====================================================
Product: WooCommerce WordPress plugin
Vendor: WooThemes
Tested Version: 2.2.10
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solved in version 2.2.11
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================

[-] About the Vendor:

WooCommerce is a popular open source WordPress e-commerce plugin with around 6.2 million downloads. It is built by WooThemes and designed for small to large-sized online merchants.

[-] Advisory Details:

The WooCommerce plugin gives users the ability to see their store's performance from month to month using graphs and stats. However, insufficient validation is performed on the request that retrieves the reports, enabling remote execution of arbitrary scripting code in the target's web browser. This scripting code is executed within the security context of the WordPress admin panel.

[-] Proof of Concept:

http://ift.tt/1MGUwCy

[-] Disclosure Timeline:

[28 Jan 2015]: Vendor notification
[29 Jan 2015]: Vulnerability confirmation
[29 Jan 2015]: Vulnerability patched
[19 Feb 2015]: Public disclosure

[-] Solution:

Update to version 2.2.11.

[-] References:

[1] WooCommerce Changelog
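To illustrate the class of defect the advisory describes (a request parameter reflected into a WordPress admin reports screen without validation or escaping) next to the WordPress-idiomatic fix, here is an added example. It is not WooCommerce's code; the parameter name `period`, the page slug `reports`, the function names and the allow-list are assumptions made for illustration.

```php
<?php
// Added illustration, not WooCommerce's code. Assumed: an admin-only reports
// screen that reads a "period" parameter from the request and echoes it back
// into the page as a navigation tab and a hidden form field.

// Vulnerable pattern: raw request data written straight into admin HTML.
// Whatever the request carries is rendered in the administrator's session.
function reports_tab_vulnerable() {
    $period = isset( $_GET['period'] ) ? $_GET['period'] : 'month';
    echo '<a class="nav-tab" href="?page=reports&period=' . $period . '">' . $period . '</a>';
    echo '<input type="hidden" name="period" value="' . $period . '" />';
}

// Hardened pattern: validate against an allow-list first, then escape for the
// exact output context (URL, HTML body, attribute) using WordPress helpers.
function reports_tab_hardened() {
    $allowed = array( 'day', 'week', 'month', 'year' );
    $period  = isset( $_GET['period'] )
        ? sanitize_text_field( wp_unslash( $_GET['period'] ) )
        : 'month';
    if ( ! in_array( $period, $allowed, true ) ) {
        $period = 'month'; // unknown values fall back to a safe default
    }
    $url = add_query_arg( 'period', $period, admin_url( 'admin.php?page=reports' ) );
    echo '<a class="nav-tab" href="' . esc_url( $url ) . '">' . esc_html( $period ) . '</a>';
    echo '<input type="hidden" name="period" value="' . esc_attr( $period ) . '" />';
}
```

The allow-list alone closes the reflected-XSS vector here; the context-specific escaping is kept as a second layer so the output stays safe if the validation is later relaxed.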
Source: Gmail -> IFTTT-> Blogger