WordPress WP-Members Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Wordpress WP-Members Plugin and is prone to multiple cross site scripting vulnerabilities.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to version Wordpress WP-Members Plugin 2.8.10 or later, For updates refer to http://wordpress.org/plugins/wp-members

Insight

Flaws are due to input sanitation errors in multiple GET and POST parameter.

Affected

Wordpress WP-Members Plugin version 2.8.9, Other versions may also be affected.

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://cxsecurity.com/issue/WLB-2014010044
http://seclists.org/fulldisclosure/2014/Jan/29
http://wordpress.org/plugins/wp-members/changelog

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Ampache Reflected Cross Site Scripting Vulnerability
Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability
Allegro RomPager HTTP Referer Header Cross Site Scripting Vulnerability
@Mail 'MailType' Parameter Cross Site Scripting Vulnerability
Apache Archiva Home Page Cross-Site Scripting vulnerability

Take action and discover your vulnerabilities