- April 30, 2014
- WordPress vulnerability information
Vulnerabilities in the WordPress iMember360 plugin
Vulnerabilities have reportedly been discovered in iMember360, a plugin that turns WordPress into a membership site.
OSVDB lists four vulnerabilities for it.
| OSVDB ID | Date | Title | Description |
|---|---|---|---|
| 106298 | 2014-04-25 | iMember360 Plugin for WordPress i4w_dbinfo Parameter Database Credential Disclosure | iMember360 Plugin for WordPress contains a flaw that is triggered when setting the ‘i4w_dbinfo’ parameter. In versions prior to 3.9.001, a remote attacker can gain access to full database credentials (database name, username, password, and encoding). After version 3.9.001, an authenticated attacker must request an admin URL to gain access to this information. |
| 106299 | 2014-04-25 | iMember360 Plugin for WordPress Multiple Parameter Reflected XSS | iMember360 Plugin for WordPress contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to the ‘decrypt’ and ‘encrypt’ GET parameters before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. |
| 106300 | 2014-04-25 | iMember360 Plugin for WordPress i4w_clearuser Parameter Remote User Deletion | iMember360 Plugin for WordPress contains a flaw that is triggered as input passed via the ‘i4w_clearuser’ parameter is not properly sanitized. This may allow a remote attacker to delete users from the database. |
| 106301 | 2014-04-25 | iMember360 Plugin for WordPress i4w_trace Parameter Remote Code Execution | iMember360 Plugin for WordPress contains a flaw that is triggered as input passed via the ‘i4w_trace’ parameter is not properly escaped. With a specially crafted request, an authenticated remote attacker can execute arbitrary code. |
Exposing database credentials and allowing cross-site scripting, among other things, makes these critical vulnerabilities.
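For a site operator who wants to know whether these four issues have already been probed, the following added example (not part of the original post and not iMember360's own code) triages web-server access logs for requests that carry the parameter names the OSVDB entries cite: `i4w_dbinfo`, `decrypt`, `encrypt`, `i4w_clearuser` and `i4w_trace`. The log lines are constructed for illustration, and the script assumes nothing about which URL path each parameter belongs to, since the advisories do not say; it matches on the query string of any request.

```python
"""Triage access logs for requests touching the iMember360 parameters named in
OSVDB 106298-106301. Added example; log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the four OSVDB entries, mapped to entry and impact.
WATCHED_PARAMS = {
    "i4w_dbinfo": ("OSVDB-106298", "database credential disclosure"),
    "decrypt": ("OSVDB-106299", "reflected XSS"),
    "encrypt": ("OSVDB-106299", "reflected XSS"),
    "i4w_clearuser": ("OSVDB-106300", "remote user deletion"),
    "i4w_trace": ("OSVDB-106301", "remote code execution"),
}

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2014:10:12:01 +0900] "GET /wp-admin/admin.php?page=imember360&i4w_dbinfo=1 HTTP/1.1" 200 5120
198.51.100.7 - - [30/Apr/2014:10:13:44 +0900] "GET /?decrypt=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 880
192.0.2.9 - - [30/Apr/2014:10:14:02 +0900] "GET /members/?i4w_clearuser=42 HTTP/1.1" 302 0
192.0.2.9 - - [30/Apr/2014:10:15:30 +0900] "GET /wp-login.php HTTP/1.1" 200 2300
203.0.113.5 - - [30/Apr/2014:10:16:11 +0900] "POST /index.php?i4w_trace=1 HTTP/1.1" 500 0
"""


def parse_line(line):
    """Return a dict of log fields plus decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # keep_blank_values so "?i4w_dbinfo" with no value still counts as present;
    # parse_qs already percent-decodes the values.
    rec["params"] = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    return rec


def triage(log_text):
    """Return one hit per watched parameter seen in each request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            if name in WATCHED_PARAMS:
                osvdb, kind = WATCHED_PARAMS[name]
                hits.append({
                    "ip": rec["ip"], "time": rec["ts"], "status": rec["status"],
                    "param": name, "value": values[0], "osvdb": osvdb, "kind": kind,
                })
    return hits


def summarize(hits):
    """Group the OSVDB entries probed by each source address."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["osvdb"])
    return {ip: sorted(ids) for ip, ids in by_ip.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["osvdb"]} ({h["kind"]}): '
              f'{h["param"]}={h["value"]!r} -> HTTP {h["status"]}')
    print(summarize(found))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a hit on `i4w_dbinfo` with HTTP 200 from an unauthenticated client on a version before 3.9.001 is the case the first entry describes, while hits on `i4w_clearuser` and `i4w_trace` deserve a check of the user table and the server for changes made around that time.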