Summary
This host is installed with WordPress
Alipay plugin and is prone to cross-site scripting vulnerability.
Impact
Successful exploitation will allow remote
attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to WordPress Alipay plugin 3.6.2
or later. For updates refer https://wordpress.org/plugins/alipay/
Insight
Input passed via the para_ret['total_fee GET
parameter to inc.tenpay_notify.php script is not validated before returning it to users.
Affected
WordPress Alipay plugin 3.6.0 and earlier
Detection
Send a crafted data via HTTP GET request
and check whether it is able to read cookie or not.
References
Severity
Classification
-
CVE CVE-2014-4514 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Apache Struts2/XWork Remote Command Execution Vulnerability
- Advanced Image Hosting Cross Site Scripting Vulnerability
- Allegro RomPager HTTP Referer Header Cross Site Scripting Vulnerability
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
- Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability