Summary
This host is installed with Wordpress
Sexy Squeeze Pages and is prone to cross site scripting vulnerability.
Impact
Successful exploitation will allow remote
attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site.
Impact Level: Application
Solution
No solution or patch is available as of
20th February, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://instasqueeze.com
Insight
Flaw is due to the /instasqueeze/lp/index.php
script does not validate input to the 'id' parameter before returning it to users.
Affected
Wordpress InstaSqueeze Sexy Squeeze
Pages Plugin
Detection
Send a crafted data via HTTP GET request
and check whether it is able to read cookie or not.
References
Severity
Classification
-
CVE CVE-2014-9176 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- An Image Gallery Multiple Cross-Site Scripting Vulnerability
- AjaXplorer 'doc_file' Parameter Local File Disclosure Vulnerability
- AN Guestbook Local File Inclusion Vulnerability
- 11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
- Adiscon LogAnalyzer 'highlight' Parameter Cross Site Scripting Vulnerability