Vulnerabilities in WordPress older than 3.8.2, Twitget Plugin and Quick Page Post Redirect Plugin.


WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165

WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166

What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.

Plugin Vulnerability: CSRF/XSS vulnerability in Twitget 3.3.1. If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). Vulnerability ID: CVE-2014-2559 (not yet published)

What to do: Upgrade to Twitget 3.3.3 or later, which contains a fix. The author is aware of the vulnerability and has fixed it.
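The pattern behind this class of plugin bug, as an added illustration that is not Twitget's own code: a hypothetical WordPress options page (all `myplugin_*` names are made up) that saves a setting with no nonce or capability check and echoes it back unescaped, followed by the hardened version using WordPress's nonce, capability, sanitisation and escaping functions.

```php
<?php
// Added illustration, not code from the Twitget plugin. The "myplugin_*"
// option, function and nonce names are hypothetical placeholders.

// --- Vulnerable pattern: no nonce, no capability check, raw output ---
function myplugin_options_page_vulnerable() {
    if ( isset( $_POST['myplugin_title'] ) ) {
        // Any POST carrying this field (e.g. a form auto-submitted from a page
        // a logged-in admin visits) changes the option: CSRF.
        update_option( 'myplugin_title', $_POST['myplugin_title'] );
    }
    $title = get_option( 'myplugin_title', '' );
    // The stored value lands straight inside an attribute: stored XSS.
    echo '<form method="post"><input name="myplugin_title" value="' . $title . '"></form>';
}

// --- Hardened form ---
function myplugin_options_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['myplugin_title'] ) ) {
        // Dies unless the request carries a valid nonce bound to this action
        // and the current user, so a cross-site form cannot trigger the save.
        check_admin_referer( 'myplugin_save_options', 'myplugin_nonce' );
        $clean = sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ) );
        update_option( 'myplugin_title', $clean );
    }
    $title = get_option( 'myplugin_title', '' );
    echo '<form method="post">';
    wp_nonce_field( 'myplugin_save_options', 'myplugin_nonce' );
    // esc_attr() encodes quotes and angle brackets for the attribute context.
    echo '<input name="myplugin_title" value="' . esc_attr( $title ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options',
        'myplugin', 'myplugin_options_page_fixed' );
} );
```

When reviewing a plugin, the absence of `check_admin_referer()`/`wp_verify_nonce()` around any `update_option()` call on request data, and of `esc_attr()`/`esc_html()` on its output, is the quick tell for both halves of this bug class.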

Plugin Vulnerability: Quick Page/Post Redirect Plugin contains a CSRF and stored XSS vulnerability. Vulnerability ID: CVE-2014-2598 (not yet published)

What to do: Upgrade to version 5.0.5 or later. The author is aware of the vulnerability and has fixed it.
