WordPress Max Banner Ads 1.9 Cross Site Scripting

2015.03.05
Credit: Wang Jing
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

*WordPress "Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security Vulnerabilities* Exploit Title: Wordpress "Max Banner Ads" Plugin /info.php &zone_id Parameter XSS Security Vulnerabilities Product: Wordpress "Max Banner Ads" Plugin Vendor: MaxBlogPress Vulnerable Versions: 1.9 1.8 1.4 1.3.* 1.2.* 1.1 1.09 Tested Version: Check All Related Versions' Source Code Advisory Publication: Mar 04, 2015 Latest Update: Mar 04, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: * Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Advisory Details:* *(1) Vendor & Product Description:* *Vendor:* MaxBlogPress *Product & Version:* Wordpress "Max Banner Ads" Plugin 1.9 1.8 1.4 1.3.7 1.3.6 1.3.5 1.3.4 1.3.3 1.3.2 1.3.1 1.3 1.2.7 1.2.6 1.2.5 1.2 1.1 1.09 *Vendor URL & Download:* Wordpress "Max Banner Ads" Plugin can be downloaded from here, http://www.maxblogpress.com/plugins/ *Product Introduction:* "Easily add and rotate banners in your wordpress blog anywhere you like without editing any themes or touching any codes" *(2) Vulnerability Details:* Wordpress "Max Banner Ads" Plugin has a web application security bug problem. It can be exploited by XSS (Cross-site Scripting) attacks. *(2.1) *The vulnerability occurs at "info.php?" page with "zone_id" parameter. *References:* http://tetraph.com/security/xss-vulnerability/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/wordpress-max-banner-ads-plug-in-xss.html http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/ https://itinfotechnology.wordpress.com/2015/03/04/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/ http://lists.kde.org/?a=139222176300014&r=1&w=2 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top