Summary
This host is running WordPress Comment Rating Plugin and prone to cross site scripting and SQL injection vulnerabilities.
Impact
Successful exploitation will allow attacker to insert arbitrary HTML and script code or cause SQL Injection attack to gain sensitive information.
Impact Level: Application
Solution
Upgrade to WordPress Comment Rating plugin version 2.9.24 or later. For updates refer to http://wordpress.org/extend/plugins/comment-rating/
Insight
The flaws are due to an,
- Improper validation of user-supplied input passed to the 'id' parameter in '/wp-content/plugins/comment-rating/ck-processkarma.php' before using it in an SQL query, which allows attackers to execute arbitrary SQL commands in the context of an affected site.
- Improper validation of user-supplied input passed to the 'path' parameter in '/wp-content/plugins/comment-rating/ck-processkarma.php', which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Affected
WordPress Comment Rating plugin version 2.9.20
References