WordPress iMember360プラグインに脆弱性

wordpressを、会員制サイトにカスタマイズするプラグインである、iMember360プラグインに脆弱性が発見されているようです。

 

OSVDBでは、4つの脆弱性が報告されています。

106298 2014-04-25 iMember360 Plugin for WordPress i4w_dbinfo Parameter Database Credential Disclosure

iMember360 Plugin for WordPress contains a flaw that is triggered when setting the ‘i4w_dbinfo’ parameter. In versions prior to 3.9.001, a remote attacker can gain access to full database credentials (database name, username, password, and encoding). After version 3.9.001, an authenticated attacker must request an admin URL to gain access to this information.

106299 2014-04-25 iMember360 Plugin for WordPress Multiple Parameter Reflected XSS

iMember360 Plugin for WordPress contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the prorgram does not validate input to the ‘decrypt’ and ‘encrypt’ GET parameters before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

106300 2014-04-25 iMember360 Plugin for WordPress i4w_clearuser Parameter Remote User Deletion

iMember360 Plugin for WordPress contains a flaw that is triggered as input passed via the ‘i4w_clearuser’ parameter is not properly sanitized. This may allow a remote attacker to delete users from the database.

106301 2014-04-25 iMember360 Plugin for WordPress i4w_trace Parameter Remote Code Execution

iMember360 Plugin for WordPress contains a flaw that is triggered as input passed via the ‘i4w_trace’ parameter is not properly escaped. With a specially crafted request, an authenticated remote attacker can execute arbitrary code.

 

データベース情報を覗かれたり、クロスサイトスクリプティングを許したりと、致命的な脆弱性と言えます。

 

LINEで送る
Pocket

こんな記事も読まれています