Severity Rating: High

Systems Affected
· WordPress versions 5.4.1 and prior

Overview
Multiple vulnerabilities have been reported in WordPress that could allow a
remote attacker to perform cross-site scripting attacks, gain elevated
privileges or disclose sensitive information on the targeted system.

Description
These vulnerabilities exist due to insufficient sanitization of
user-supplied data and improper enforcement of security restrictions. A remote
attacker could exploit these vulnerabilities by executing arbitrary script
code in a user's browser.

Successful exploitation of these vulnerabilities could allow the attacker
to perform cross-site scripting attacks, gain elevated privileges or
access sensitive information on the targeted system.

Solution
Upgrade to WordPress version 5.4.2
- -release/

Vendor Information
WordPress

- -release/

References
WordPress
- -release/
Wordfence
- -vulnerabilities/
US-CERT
- -security-and-maintenance-update

Severity Rating: High
Software Affected:
· WordPress plugin before 2.54.6
Overview:
Multiple vulnerabilities have been reported in a WordPress plugin which
could allow an attacker to perform remote code execution on the targeted
system.
Description
1. Cross-Site Scripting Vulnerability (CVE-2020-12675)
This vulnerability exists in the WordPress page builder plugin due to
improper handling of the checks for AJAX functions. An authenticated remote
attacker could exploit this vulnerability by passing a user request
through the AJAX function checks with subscriber-level access or via wp-admin
in an authenticated session on the targeted system. Successful exploitation of
this vulnerability may result in remote command execution to download or
delete arbitrary PHP files or upload arbitrary malicious PHP files to
vulnerable sites.
2. Cross-Site Request Forgery Vulnerability
This vulnerability exists in the WordPress page builder plugin due to
improper handling of user requests for updating the site's settings. A remote
attacker could exploit this vulnerability to forge a request on behalf of a
site's administrator to modify the settings of the plugin. Successful
exploitation of this vulnerability may result in remote command execution,
allowing malicious JavaScript to be injected into vulnerable sites.
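The missing AJAX checks and the forgeable settings update described above, shown as an added example that is not the affected plugin's code: a hypothetical settings handler first without checks, then with a nonce check, a capability check and sanitization. The handler, action, nonce and option names are assumptions; the WordPress functions are core APIs, and the code is meant to run inside a WordPress plugin.

```php
<?php
// Added illustration: 'example_pb_save_settings' and the option/nonce names
// are hypothetical and do not come from any real plugin.

// BEFORE (vulnerable pattern): a wp_ajax_* hook only proves the caller is
// logged in, so a subscriber, or a forged cross-site request sent from an
// administrator's browser, reaches update_option() with unsanitized input.
function example_pb_save_settings_unsafe() {
    update_option( 'example_pb_settings', $_POST['settings'] );
    wp_send_json_success();
}

// AFTER (hardened): nonce first (CSRF), then capability (authorization),
// then sanitization of every stored value (stored XSS).
function example_pb_save_settings() {
    // Terminates the request with 403 if $_POST['nonce'] is missing or invalid.
    check_ajax_referer( 'example_pb_save_settings', 'nonce' );

    // Only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $raw = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Keep scalar values only, with normalized keys and stripped markup.
    $clean = array();
    foreach ( $raw as $key => $value ) {
        if ( is_scalar( $value ) ) {
            $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
        }
    }

    update_option( 'example_pb_settings', $clean );
    wp_send_json_success( array( 'saved' => count( $clean ) ) );
}

// Register only the hardened handler. No wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_pb_save_settings', 'example_pb_save_settings' );
```

The nonce checked here has to be issued to the admin page with `wp_create_nonce( 'example_pb_save_settings' )` and sent back in the `nonce` POST field.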
Solution

Apply appropriate patches as mentioned in the WordPress Bulletin:

elayer-plugin-affect-over-200000-wordpress-sites/

References:
Vendor Information

Wordfence

elayer-plugin-affect-over-200000-wordpress-sites/

Alert Logic

- -vulnerability-cve-2020-12675-in-mappress-plugin-for-wordpress/

CVE Name
CVE-2020-12675
