JVN#24834813: Multiple BestWebSoft WordPress plugins vulnerable to cross-site scripting

2017-05-16T00:00:00
ID JVN:24834813
Type jvn
Reporter Japan Vulnerability Notes
Modified 2017-05-16T00:00:00

## Description

Multiple WordPress plugins provided by BestWebSoft use a common function for displaying the BestWebSoft menu. This function contains a cross-site scripting vulnerability (CWE-79).

## Impact

An arbitrary script may be executed on the logged-in user's web browser.

## Solution

### Update the plugin

Update the plugin according to the information provided by the developer.

## Products Affected

The following WordPress plugins are affected:

  • Captcha prior to version 4.3.0
  • Car Rental prior to version 1.0.5
  • Contact Form Multi prior to version 1.2.1
  • Contact Form prior to version 4.0.6
  • Contact Form to DB prior to version 1.5.7
  • Custom Admin Page prior to version 0.1.2
  • Custom Fields Search prior to version 1.3.2
  • Custom Search prior to version 1.36
  • Donate prior to version 2.1.1
  • Email Queue prior to version 1.1.2
  • Error Log Viewer prior to version 1.0.6
  • Facebook Button prior to version 2.54
  • Featured Posts prior to version 1.0.1
  • Gallery Categories prior to version 1.0.9
  • Gallery prior to version 4.5.0
  • Google +1 prior to version 1.3.4
  • Google AdSense prior to version 1.44
  • Google Analytics prior to version 1.7.1
  • Google Captcha (reCAPTCHA) prior to version 1.28
  • Google Maps prior to version 1.3.6
  • Google Shortlink prior to version 1.5.3
  • Google Sitemap prior to version 3.0.8
  • Htaccess prior to version 1.7.6
  • Job Board prior to version 1.1.3
  • Latest Posts prior to version 0.3
  • Limit Attempts prior to version 1.1.8
  • LinkedIn prior to version 1.0.5
  • Multilanguage prior to version 1.2.2
  • PDF & Print prior to version 1.9.4
  • Pagination prior to version 1.0.7
  • Pinterest prior to version 1.0.5
  • Popular Posts prior to version 1.0.5
  • Portfolio prior to version 2.4
  • Post to CSV prior to version 1.3.1
  • Profile Extra prior to version 1.0.7
  • PromoBar prior to version 1.1.1
  • Quotes and Tips prior to version 1.32
  • Re-attacher prior to version 1.0.9
  • Realty prior to version 1.1.0
  • Relevant - Related Posts prior to version 1.2.0
  • Sender prior to version 1.2.1
  • SMTP prior to version 1.1.0
  • Social Buttons Pack prior to version 1.1.1
  • Subscriber prior to version 1.3.5
  • Testimonials prior to version 0.1.9
  • Timesheet prior to version 0.1.5
  • Twitter Button prior to version 2.55
  • User Role prior to version 1.5.6
  • Updater prior to version 1.35
  • Visitors Online prior to version 1.0.0
  • Zendesk Help Center prior to version 1.0.5
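
To apply the list above to a site, the following added example (not code from JVN or BestWebSoft) parses "Name prior to version X" lines and flags installed plugins older than the fixed version. The inventory is constructed sample data, and matching plugins by the advisory's display names is an assumption.

```python
import re

# Constructed sample: six lines copied from the advisory's "Products Affected" list.
ADVISORY_TEXT = """
  • Captcha prior to version 4.3.0
  • Custom Search prior to version 1.36
  • Google Shortlink prior to version 1.5.3
  • Latest Posts prior to version 0.3
  • Relevant - Related Posts prior to version 1.2.0
  • Visitors Online prior to version 1.0.0
"""
# Constructed inventory, keyed by the advisory's display names (an assumption).
INVENTORY = {"Captcha": "4.2.9", "Custom Search": "1.4", "Google Shortlink": "1.5.3",
             "Latest Posts": "0.3.1", "Visitors Online": "0.9-beta", "Hello Dolly": "1.6"}

ENTRY = re.compile(r"^\s*[•*-]?\s*(.+?)\s+prior to version\s+(\d+(?:\.\d+)*)\s*$")

def parse_advisory(text):
    """Map lower-cased plugin name -> first fixed version string."""
    return {m.group(1).casefold(): m.group(2)
            for m in map(ENTRY.match, text.splitlines()) if m}

def version_key(version, width=4):
    """'1.36' -> (1, 36, 0, 0). Components compare as integers, so 1.4 < 1.36,
    as PHP's version_compare() does for purely numeric versions."""
    parts = [int(p) for p in version.strip().split(".")]  # ValueError if non-numeric
    return tuple(parts + [0] * (width - len(parts)))

def audit(inventory, fixed_versions):
    """Return (name, installed, fixed, status) for each plugin named in the advisory."""
    findings = []
    for name, installed in sorted(inventory.items()):
        fixed = fixed_versions.get(name.casefold())
        if fixed is None:
            continue  # not covered by this advisory
        try:
            status = "vulnerable" if version_key(installed) < version_key(fixed) else "fixed"
        except ValueError:
            status = "unparsed"  # e.g. '0.9-beta': needs a manual check
        findings.append((name, installed, fixed, status))
    return findings

if __name__ == "__main__":
    for row in audit(INVENTORY, parse_advisory(ADVISORY_TEXT)):
        print("{:<18} installed {:<9} fixed in {:<6} {}".format(*row))
```

Comparing these versions as decimals would wrongly treat Custom Search 1.4 as newer than 1.36, which is why each component is compared as an integer.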