Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Plugin Cart66 Lite::WordPress Ecommerce Multiple Vulnerabilities (1.5.1.14)

Description

WordPress Plugin Cart66 Lite::WordPress Ecommerce is prone to multiple vulnerabilities, including cross-site scripting and cross-site request forgery vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, allowing the attacker to steal cookie-based authentication credentials and launch other attacks or to perform certain administrative actions and gain unauthorized access to the affected application. WordPress Plugin Cart66 Lite::WordPress Ecommerce version 1.5.1.14 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.5.1.15 or latest

References

http://blog.noobroot.com/2013/10/0-day-wordpress-cart66-plugin-15114.html

http://www.exploit-db.com/exploits/28959/

http://www.securityfocus.com/archive/1/529129

http://packetstormsecurity.com/files/123587/WordPress-Cart66-1.5.1.14-Cross-Site-Request-Forgery-Cross-Site-Scripting.html

Related Vulnerabilities

IBM WebSEAL Use of Hard-coded Credentials Vulnerability (CVE-2018-1887)

MySQL CVE-2015-4792 Vulnerability (CVE-2015-4792)

Ruby on Rails Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-0449)

WordPress Plugin twitterDash Cross-Site Request Forgery (2.1)

WordPress Plugin Form for WordPress-Zoho Forms Cross-Site Scripting (3.0)

Severity

High

Classification

CVE-2013-5977 CVE-2013-5978 CWE-79 CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update