WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Plugin FoxyPress Multiple Vulnerabilities (0.4.2.5)

Description

WordPress Plugin FoxyPress is prone to multiple SQL injection, arbitrary file upload, cross-site scripting and cross-site request forgery vulnerabilities. A successful exploit may allow an attacker to gain unauthorized access and perform certain administrative actions, compromise the application, disclose potentially sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin FoxyPress version 0.4.2.5 is vulnerable; other versions may also be affected.

Remediation

Update to plugin version 0.4.2.9 or latest

References

http://www.securityfocus.com/bid/56332/exploit

http://www.waraxe.us/advisory-95.html

http://www.exploit-db.com/exploits/22374/

http://packetstormsecurity.com/files/117768/WordPress-FoxyPress-0.4.2.5-XSS-CSRF-SQL-Injection.html

http://secunia.com/advisories/51109/

Related Vulnerabilities

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Open Redirect (2.0.33)

Ruby Improper Restriction of XML External Entity Reference Vulnerability (CVE-2021-28965)

Dolibarr Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-19995)

Opencart Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-15081)

PHP Integer Overflow or Wraparound Vulnerability (CVE-2016-7133)

Severity

High

Classification

CWE-79 CWE-89 CWE-352 CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags