Message-ID: <348db197-f842-a0b2-4291-c317b82a28f8@securify.nl>
Date: Sun, 20 Nov 2016 11:18:24 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: "Larry W. Cashdollar" <larry0@...com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin

Hi Larry,

The entire advisories are posted to the oss-security mailing list.

Cheers,
Team Summer of Pwnage

On 19-11-16 15:13, Larry W. Cashdollar wrote:
> Hello All,
>
> These are really great advisories, my only wish is that they were copied to the security lists in their entirety. This way we aren't relying on a single point of failure (your website) when looking for the data in the future.
>
> Thanks!
> Larry
>
>> On Nov 19, 2016, at 5:48 AM, Summer of Pwnage <lists@...urify.nl> wrote:
>>
>> ------------------------------------------------------------------------
>> Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
>> ------------------------------------------------------------------------
>> Yorick Koster, July 2016
>>
>> ------------------------------------------------------------------------
>> Abstract
>> ------------------------------------------------------------------------
>> A Cross-Site Scripting vulnerability was found in the WP Canvas -
>> Shortcodes WordPress Plugin. This issue allows an attacker to perform a
>> wide variety of actions, such as stealing Administrators' session
>> tokens, or performing arbitrary actions on their behalf. This issue can
>> be exploited by authenticated users with the Contributor or higher role.
>>
>> ------------------------------------------------------------------------
>> OVE ID
>> ------------------------------------------------------------------------
>> OVE-20160724-0031
>>
>> ------------------------------------------------------------------------
>> Tested versions
>> ------------------------------------------------------------------------
>> This issue was successfully tested on WP Canvas - Shortcodes WordPress
>> Plugin version 1.92.
>>
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> This issue has been addressed in WP Canvas - Shortcodes WordPress Plugin
>> version 2.07.
>>
>> ------------------------------------------------------------------------
>> Details
>> ------------------------------------------------------------------------
>> https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_wp_canvas___shortcodes_wordpress_plugin.html
>>
>> ------------------------------------------------------------------------
>> Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
>> goal is to contribute to the security of popular, widely used OSS
>> projects in a fun and educational way.
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>