WordPress WP Photo Album Plus Plugin 'Search Photos' XSS Vulnerability Network Vulnerability

Summary

This host is installed with WordPress WP Photo Album Plus Plugin and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed. Impact Level: Application

Solution

Upgrade to WordPress WP Photo Album Plus Plugin version 4.8.12 or later. For updates refer http://wordpress.org/plugins/wp-photo-album-plus/

Insight

Input passed via the 'wppa-searchstring' parameter to index.php (when page_id is set to the Search Photos page) is not properly sanitised before it is returned to the user.

Affected

WordPress WP Photo Album Plus Plugin version 4.8.11 and prior

References

http://k3170makan.blogspot.in/2012/12/wp-photoplus-xss-csrf-vuln.html
http://packetstormsecurity.com/files/119152/wpphotoplussearch-xssxsrf.txt

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability
Apache Struts2/XWork Remote Command Execution Vulnerability
Apache Web Server ETag Header Information Disclosure Weakness
Apache Struts Cross Site Scripting Vulnerability
Apache Continuum Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities