Do you need assistance with malware removal, security or moving your website ? Contact us – we can help !

Security Alerts

You are here: Home » Security Alerts
May 27, 2013
27 May 2013

WordPress Spider Event Calendar Plugin 1.3.0 – Multiple Vulnerabilities

Janek Vind “waraxe” reports multiple Vulnerability in WordPress Spider Event Calender Plugin

Details

Spider Event Calendar Plugin for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to certain functions in the calendar_functions.php script not properly sanitizing user-supplied input. This includes input passed via the ‘order_by’ parameter to the show_spider_calendar() function, the ‘calendar_id’ and ‘order_by’ parameters to the show_spider_event() function, the ‘id’ parameter to the spider_calendar_published() and published_spider_event() functions, and the ‘calendar_id’ parameter to the edit_spider_event() and add_spider_event() functions. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data

Recommended Action:

Disable or Replace plugin until update becomes available.

Info

Platform: WordPress
Type: Plugin
Plugin: Spider Event Calendar Plugin for WordPress
Vendor: http://wordpress.org/extend/plugins/spider-event-calendar/
Version: 1.3.0
Google Dork: inurl:/wp-content/plugins/spider-event-calendar

0 Comments/1 Tweets/in Security Alerts, WordPress
May 25, 2013
25 May 2013

WordPress ProPlayer Plugin 4.7.9.1 – SQL Injection Vulnerability

Ashiyane Digital Security Team reports SQL Injection Vulnerability in WordPress ProPlayer Plugin

Details

ProPlayer Plugin for WordPress contains a flaw that allows SQL Injection. This flaw exists in the wp-content/plugins/proplayer/playlist-controller.php  script does permite SQL Injection via the id parameter.

Recommended Action:

Disable or Replace plugin until update becomes available. Last update to plugin in November 2011 – so don’t hold your breath.

Recommended alternative: http://www.helpwithdata.com/vooplayer

Info

Platform: WordPress
Type: Plugin
Plugin: ProPlayer Plugin for WordPress
Vendor: http://wordpress.org/plugins/proplayer/
Version: 4.7.9.1
Google Dork: inurl:/wp-content/plugins/asset-manager

0 Comments/1 Tweets/in Security, Security Alerts, WordPress
April 29, 2013
29 Apr 2013

WordPress FuneralPress Plugin XSS Vulnerability

robarmstrong.te71@gmail.com reports XSS Vulnerability in WordPress FuneralPress Plugin

Details

There appears to be some basic xss protection on form submissions using <textarea name=”message”> and code injected via this element is not served up on the guestbook admin page.

Despite this, scripts injected via an iframe or embedded svg will be executed by anyone viewing the guestbook at http://site/obituaries/?id=1&f=guestbook on the condition that the post is approved by the site administrator. The chances of an administrator approving a malicious message are increased if some normal-looking text is inserted above the malicious code, resulting in a legitimate looking “Message Preview” field on the admin page.

Recommended Action:

Remove plugin

Info

Platform: WordPress
Type: Plugin
Plugin: Wordpress FuneralPress
Vendor: http://wpfuneralpress.com/
Version: 1.1.6
Google Dork: inurl:/obituaries

0 Comments/1 Tweets/in Security Alerts

Pages

Categories

Archive

© Copyright - HelpWithData.com - Web Design and SEO Optimisation by Help-With-Data

Facebook

Twitter