Source: Patchstack
Reporter: MustLive
Patchstack ID: PATCHSTACK:FF9804344DC66554B1511B767ABE9E02
History: May 15, 2015 - 12:00 a.m.

WordPress RokBox Plugin <= 2.13 - Multiple Vulnerabilities

Published: 2015-05-15 00:00:00
Author: MustLive
Source: patchstack.com
Tags: wordpress rokbox, plugin, vulnerabilities, update, cross site scripting, arbitrary file upload, path disclosure, error log disclosure

This plugin is prone to multiple vulnerabilities:

  1. Path Disclosure via thumb.php “src” parameter.
  2. Cross site scripting in thumb.php “src” parameter.
  3. Direct request path disclosure in rokbox.php.
  4. Arbitrary file upload via thumb.php “src” parameter.
  5. Direct request error log information disclosure in error_log.
  6. Cross site scripting in jwplayer/jwplayer.swf “abouttext” parameter.

Because of these vulnerabilities, attackers can obtain sensitive information, perform certain administrative actions, gain unauthorized access, upload arbitrary files or bypass certain security restrictions.

Solution

Update the plugin.

Affected configurations

Vulners

  Node      Range
  rokbox    2.13

  Vendor    Product    Version    CPE
  -         rokbox     *          cpe:2.3:a:-:rokbox:*:*:*:*:*:*:*:*