WordPress WP Symposium Plugin 'uid' Parameter Cross-Site Scripting Vulnerability Network Vulnerability

Summary

This host is running WordPress WP Symposium plugin and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to Wordpress WP Symposium plugin version 11.12.08 or later. For updates refer to http://wordpress.org/extend/plugins/wp-symposium

Insight

The flaw is due to improper validation of user-supplied input passed to the 'uid' parameter in wp-content/plugins/wp-symposium/uploadify/get_ profile_avatar.php, which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Affected

WordPress WP Symposium Plugin version 11.11.26

References

http://osvdb.org/77634
http://secunia.com/advisories/47243
http://secunia.com/secunia_research/2011-82/
http://www.wpsymposium.com/2011/12/v11-12-08/
http://xforce.iss.net/xforce/xfdb/71748

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-3841
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability
APC PowerChute Network Shutdown HTTP Response Splitting Vulnerability
Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities
Apache CouchDB Cross Site Request Forgery Vulnerability
/doc directory browsable ?

Take action and discover your vulnerabilities