Summary
The host is running WordPress Register Plus Redux Plugin and is prone to multiple vulnerabilities.
Impact
Successful exploitation could allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Insight
The flaws are due to,
- Improper validation of input passed via the 'user_login', 'user_email', 'firstname', 'lastname', 'website', 'aim', 'yahoo', 'jabber', 'about', 'password', and 'invitation_code' parameters to 'wp-login.php' (when 'action' is set to 'register').
- A direct request to 'register-plus-redux.php' allows remote attackers to obtain installation path in error message.
Affected
WordPress Register Plus Redux Plugin 3.7.3 and prior.
References
Severity
Classification
-
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- @Mail WebMail Email Body HTML Injection Vulnerability
- AN Guestbook Local File Inclusion Vulnerability
- Alt-N WebAdmin Remote Source Code Information Disclosure Vulnerability
- Apache Solr XML External Entity(XXE) Vulnerability-01 Jan-14
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities