BulletProof Security Pro › Wordfence Security Vulnerability – Cross-site scripting XSS vulnerability in Wordfence Security
This topic has 0 replies, 1 voice, and was last updated 10 years, 3 months ago by AITpro Admin.
AITpro Admin (Keymaster)

Wordfence Security Vulnerability: XSS security vulnerability in the Wordfence Security plugin: 5-2016 – Wordfence Security versions 6.1.1 to 6.1.6.
Wordfence Security Vulnerability: XSS security vulnerability in the Wordfence Security plugin: 12-2015 – vulnerable Wordfence Security versions: below 6.0.22
Wordfence Security Vulnerabilities: Cross-site scripting (XSS) security vulnerability in the Wordfence Security plugin: 11-2014 – vulnerable Wordfence versions: below 5.1.4
Reference: http://www.cvedetails.com/cve/CVE-2014-4664/
Allows remote attackers to inject arbitrary web script or HTML via the whoisval parameter on the Wordfence Security Whois page to wp-admin/admin.php.

CVSS Scores & Vulnerability Types
- CVSS Score: 4.3
- Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
- Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
- Availability Impact: None (There is no impact to the availability of the system.)
- Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
- Authentication: Not required (Authentication is not required to exploit the vulnerability.)
- Gained Access: None
- Vulnerability Type(s): Cross Site Scripting
- CWE ID: 79

YouTube video of the Wordfence Security Cross-site scripting XSS vulnerability being exploited: Wordfence Security Cross-site scripting XSS vulnerability
Related Wordfence Security Vulnerabilities Topics: Wordfence Security Vulnerabilities
UPDATE:
I was not aware that Wordfence Security is leading the pack for security vulnerabilities. Makes me wonder about the real goal and intention of the Wordfence Security post about BulletProof Security vulnerabilities and other plugins' security vulnerabilities, i.e. was it to take some of the heat off of Wordfence security vulnerabilities? The timing of when the latest Wordfence security vulnerabilities were reported and when Wordfence decided to start creating lots of posts about other plugins' security vulnerabilities is a bit suspicious. 😉

Wordfence security plugin listed in the top 10 WordPress plugins with the most security vulnerabilities:
“Top 10 Most Vulnerable WordPress Plugins”: https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/

Top 10 Most Vulnerable WordPress Plugins
Here are some worrying facts about the Top 10 most vulnerable WordPress plugins:
- 5 of them are commercial plugins
- These plugins were downloaded around 21 million times
- 1 of these plugins is a WordPress security plugin
https://wpvulndb.com/plugins/wordfence
- 2014-12-08 Wordfence <= 5.1.4 – Cross-Site Scripting (XSS) fixed in version 5.1.5
- 2014-12-01 Wordfence 5.2.2 – XSS in Referer Header fixed in version 5.2.3
- 2014-10-07 Wordfence <= 5.2.4 – Multiple Vulnerabilities (XSS & Bypasses) fixed in version 5.2.5
- 2014-09-27 Wordfence 5.2.3 – Multiple Vulnerabilities fixed in version 5.2.4
- 2014-09-22 Wordfence 5.2.3 – Banned IP Functionality Bypass fixed in version 5.2.4
- 2014-09-22 Wordfence 5.2.4 – IPTraf.php URI Request Stored XSS fixed in version 5.2.5
- 2014-09-22 Wordfence 5.2.4 – Unspecified Issue fixed in version 5.2.5
- 2014-08-01 Wordfence 3.8.1 – wp-admin/admin.php whois Parameter Stored XSS fixed in version 3.8.3
- 2014-08-01 Wordfence 3.3.5 – XSS and IAA fixed in version 3.3.7
- 2014-08-01 Wordfence 3.8.6 – lib/IPTraf.php User-Agent Header Stored XSS fixed in version 3.8.7
- 2014-08-01 Wordfence 3.8.1 – Password Creation Restriction Bypass fixed in version 3.8.3
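The whoisval issue described in the post is a reflected XSS: a request parameter is written back into the admin page without HTML escaping. The following is an added example (Python, not code from this forum post or from the Wordfence plugin) showing how to test any renderer for that class of bug with one harmless probe per metacharacter, and why escaping only `<` and `>` is not enough when the value lands inside a quoted attribute. The three renderers are constructed stand-ins for how a page might echo a parameter, and the canary prefix `wfcanary` is an assumption.

```python
import html

# Constructed marker: a prefix unlikely to occur naturally, followed by one
# metacharacter per probe. None of this reproduces Wordfence's actual output.
PREFIX = "wfcanary"
METACHARS = ['<', '>', '"', "'"]   # break out of text or attribute context


def unescaped_metachars(render, prefix=PREFIX, metachars=METACHARS):
    """Probe `render` once per metacharacter and return those that come back raw.

    `render` is any callable mapping a parameter value to the HTML it produces
    (in a live test it would issue the request and return the response body).
    A metacharacter that is reflected as &lt; / &quot; etc. is not reported.
    """
    raw = []
    for ch in metachars:
        probe = prefix + ch
        body = render(probe)
        if probe in body:            # prefix immediately followed by the raw char
            raw.append(ch)
    return raw


def classify(render):
    """Summarise a renderer as 'safe' or list which characters it reflects raw."""
    raw = unescaped_metachars(render)
    return "safe" if not raw else "reflected unescaped: " + "".join(raw)


# --- constructed renderers (hypothetical, for illustration only) -------------

def render_verbatim(value):
    # Vulnerable pattern: parameter dropped into the page unchanged.
    return "<p>Whois lookup for " + value + "</p>"


def render_attr_partial(value):
    # Still vulnerable: < and > are escaped, but the value sits inside a
    # double-quoted attribute and quotes are left alone, so a " breaks out.
    return ('<input type="text" name="q" value="'
            + html.escape(value, quote=False) + '">')


def render_escaped(value):
    # Hardened pattern: full HTML escaping before output, the equivalent of
    # WordPress's esc_html()/esc_attr() for the respective context.
    return "<p>Whois lookup for " + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    for name, renderer in [("verbatim", render_verbatim),
                           ("attr_partial", render_attr_partial),
                           ("escaped", render_escaped)]:
        print(f"{name:13s} -> {classify(renderer)}")
```

Probing one metacharacter at a time, rather than sending a script tag, keeps the check non-destructive and still tells you which output context is broken: a raw `"` with escaped `<` points at an attribute-context bug that a text-context fix would miss.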