2015-06-18

Ultimate Member 1.2.98-1.2.997, Reflected XSS

The Ultimate Member plugin utilizes the Redux Framework. The Redux Framework includes a script named ‘class.p.php’, which acts as an HTTP proxy. Utilizing this script, it is possible to trigger a Reflected XSS attack by loading data from a location...

2015-06-10

Smart Website Tools by AddThis 4.0.6 - 4.0.7, Persistent XSS

The Smart Website Tools by AddThis plugin exposes an AJAX function called ‘at_async_loading’ in ‘addthis/addthis-for-wordpress.php’. Access to this function is restricted to registered users; however, it is not restricted to administrative users, meaning...

2015-05-30

Ultimate Social Media and Share Icons 1.1.1.11, Persistent XSS

The Ultimate Social Media Icons plugin exposes several AJAX methods to all registered users, regardless of user level (see content of ultimate-social-media-icons/libs/controllers/sfsi_buttons_controller.php). These methods are used to update settings...

2015-05-30

Formidable Forms 2.0.07, Information Disclosure

The Formidable Forms plugin exposes a function to the public which allows forms to be previewed. Within the body of the form preview, a field named ‘_wp_http_referer’ is set. This will contain arguments passed through in the URL. Due to a do_shortcode...

2015-05-27

VulnHub - Darknet 1.0 Solution Writeup

I've seen people playing on Vulnhub for quite a while, but have never taken part myself. After spending time training myself, and learning as much as I can in various fields of security, I thought it was about time I took a serious crack at one of...

2015-05-25

NextScripts: Social Networks Auto-Poster 3.4.17, Persistent XSS

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to a Persistent XSS attack on the settings screen, due to a lack of sanitisation of user input and the lack of a CSRF token (nonce).

2015-05-25

Anti-Malware and Brute-Force Security by ELI 4.15.22, Persistent XSS

The Anti-Malware and Brute-Force Security by ELI plugin has two issues which we will cover in this report. The first is that no nonce (CSRF token) is utilized on the settings screen. This could potentially result in resource utilization (by performing a...

2015-05-04

Pie Register 2.0.14-2.0.15, SQL Injection

User input is not validated correctly when accepting an Invitation Code; as such, an SQL Injection attack is possible. This attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are provided to any page, by any user (anonymous...

2015-05-04

Pie Register 2.0.14-2.0.15, Privilege Escalation

User input is not validated correctly when accepting a login request via the Pie Register plugin. It is possible to manipulate posted variables in order to log in using an arbitrary User ID (such as 1, for the default Administrative account).
