonts [PLUGIN]
    + url: https://wordpress.org/plugins/easy-google-fonts/
    + vuln found:
    :--|- XSS into admin session


  * cta [PLUGIN]
    + url: https://wordpress.org/plugins/cta/
    + vuln found:
    :--|- CSRF & persistent XSS attack into admin session, and site-wide for visitors


  * constant-contact-api [PLUGIN]
    + url: https://wordpress.org/plugins/constant-contact-api/
    + vuln found:
    :--|- XSS x 2


  * zerif-lite [THEME]
    + url: https://wordpress.org/themes/zerif-lite/
    + vuln found:
    :--|- XSS


  * colorway [THEME]
    + url: https://wordpress.org/themes/colorway/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)
    :
    :--|- XSS x 3


  * charitas-lite [THEME]
    + url: https://wordpress.org/themes/charitas-lite/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)

  * ariwoo [THEME]
    + url: https://wordpress.org/themes/ariwoo/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)
    :
    :--|- XSS x 3


  * kage-green [THEME]
    + url: https://wordpress.org/themes/kage-green/
    + vuln found:
    :--|- XSS


  * intuition [THEME]
    + url: https://wordpress.org/themes/intuition/
    + vuln found:
    :--|- XSS


  * imag-mag [THEME]
    + url: https://wordpress.org/themes/imag-mag/
    + vuln found:
    :--|- XSS

  * fastnews-light [THEME]
    + url: https://wordpress.org/themes/fastnews-light/
    + vuln found:
    :--|- XSS


  * business-directory [THEME]
    + url: https://wordpress.org/themes/business-directory/
    + vuln found:
    :--|- XSS


  * boot-store [THEME]
    + url: https://wordpress.org/themes/boot-store/
    + deps: TheCartPress (https://wordpress.org/plugins/thecartpress/)
    + note: theme must be present, plugin must be present, user must not be logged in.
    + vuln found:
    :--|- XSS
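Four of the entries above (wp-mobile-edition, colorway, charitas-lite, ariwoo) list e-mail header injection. The PHP below is an added illustration of that bug class beside its fix; it is not code from any of those plugins or themes, and the contact-form field names and the attacker payload are assumed/constructed for the demonstration. The vulnerable builder pastes the visitor's name into the From: line of the additional_headers string handed to mail(), so a CRLF in the name ends that line and whatever follows becomes a Bcc: header of the attacker's choosing; the hardened builder rejects any CR/LF, validates the address and quotes the display name.

```php
<?php
// Added example (not code from any plugin/theme in the CVE request) of the
// "e-mail header injection" class: a contact form that concatenates visitor
// input into the additional_headers string passed to mail(). Field names and
// the attacker payload below are assumed / constructed for the demonstration.

// Vulnerable: the visitor-controlled name and address are pasted straight
// into the header block. A CR/LF in either value ends the From: line and
// whatever follows becomes a new header (Bcc:, Cc:, To:, ...).
function build_headers_vulnerable(string $from_email, string $from_name): string
{
    $headers  = "From: {$from_name} <{$from_email}>\r\n";
    $headers .= "Reply-To: {$from_email}\r\n";
    return $headers;
}

// Hardened: refuse any value containing CR or LF (rejecting is safer than
// stripping, which leaves the attacker a second encoding to try), validate
// the address syntax, and quote the display name so it cannot close the
// angle-bracketed address. Returns null when the input is rejected.
function build_headers_safe(string $from_email, string $from_name): ?string
{
    if (preg_match('/[\r\n]/', $from_email . $from_name) === 1) {
        return null;
    }
    if (filter_var($from_email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $name = '"' . addcslashes($from_name, '"\\') . '"';
    $headers  = "From: {$name} <{$from_email}>\r\n";
    $headers .= "Reply-To: {$from_email}\r\n";
    return $headers;
}

// Counts recipient headers in a header block; a contact form should
// produce none here (the real recipient is mail()'s first argument).
function count_recipient_headers(string $headers): int
{
    return preg_match_all('/^(?:To|Cc|Bcc):/mi', $headers);
}

// Constructed attacker input: the "name" field carries a CRLF followed by
// a Bcc: header, which turns the contact form into a spam relay.
$attacker_email = 'alice@example.org';
$attacker_name  = "Alice\r\nBcc: victim1@example.net, victim2@example.net";

$vuln = build_headers_vulnerable($attacker_email, $attacker_name);
echo "vulnerable header block:\n{$vuln}";
echo "recipient headers smuggled in: " . count_recipient_headers($vuln) . "\n";

$safe = build_headers_safe($attacker_email, $attacker_name);
echo "hardened builder: " . ($safe === null ? "input rejected\n" : $safe);

// The same builder accepts a benign submission unchanged.
echo build_headers_safe('bob@example.org', 'Bob "Bobby" Smith');
```

Run it with the PHP CLI to see the smuggled Bcc: line in the vulnerable output and the rejection from the hardened builder. In a WordPress plugin or theme, handing the address and name to wp_mail() instead of assembling raw headers keeps PHPMailer in the path for header construction, but the CR/LF check and address validation above still belong in the form handler, and the note on wp-mobile-edition (mail sent before the fatal error) is a reminder that a crash after the send does not undo it.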

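grand-media and wp-mobile-edition both list an open proxy and a DoS through self-referencing 301 redirects. The PHP below is an added sketch of that pattern beside a hardened fetch routine; it is not code from either plugin, and the endpoint, parameter and host names are assumed. The vulnerable fetcher retrieves whatever URL it is handed with CURLOPT_FOLLOWLOCATION and no redirect cap, so a remote URL that answers with a 301 back to the same endpoint makes each php-fpm worker block on a request served by another worker until the pool is exhausted. The hardened version re-checks every hop itself, refuses its own host, loopback and private ranges, and bounds both the redirect count and the time spent.

```php
<?php
// Added example, not code from grand-media or wp-mobile-edition. The
// endpoint/parameter names and hosts are assumed for the demonstration.
// Pattern: a plugin endpoint that fetches a remote URL named by the visitor
// (an image/page proxy) and follows redirects blindly.

// Vulnerable shape: any URL is fetched, redirects followed without a cap.
// Visitor -> /?proxy_url=http://attacker/x ; attacker replies
//   301 Location: http://this-site/?proxy_url=http://attacker/x
// so the worker handling the request waits on a second worker, which
// waits on a third, until php-fpm has no idle workers left for nginx.
function fetch_vulnerable(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Policy check, network-free: http(s) only, never this site's own host,
// and no literal loopback/private/reserved IP as the target host.
function is_fetch_allowed(string $url, string $own_host): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($p['host']);
    if ($host === strtolower($own_host)) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP,
                      FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    return true;
}

// Hardened fetch: follow redirects by hand so every Location: is re-checked
// against the policy, cap the hop count, and bound connect/transfer time so
// a slow or looping upstream cannot pin a worker.
function fetch_hardened(string $url, string $own_host, int $max_hops = 3)
{
    for ($hop = 0; $hop <= $max_hops; $hop++) {
        if (!is_fetch_allowed($url, $own_host)) {
            return false;
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 3,
            CURLOPT_TIMEOUT        => 5,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);
        if ($code >= 300 && $code < 400 && is_string($next) && $next !== '') {
            $url = $next;   // re-validated at the top of the next iteration
            continue;
        }
        return $body;
    }
    return false;           // redirect chain too long
}

// Offline check of the policy with constructed URLs.
$own = 'blog.example.com';
$cases = [
    'https://cdn.example.org/pic.jpg',               // allowed
    'http://blog.example.com/?proxy_url=http://x/',  // own host: the loop
    'http://127.0.0.1:9000/',                        // loopback
    'http://10.0.0.5/admin',                         // private range
    'file:///etc/passwd',                            // not http(s)
];
foreach ($cases as $u) {
    printf("%-48s %s\n", $u, is_fetch_allowed($u, $own) ? 'allowed' : 'refused');
}
```

The host-name comparison is the minimum: it does not catch a hostname that resolves to this server's own address, nor DNS rebinding, so a proxy that must accept arbitrary hosts should resolve the name and compare addresses as well, and a plugin that only ever needs a few upstreams is better off with an allowlist than with any denylist. Even with a capped redirect chain, the per-request timeouts matter, because the endpoint is still a way for an unauthenticated visitor to make the server hold a worker for several seconds per request.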
