This host is installed with Wordpress VideoWhisper Live Streaming Integration Plugin and is prone to multiple vulnerabilities.

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site and read/delete arbitrary files. Impact Level: Application

Upgrade to version 4.29.5 or later, For updates refer to http://wordpress.org/plugins/videowhisper-live-streaming-integration

Multiple flaws are due to an, - Improper verification of file extensions before uploading files to the server in '/videowhisper-live-streaming-integration/ls/vw_snapshots.php' - Input passed via HTTP POST parameters 'msg' to /ls/vc_chatlog.php, 'm' to /ls/lb_status.php, 'ct' to /ls/lb_status.php and /ls/v_status.php. - Input passed via HTTP GET parameters 'n' to /ls/channel.php, htmlchat.php, ls/video.php, and /videotext.php, 'message' to /ls/lb_logout.php, and 's' to rtmp_login.php and rtmp_logout.php scripts.

WordPress VideoWhisper Live Streaming Integration Plugin version 4.27.3 and probably prior.

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

• http://packetstormsecurity.com/files/125454
• http://www.exploit-db.com/exploits/31986
• http://www.osvdb.com/103426
• https://www.htbridge.com/advisory/HTB23199

---

Updated on 2015-03-25