Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 27 May 2015 18:54:55 +0000
From: "Seaman, Chad" <cseaman@...mai.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: CVE Request, multiple WordPress plugins and themes

These two had their formatting mangled, sorry about that.


  * wp-fastest-cache [PLUGIN]
    + url: https://wordpress.org/plugins/wp-fastest-cache/
    + vuln found:
    :--|- XSS

  * leaflet-maps-marker [PLUGIN]
    + url: https://wordpress.org/plugins/leaflet-maps-marker/
    + vuln found:
    :--|- XSS x 2





________________________________
From: Seaman, Chad
Sent: Wednesday, May 27, 2015 2:53 PM
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request, multiple WordPress plugins and themes


​

​I'm not sure if these should be broken down by individual vulnerability or lumped per plugin/theme, there are 21 plugins/themes affected in total.


  * grand-media [PLUGIN]
    + url: https://wordpress.org/plugins/grand-media/
    + vuln found:
    :--|- XSS
    :
    :--|- LFI
    :    |- note: only truly exploitable if user sets ALLOW_NO_EXT == true
    :
    :--|- DoS
    :    |- note: force to recursively call itself via remote 301 redirects, cripples php-fpm w/ nginx
    :
    :--|- Open proxy



  * wp-mobile-edition [PLUGIN]
    + url: https://wordpress.org/plugins/wp-mobile-edition/
    + vuln found:
    :--|- LFI
    :    |- note: pre PHP 5.3 is likely (unconfirmed) suspectible to nullbyte injection, meaning any file can be read
    :
    :--|- OpenProxy
    :
    :--|- DoS
    :    |- note: will process list of files in for loop, aiding DoS capabilities
    :    |- note: follows 301 redirects, can be used to recursively call itself to exhaustion, ​cripples php-fpm w/ nginx
    :
    :--|- e-mail header injection (spam sandwich)
    :    |- note: will throw fatal error, but will send e-mail before doing so.
    :
    :--|- Multiple XSS vulns


* wp-fastest-cache [PLUGIN] + url: https://wordpress.org/plugins/wp-fastest-cache/ + vuln found: :--|- XSS * leaflet-maps-marker [PLUGIN] + url: https://wordpress.org/plugins/leaflet-maps-marker/ + vuln found: :--|- XSS x 2 * landing-pages [PLUGIN] + url: https://wordpress.org/plugins/landing-pages/ + vuln found: :--|- XSS into admin session * extended-catagories-widget [PLUGINS] + url: https://wordpress.org/plugins/extended-categories-widget/ + vuln found: :--|- post auth admin SQLi

  * gallery-images [PLUGINS] && gallery-video [PLUGINS]
    + url: https://wordpress.org/plugins/gallery-images/
    + url: https://wordpress.org/plugins/gallery-video/
    + vuln found:
    :--|- XSS into admin session (image and video gallery are both affected)


  * easy-google-fonts [PLUGIN]
    + url: https://wordpress.org/plugins/easy-google-fonts/
    + vuln found:
    :--|- XSS into admin session


  * cta [PLUGIN]
    + url: https://wordpress.org/plugins/cta/
    + vuln found:
    :--|- CSRF & persistent XSS attack into admin session, and site-wide for visitors


  * constant-contact-api [PLUGIN]
    + url: https://wordpress.org/plugins/constant-contact-api/
    + vuln found:
    :--|- XSS x 2


  * zerif-lite [THEME]
    + url: https://wordpress.org/themes/zerif-lite/
    + vuln found:
    :--|- XSS


  * colorway [THEME]
    + url: https://wordpress.org/themes/colorway/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)
    :
    :--|- XSS x 3


  * charitas-lite [THEME]
    + url: https://wordpress.org/themes/charitas-lite/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)

  * ariwoo [THEME]
    + url: https://wordpress.org/themes/ariwoo/
    + vuln found:
    :--|- e-mail header injection (spam sandwich)
    :
    :--|- XSS x 3


  * kage-green [THEME]
    + url: https://wordpress.org/themes/kage-green/
    + vuln found:
    :--|- XSS


  * intuition [THEME]
    + url: https://wordpress.org/themes/intuition/
    + vuln found:
    :--|- XSS


  * imag-mag [THEME]
    + url: https://wordpress.org/themes/imag-mag/
    + vuln found:
    :--|- XSS

  * fastnews-light [THEME]
    + url: https://wordpress.org/themes/fastnews-light/
    + vuln found:
    :--|- XSS


  * business-directory [THEME]
    + url: https://wordpress.org/themes/business-directory/
    + vuln found:
    :--|- XSS


  * boot-store [THEME]
    + url: https://wordpress.org/themes/boot-store/
    + deps: TheCartPress (https://wordpress.org/plugins/thecartpress/)
    + note: theme must be present, plugin must be present, user must not be logged in.
    + vuln found:
    :--|- XSS

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.