WordPress WHOIS Plugin 'domain' Parameter Cross-site Scripting Vulnerability Network Vulnerability

Summary

This host is installed with WordPress WHOIS plugin and is prone to cross-site scripting vulnerability.

Impact

Successful exploitation will allow attackers to execute arbitrary web script or HTML in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to WordPress WHOIS Plugin version 1.4.2.3 or later For updates refer to http://wordpress.org/extend/plugins/wordpress-whois-search/download/

Insight

The flaw is caused by an input validation error in the 'domain' parameter in '/wp-content/plugins/wordpress-whois-search/wp-whois-ajax.php' when processing user-supplied data.

Affected

WordPress WHOIS Plugin version prior to 1.4.2.3

References

http://packetstormsecurity.org/files/108271/wpwhois-xss.txt
http://secunia.com/advisories/47428/
http://www.securityfocus.com/bid/51244/info

Updated on 2017-03-28

Severity

Classification

CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

AdaptCMS Lite Cross Site Scripting and Remote File Include Vulnerabilities
appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability
@Mail WebMail Email Body HTML Injection Vulnerability
Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability
Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities

Take action and discover your vulnerabilities