Message-ID: <1432752895846.10669@akamai.com>
Date: Wed, 27 May 2015 18:54:55 +0000
From: "Seaman, Chad" <cseaman@...mai.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: CVE Request, multiple WordPress plugins and themes

These two had their formatting mangled, sorry about that.


  * wp-fastest-cache [PLUGIN]
    + url: https://wordpress.org/plugins/wp-fastest-cache/
    + vuln found:
    :--|- XSS

  * leaflet-maps-marker [PLUGIN]
    + url: https://wordpress.org/plugins/leaflet-maps-marker/
    + vuln found:
    :--|- XSS x 2





________________________________
From: Seaman, Chad
Sent: Wednesday, May 27, 2015 2:53 PM
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request, multiple WordPress plugins and themes


I'm not sure if these should be broken down by individual vulnerability or lumped per plugin/theme; there are 21 plugins/themes affected in total.


  * grand-media [PLUGIN]
    + url: https://wordpress.org/plugins/grand-media/
    + vuln found:
    :--|- XSS
    :
    :--|- LFI
    :    |- note: only truly exploitable if user sets ALLOW_NO_EXT == true
    :
    :--|- DoS
    :    |- note: force to recursively call itself via remote 301 redirects, cripples php-fpm w/ nginx
    :
    :--|- Open proxy



  * wp-mobile-edition [PLUGIN]
    + url: https://wordpress.org/plugins/wp-mobile-edition/
    + vuln found:
    :--|- LFI
    :    |- note: pre PHP 5.3 is likely (unconfirmed) susceptible to nullbyte injection, meaning any file can be read
    :
    :--|- OpenProxy
    :
    :--|- DoS
    :    |- note: will process list of files in for loop, aiding DoS capabilities
    :    |- note: follows 301 redirects, can be used to recursively call itself to exhaustion, cripples php-fpm w/ nginx
    :
    :--|- e-mail header injection (spam sandwich)
    :    |- note: will throw fatal error, but will send e-mail before doing so.
    :
    :--|- Multiple XSS vulns


  * wp-fastest-cache [PLUGIN]
    + url: https://wordpress.org/plugins/wp-fastest-cache/
    + vuln found:
    :--|- XSS


  * leaflet-maps-marker [PLUGIN]
    + url: https://wordpress.org/plugins/leaflet-maps-marker/
    + vuln found:
    :--|- XSS x 2


  * landing-pages [PLUGIN]
    + url: https://wordpress.org/plugins/landing-pages/
    + vuln found:
    :--|- XSS into admin session


  * extended-categories-widget [PLUGIN]
    + url: https://wordpress.org/plugins/extended-categories-widget/
    + vuln found:
    :--|- post auth admin SQLi

  * gallery-images [PLUGIN] && gallery-video [PLUGIN]
    + url: https://wordpress.org/plugins/gallery-images/
    + url: https://wordpress.org/plugins/gallery-video/
    + vuln found:
    :--|- XSS into admin session (image and video gallery are both affected)


  * easy-google-fonts [PLUGIN]
    + url: https://wordpress.org/plugins/easy-google-fonts/
    + vuln found:
    :--|- XSS into admin session


  * cta [PLUGIN]
    + url: https://wordpress.org/plugins/cta/
    + vuln found:
    :--|- CSRF & persistent XSS attack into admin session, and site-wide for visitors


  * constant-contact-api [PLUGIN]
    + url: https://wordpress.org/plugins/constant-contact-api/
    + vuln found:
    :--|- XSS x 2


  * zerif-lite [THEME]
    + url: https://wordpress.org/themes/zerif-lite/
    + vuln found:
    :--|- XSS


  * colorway [THEME]
    + url: https://wordpress.org/themes/colorway/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)
    :
    :--|- XSS x 3


  * charitas-lite [THEME]
    + url: https://wordpress.org/themes/charitas-lite/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)

  * ariwoo [THEME]
    + url: https://wordpress.org/themes/ariwoo/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)
    :
    :--|- XSS x 3


  * kage-green [THEME]
    + url: https://wordpress.org/themes/kage-green/
    + vuln found:
    :--|- XSS


  * intuition [THEME]
    + url: https://wordpress.org/themes/intuition/
    + vuln found:
    :--|- XSS


  * imag-mag [THEME]
    + url: https://wordpress.org/themes/imag-mag/
    + vuln found:
    :--|- XSS

  * fastnews-light [THEME]
    + url: https://wordpress.org/themes/fastnews-light/
    + vuln found:
    :--|- XSS


  * business-directory [THEME]
    + url: https://wordpress.org/themes/business-directory/
    + vuln found:
    :--|- XSS


  * boot-store [THEME]
    + url: https://wordpress.org/themes/boot-store/
    + deps: TheCartPress (https://wordpress.org/plugins/thecartpress/)
    + note: theme must be present, plugin must be present, user must not be logged in.
    + vuln found:
    :--|- XSS
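The "spam sandwich" e-mail header injection listed for wp-mobile-edition, colorway, charitas-lite and ariwoo above is the classic CRLF-in-mail()-headers pattern. The following is an added illustration written for this page, not code from the CVE request or from any of the listed plugins or themes: a contact-form header builder in its vulnerable form next to a hardened one. The function names, the form fields and the attacker input are all assumptions constructed for the example.

```php
<?php
// Added example, not from the original post or any listed plugin/theme.
// Demonstrates the e-mail header injection ("spam sandwich") pattern:
// raw form input is concatenated into the header block passed to mail(),
// so an attacker can terminate the From: line with CRLF, add Bcc:
// recipients, and end the header block with an empty line so that the
// rest of their input becomes a second message body.

// Vulnerable: user-controlled values go straight into the header block.
function build_headers_vulnerable(string $name, string $email): string {
    return "From: {$name} <{$email}>\r\n" .
           "Reply-To: {$email}\r\n";
}

// CR, LF and NUL are the only bytes that can start a new header line or
// terminate the header block, so any header value containing them is
// refused outright rather than "cleaned".
function header_value_is_clean(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Hardened: reject CR/LF/NUL, validate the address syntactically and
// quote the display name so it cannot smuggle extra addresses.
function build_headers_hardened(string $name, string $email): ?string {
    if (!header_value_is_clean($name) || !header_value_is_clean($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $safe_name = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $name) . '"';
    return "From: {$safe_name} <{$email}>\r\n" .
           "Reply-To: {$email}\r\n";
}

// Constructed attacker input (assumed form fields "name" and "email"):
// a plausible name, then CRLF, a Bcc: header, a blank line that closes
// the header block, and the attacker's own body text.
$attacker_name  = "Alice\r\nBcc: victim1@example.net, victim2@example.net\r\n\r\nBuy now";
$attacker_email = "alice@example.org";

echo "--- vulnerable header block (Bcc: and second body injected) ---\n";
echo build_headers_vulnerable($attacker_name, $attacker_email), "\n";

echo "--- hardened: injected input is rejected, clean input is accepted ---\n";
var_dump(build_headers_hardened($attacker_name, $attacker_email));
var_dump(build_headers_hardened("Alice", $attacker_email));
```

Inside WordPress the same rule applies to anything handed to wp_mail(): sanitize_email() strips illegal characters from addresses, but a free-text display name or subject still has to be checked for CR/LF before it is used in a header, and rejecting the request is safer than stripping the bytes and sending anyway.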



