Description

WordPress Plugin Cimy Counter is prone to an HTTP response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. WordPress Plugin Cimy Counter versions prior to 0.9.5 are vulnerable.

Remediation

Update to the latest version

References

http://www.securityfocus.com/bid/41132/exploit

http://www.exploit-db.com/exploits/14057/

http://www.securityfocus.com/archive/1/512003

http://secunia.com/advisories/40258/

Related Vulnerabilities

WordPress Plugin Lightweight Sidebar Manager Cross-Site Request Forgery (1.1.4)

Oracle JRE CVE-2014-2422 Vulnerability (CVE-2014-2422)

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-42110)

Jboss EAP CVE-2018-1304 Vulnerability (CVE-2018-1304)

WordPress Plugin Newsletter Meenews 'idnews' Parameter Cross-Site Scripting (5.1.0)

Severity

High

Classification

CWE-79 CWE-113 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Http Response Splitting XSS