Description

WordPress Plugin Cimy Counter is prone to an HTTP response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. WordPress Plugin Cimy Counter versions prior to 0.9.5 are vulnerable.

Remediation

Update to the latest version

References

http://www.securityfocus.com/bid/41132/exploit

http://www.exploit-db.com/exploits/14057/

http://www.securityfocus.com/archive/1/512003

http://secunia.com/advisories/40258/

Related Vulnerabilities

WordPress Plugin WordPress Popups for Marketing and Email Newsletters, Lead Generation and Conversions by OptinMonster Security Bypass (1.1.4.5)

MySQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-10268)

WordPress Plugin Kraken.io Image Optimizer Cross-Site Request Forgery (2.6.5)

WordPress Plugin Divi Builder Arbitrary File Upload (4.5.2)

WordPress 4.0 Multiple Vulnerabilities (4.0)

Severity

High

Classification

CWE-79 CWE-113 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Http Response Splitting XSS