Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLiran SegalPACKETSTORM:132432
HistoryJun 24, 2015 - 12:00 a.m.

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

2015-06-2400:00:00
Liran Segal
packetstormsecurity.com
28

0.002 Low

EPSS

Percentile

60.2%

JSON
`Wordpress “Nextend Twitter Connect”  
===================================  
Document Title:  
===============  
WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)  
  
  
Download URL:  
  
=============  
  
https://wordpress.org/plugins/nextend-twitter-connect/  
  
  
  
Release Date:  
  
=============  
2015-06-20  
  
  
Vulnerability CVE ID:  
  
=====================  
CVE-2015-4557  
  
  
Vulnerability Disclosure Timeline:  
  
==================================  
2015 – 06 – 15 First notified to WordPress.  
2015 – 06 – 15 First notified to plugin vendor .  
2015 – 06 – 15 First notified to Mitre for CVE number.  
2015 – 06 – 16 Vendor publish update for the plugin.  
2015 – 06 – 22 Public Disclosure.  
  
  
Discovery Status:  
  
=================  
  
Published  
  
  
Severity Level:  
  
===============  
  
High  
  
  
Technical Details, Description & Proof of Concept (PoC):  
  
========================================================  
  
After installing Wordpress I add the plugin "Nextend Twitter Connect" witch allow you to login Wordpress with Twitter account.  
  
During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.  
http://www.siz.co.il/my.php?i=hvmwzqo0tmjw.png  
  
  
To reach to root of the problem, I took a look in the plugin source code and realized that the “new_Twitter_sign_button” witch located in the file “nextend-Twitter-connect.php”.  
  
The problematic function are locate in line 492:  
http://www.siz.co.il/my.php?i=bndijzkozjdy.png  
  
  
As you can see in the line 492, the function don’t escapes HTML tags or other dangerous symbols.  
  
When attacker injects the Javascript code in the URL the function runs the code, as you can see:  
  
http://www.siz.co.il/my.php?i=ni4jzmzjmrni.png  
  
And pop the alert window.  
  
  
Solution - Fix & Patch:  
  
=======================  
  
In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)  
  
As you can see in the image:  
http://www.siz.co.il/my.php?i=yjz4jmie4m1g.png  
  
  
  
Wordpress “Nextend Google Connect”  
===================================  
Document Title:  
===============  
WordPress “Nextend Google Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)  
  
  
Download URL:  
  
=============  
  
https://wordpress.org/plugins/nextend-google-connect/  
  
  
  
Release Date:  
  
=============  
2015-06-20  
  
  
Vulnerability CVE ID:  
  
=====================  
CVE-2015-4557  
  
  
Vulnerability Disclosure Timeline:  
  
==================================  
2015 – 06 – 15 First notified to WordPress.  
2015 – 06 – 15 First notified to plugin vendor .  
2015 – 06 – 15 First notified to Mitre for CVE number.  
2015 – 06 – 16 Vendor publish update for the plugin.  
2015 – 06 – 22 Public Disclosure.  
  
  
Discovery Status:  
  
=================  
  
Published  
  
  
Severity Level:  
  
===============  
  
High  
  
  
Technical Details, Description & Proof of Concept (PoC):  
  
========================================================  
  
After installing Wordpress I add the plugin "Nextend Google Connect" witch allow you to login Wordpress with Google account.  
  
During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.  
http://www.siz.co.il/my.php?i=yzjzqwyn4qo3.png  
  
  
To reach to root of the problem, I took a look in the plugin source code and realized that the “new_google_sign_button” witch located in the file “nextend-Google-connect.php”.  
  
The problematic function are locate in line 433:  
  
http://www.siz.co.il/my.php?i=z4dnntazxkmz.png  
  
  
As you can see in the line 433, the function don’t escapes HTML tags or other dangerous symbols.  
  
When attacker injects the Javascript code in the URL the function runs the code, as you can see:  
  
http://www.siz.co.il/my.php?i=0omtugeig1z0.png  
  
  
  
And pop the alert window.  
  
  
Solution - Fix & Patch:  
  
=======================  
  
In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)  
  
As you can see in the image:  
http://sizmedia.com/my.php?i=zmnjdljwthmm.png  
  
  
Liran Segal (Bugsec Information Security LTD)  
  
Regards,  
Liran Segal  
Penetration Testing  
BugSec Cyber & Information Security  
  
____________________________________________________________________________________________________________________________________________________________________________________________  
  
  
Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351  
  
Mail: [email protected]<mailto:[email protected]> Site: www.bugsec.com<http://www.bugsec.com/>  
  
[úéàåø: úéàåø: úéàåø: bugsec_car_logo]<http://www.bugsec.com/>  
Would you know if you’re under attack?  
[úéàåø: cid:[email protected]]<http://www.cyber-spear.com/>  
  
`

Related

wpvulndb 1
prion 1
nvd 1
cve 1
cvelist 1
wpvulndb
wpvulndb
Nextend Twitter Connect <= 1.5.1 - Reflected Cross-Site Scripting (XSS)
2015-06-24 00:00:00
prion
prion
Cross site scripting
2018-04-12 15:29:00
nvd
nvd
CVE-2015-4557
2018-04-12 15:29:00
cve
cve
CVE-2015-4557
2018-04-12 15:29:00
cvelist
cvelist
CVE-2015-4557
2018-04-12 15:00:00

0.002 Low

EPSS

Percentile

60.2%

JSON
Related for PACKETSTORM:132432
wpvulndb1prion1nvd1cve1cvelist1