Wordpress Sexy Squeeze Pages 'id' Parameter XSS Vulnerability Network Vulnerability

Summary

This host is installed with Wordpress Sexy Squeeze Pages and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site. Impact Level: Application

Solution

No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to http://instasqueeze.com

Insight

Flaw is due to the /instasqueeze/lp/index.php script does not validate input to the 'id' parameter before returning it to users.

Affected

Wordpress InstaSqueeze Sexy Squeeze Pages Plugin

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://h4x0resec.blogspot.in/2014/11/wordpress-sexy-squeeze-pages-plugin.html
http://packetstormsecurity.com/files/129285
http://www.osvdb.org/115164

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-9176
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Adobe JRun Management Console Multiple Vulnerabilities
Apache Tomcat Directory Listing and File disclosure
Apache ActiveMQ Multiple Vulnerabilities
Advantech WebAccess Multiple Stack Based Buffer Overflow Vulnerabilities
Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities

Take action and discover your vulnerabilities