Wordpress Contact Form 7 Integrations Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Wordpress Contact Form 7 Integrations and is prone to multiple cross site scripting vulnerabilities.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to version 1.3.11 or later, For updates refer to https://wordpress.org/plugins/contact-form-7-integrations

Insight

Flaws are due to the includes/toAdmin.php script does not validate input passed via 'uE' and 'uC' parameters.

Affected

Wordpress Contact Form 7 Integrations version 1.0 to 1.3.10

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://research.g0blin.co.uk/cve-2014-6445
http://www.osvdb.com/112170
https://wordpress.org/plugins/contact-form-7-integrations/changelog

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-6445

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

A Really Simple Chat Multiple XSS Vulnerabilities
Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities
Andromeda Streaming MP3 Server Cross Site Scripting Vulnerability
Allaire JRun directory browsing vulnerability
Allegro RomPager HTTP Referer Header Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities