This host is running WordPress Comment Rating Plugin and prone to cross site scripting and SQL injection vulnerabilities.

Successful exploitation will allow attacker to insert arbitrary HTML and script code or cause SQL Injection attack to gain sensitive information. Impact Level: Application

Upgrade to WordPress Comment Rating plugin version 2.9.24 or later. For updates refer to http://wordpress.org/extend/plugins/comment-rating/

The flaws are due to an, - Improper validation of user-supplied input passed to the 'id' parameter in '/wp-content/plugins/comment-rating/ck-processkarma.php' before using it in an SQL query, which allows attackers to execute arbitrary SQL commands in the context of an affected site. - Improper validation of user-supplied input passed to the 'path' parameter in '/wp-content/plugins/comment-rating/ck-processkarma.php', which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

WordPress Comment Rating plugin version 2.9.20

• http://packetstormsecurity.org/files/108314/wpcommentrating-sqlxss.txt
• http://securityreason.com/exploitalert/11106
• http://www.exploit-db.com/exploits/18303
• http://www.securityfocus.com/bid/51241

---

Updated on 2015-03-25