Vulners
Lucene search
WordPress Navis DocumentCloud 0.1 Cross Site Scripting
🗓️ 27 Aug 2015 00:00:00Reported by Harry MetcalfeType 
packetstorm🔗 packetstormsecurity.com👁 44 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | WordPress Navis DocumentCloud 0.1 Cross Site Scripting Vulnerability | 28 Aug 201500:00 | – | zdt |
 | WordPress Navis DocumentCloud Plugin Cross-Site Scripting Vulnerability | 6 Sep 201500:00 | – | cnvd |
 | CVE-2015-2807 | 1 Sep 201514:00 | – | cve |
 | CVE-2015-2807 | 1 Sep 201514:00 | – | cvelist |
 | EUVD-2015-2895 | 7 Oct 202500:30 | – | euvd |
 | Navis DocumentCloud <0.1.1 - Cross-Site Scripting | 6 Jun 202603:01 | – | nuclei |
 | CVE-2015-2807 | 1 Sep 201514:59 | – | nvd |
 | WordPress Navis DocumentCloud Plugin <= 0.1.0 - XSS | 31 Mar 201500:00 | – | patchstack |
 | Cross site scripting | 1 Sep 201514:59 | – | prion |
 | Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) | 26 Aug 201500:00 | – | wpvulndb |
10
`Details
================
Software: Navis DocumentCloud
Version: 0.1
Homepage: https://wordpress.org/plugins/navis-documentcloud/
Advisory report: https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
CVE: CVE-2015-2807
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
Description
================
Publicly exploitable XSS in WordPress plugin Navis Documentcloud
Vulnerability
================
This plugin contains the following code in js/window.php:
$SITEURL .= $_GET[ ‘wpbase’ ];
// snip
<script src=”https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js”></script>
<script src=”<?php echo $SITEURL; ?>wp-includes/js/tinymce/tiny_mce_popup.js”></script>
Which is a trivially exploitable XSS.
Proof of concept
================
Visit the following page on a site with this plugin installed. Note that the plugin need not be active:
http://yourwordpresssite/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%22%3Ealert(%27xss%27)%3C/script%3E%3Cscript%20src=%22
NB: this proof of concept may not work in browsers with XSS protection features.
Mitigations
================
This plugin is no longer maintained, so if at all possible, switch to using the DocumentCloud plugin https://wordpress.org/plugins/documentcloud/.
If this is not possible, upgrade to version 0.1.1 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2015-03-31 – Discovered
2015-03-31 – Requested CVE
2015-07-14 – Reported to [email protected]
2015-07-14 – Vendor responded saying they’ll get in touch with the developer
2015-08-24 – Vendor reported the issue fixed in version 0.1.1
Discovered by dxw:
================
Harry Metcalfe
Please visit security.dxw.com for more information.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Aug 2015 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.0689