Description

WordPress Plugin Cimy Counter is prone to an HTTP response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. WordPress Plugin Cimy Counter versions prior to 0.9.5 are vulnerable.

Remediation

Update to the latest version

References

http://www.securityfocus.com/bid/41132/exploit

http://www.exploit-db.com/exploits/14057/

http://www.securityfocus.com/archive/1/512003

http://secunia.com/advisories/40258/

Related Vulnerabilities

WordPress Plugin TDO Mini Forms Arbitrary File Upload (0.13.9)

WordPress Plugin Launcher:Coming Soon & Maintenance Mode Cross-Site Scripting (1.0.10)

Apache Tomcat Cryptographic Issues Vulnerability (CVE-2011-5064)

Oracle JRE CVE-2013-0443 Vulnerability (CVE-2013-0443)

Moodle Improper Access Control Vulnerability (CVE-2020-25629)

Severity

High

Classification

CWE-79 CWE-113 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Http Response Splitting XSS