oss-security - CVE request for XSS and CSRF vulnerability in wordpress plugin WP-Stats

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Wed, 17 Jun 2015 14:04:28 +0200
From: Sebastian Wolfgang Kraemer | HSASec <Sebastian.Kraemer@...Augsburg.de>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: cve-assign@...re.org
Subject: CVE request for XSS and CSRF vulnerability in wordpress plugin WP-Stats

Greetings,

we discovered a vulnerability in the following component and want to
request a CVE for it:

Product-Type:     
Wordpress Plugin

Product:         
WP-Stats (https://de.wordpress.org/plugins/wp-stats/)

Version:         
2.51

Vendor:         
lesterchan@...il.com

Fixed:             
reported: 2015-06-16
fixed in version 2.52, 2015-06-17

Changelog:         
https://wordpress.org/plugins/wp-stats/changelog/

PoC available:     
yes

Description:
persistent XSS in wordpress-admin-panel enabled by csrf-vulnerability in
admin-menu of plugin

Researchers:
* Michael Kapfer (Michael.Kapfer@...augsburg.de)
* Sebastian Kraemer (Sebastian.Kraemer@...sec.de)


Best regards,
 the HSASec-Team
 (https://www.hsasec.de)
 


Download attachment "smime.p7s" of type "application/pkcs7-signature" (5123 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.