Vulners
Lucene search
WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | Multiple Cross-Site Scripting Vulnerabilities in Multiple WordPress Plugins | 8 Jul 201500:00 | – | cnvd |
 | CVE-2015-4557 | 12 Apr 201815:00 | – | cve |
 | CVE-2015-4557 | 12 Apr 201815:00 | – | cvelist |
 | EUVD-2015-4577 | 7 Oct 202500:30 | – | euvd |
 | CVE-2015-4557 | 12 Apr 201815:29 | – | nvd |
 | Cross site scripting | 12 Apr 201815:29 | – | prion |
 | Nextend Twitter Connect <= 1.5.1 - Reflected Cross-Site Scripting (XSS) | 24 Jun 201500:00 | – | wpvulndb |
`Wordpress Nextend Twitter Connect
===================================
Document Title:
===============
WordPress Nextend Twitter Connect Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)
Download URL:
=============
https://wordpress.org/plugins/nextend-twitter-connect/
Release Date:
=============
2015-06-20
Vulnerability CVE ID:
=====================
CVE-2015-4557
Vulnerability Disclosure Timeline:
==================================
2015 06 15 First notified to WordPress.
2015 06 15 First notified to plugin vendor .
2015 06 15 First notified to Mitre for CVE number.
2015 06 16 Vendor publish update for the plugin.
2015 06 22 Public Disclosure.
Discovery Status:
=================
Published
Severity Level:
===============
High
Technical Details, Description & Proof of Concept (PoC):
========================================================
After installing Wordpress I add the plugin "Nextend Twitter Connect" witch allow you to login Wordpress with Twitter account.
During my test I find out that the redirect_to parameter is vulnerable to Reflected XSS attack.
http://www.siz.co.il/my.php?i=hvmwzqo0tmjw.png
To reach to root of the problem, I took a look in the plugin source code and realized that the new_Twitter_sign_button witch located in the file nextend-Twitter-connect.php.
The problematic function are locate in line 492:
http://www.siz.co.il/my.php?i=bndijzkozjdy.png
As you can see in the line 492, the function dont escapes HTML tags or other dangerous symbols.
When attacker injects the Javascript code in the URL the function runs the code, as you can see:
http://www.siz.co.il/my.php?i=ni4jzmzjmrni.png
And pop the alert window.
Solution - Fix & Patch:
=======================
In order to solve this security flaw you need to add the htmlentities function. (http://php.net/htmlentities)
As you can see in the image:
http://www.siz.co.il/my.php?i=yjz4jmie4m1g.png
Wordpress Nextend Google Connect
===================================
Document Title:
===============
WordPress Nextend Google Connect Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)
Download URL:
=============
https://wordpress.org/plugins/nextend-google-connect/
Release Date:
=============
2015-06-20
Vulnerability CVE ID:
=====================
CVE-2015-4557
Vulnerability Disclosure Timeline:
==================================
2015 06 15 First notified to WordPress.
2015 06 15 First notified to plugin vendor .
2015 06 15 First notified to Mitre for CVE number.
2015 06 16 Vendor publish update for the plugin.
2015 06 22 Public Disclosure.
Discovery Status:
=================
Published
Severity Level:
===============
High
Technical Details, Description & Proof of Concept (PoC):
========================================================
After installing Wordpress I add the plugin "Nextend Google Connect" witch allow you to login Wordpress with Google account.
During my test I find out that the redirect_to parameter is vulnerable to Reflected XSS attack.
http://www.siz.co.il/my.php?i=yzjzqwyn4qo3.png
To reach to root of the problem, I took a look in the plugin source code and realized that the new_google_sign_button witch located in the file nextend-Google-connect.php.
The problematic function are locate in line 433:
http://www.siz.co.il/my.php?i=z4dnntazxkmz.png
As you can see in the line 433, the function dont escapes HTML tags or other dangerous symbols.
When attacker injects the Javascript code in the URL the function runs the code, as you can see:
http://www.siz.co.il/my.php?i=0omtugeig1z0.png
And pop the alert window.
Solution - Fix & Patch:
=======================
In order to solve this security flaw you need to add the htmlentities function. (http://php.net/htmlentities)
As you can see in the image:
http://sizmedia.com/my.php?i=zmnjdljwthmm.png
Liran Segal (Bugsec Information Security LTD)
Regards,
Liran Segal
Penetration Testing
BugSec Cyber & Information Security
____________________________________________________________________________________________________________________________________________________________________________________________
Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351
Mail: [email protected]<mailto:[email protected]> Site: www.bugsec.com<http://www.bugsec.com/>
[úéàåø: úéàåø: úéàåø: bugsec_car_logo]<http://www.bugsec.com/>
Would you know if youre under attack?
[úéàåø: cid:[email protected]]<http://www.cyber-spear.com/>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jun 2015 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.00413