Anti-Malware Security & Brute-Force Firewall <= 4.15.42 - XSS & CSRF

2016-03-23T00:00:00
ID WPVDB-ID:35D8C81C-1D23-4A55-B9C7-E77171AB8B9C
Type wpvulndb
Reporter blinkms
Modified 2019-10-31T23:05:18

Description

The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by an XSS & CSRF security vulnerability.

PoC

XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified. While I scanned a site with that plugin, I had a file '">.png and it was skipped, but the result was JavaScript execution, confirming the existence of an XSS vulnerability. An attacker, when they have access to files, can modify a file and can stop scanning, can hijack cookies, can bypass malware checks / stop the scanning process or redirect to malicious websites as well.

CSRF Vulnerability :- All the forms on the Anti-Malware Security and Brute-Force Firewall Plugin were vulnerable to CSRF as they lack the wp_nonce parameter in all the forms they had.
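As an added example (not code from the gotmls plugin or from this report), a hypothetical WordPress settings page showing the two fixes the report points to: escaping a scanned file name before it is printed in the report, and adding a nonce to the form and verifying it on submit. The example_* function and option names are assumptions; esc_html, wp_nonce_field, check_admin_referer, current_user_can and submit_button are WordPress core functions, so this runs inside WordPress only.

```php
<?php
// Added example, not the plugin's own code. Assumes it is loaded inside WordPress.

/**
 * Render one line of a scan report. A file name such as '">.png is
 * attacker-controlled data: escape it for the HTML context instead of
 * concatenating it raw into the page.
 */
function example_report_line( $path, $status ) {
    // Vulnerable pattern (do NOT use): return "<li>$path: $status</li>";
    return '<li>' . esc_html( $path ) . ': ' . esc_html( $status ) . '</li>';
}

/** Print the settings form with a nonce field bound to a named action. */
function example_render_form() {
    echo '<form method="post">';
    // Emits a hidden input carrying a nonce tied to the action name.
    wp_nonce_field( 'example_scan_settings', 'example_nonce' );
    echo '<label><input type="checkbox" name="skip_png" value="1"> Skip .png files</label><br>';
    submit_button( 'Save' );
    echo '</form>';
}

/**
 * Handle the POST. A forged cross-site request cannot supply a valid nonce,
 * so the save is refused unless both the capability and the nonce check pass.
 */
function example_handle_form() {
    if ( ! isset( $_POST['example_nonce'] ) ) {
        return false; // no nonce at all: not a submission of our form
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return false; // authorization check is separate from the CSRF check
    }
    // Verifies the nonce against the action name; dies with an error on failure.
    check_admin_referer( 'example_scan_settings', 'example_nonce' );
    update_option( 'example_skip_png', empty( $_POST['skip_png'] ) ? 0 : 1 );
    return true;
}
```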