WordPress Ultimate Member 1.3.28 Cross Site Scripting Vulnerability

Posted on Posted in Exploit
Full title WordPress Ultimate Member 1.3.28 Cross Site Scripting Vulnerability
Date add 03-12-2015
Category web applications
Platform php
Risk
Security Risk Medium
CVE CVE-2015-8354
Product: Ultimate Member WordPress plugin
Vendor: Ultimate Member
Vulnerable Version(s): 1.3.28 and probably prior
Tested Version: 1.3.28
Advisory Publication:  October 29, 2015  [without technical details]
Vendor Notification: October 29, 2015 
Vendor Patch: October 31, 2015 
Public Disclosure: November 19, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-8354
Risk Level: Medium 
CVSSv3 Base Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered vulnerability in Ultimate Member WordPress plugin, intended for managing users’ profiles. The vulnerability can be used against website administrators to perform Cross-Site Scripting (XSS) attacks. 
 
Anonymous attacker might be able to steal administrator's cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the website administrator follows a specially crafted link with XSS exploit.
 
The vulnerability is caused by absence of filtration of input-data passed via the "_refer" HTTP GET parameter to "wp-admin/users.php" script, when "update" is set to value "confirm_delete". A remote unauthenticated attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
 
A simple exploit below will display JS popup with "ImmuniWeb" word:
 
http://[host]/wp-admin/users.php?update=confirm_delete&_refer='"><script>alert('ImmuniWeb');</script>
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to Ultimate Member 1.3.29

Quelle: 0day.today

Facebooktwittergoogle_plus