Wordpress Contact Form 7 Integrations Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Wordpress Contact Form 7 Integrations and is prone to multiple cross site scripting vulnerabilities.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to version 1.3.11 or later, For updates refer to https://wordpress.org/plugins/contact-form-7-integrations

Insight

Flaws are due to the includes/toAdmin.php script does not validate input passed via 'uE' and 'uC' parameters.

Affected

Wordpress Contact Form 7 Integrations version 1.0 to 1.3.10

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://research.g0blin.co.uk/cve-2014-6445
http://www.osvdb.com/112170
https://wordpress.org/plugins/contact-form-7-integrations/changelog

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-6445
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Tomcat cal2.jsp Cross Site Scripting Vulnerability
appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability
Apache Continuum Cross Site Scripting Vulnerability
Apache Archiva Multiple Vulnerabilities
Abtp Portal Project 'ABTPV_BLOQUE_CENT' Parameter Local and Remote File Include Vulnerabilities

Take action and discover your vulnerabilities