Vulnerabilities in WordPress older than 3.8.2, Twitget Plugin and Quick Page Post Redirect Plugin.
This entry was posted in WordPress Security on April 14, 2014 by Mark Maunder 0 Replies
WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165
WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166
What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.
Plugin Vulnerability: CSRF/XSS vulnerability in Twitget 3.3.1. If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). Vulnerability ID: CVE-2014-2559 (not yet published)
What to do: Upgrade to Twitget 3.3.3 or later which contains a fix. Author is aware of the vulnerability and has fixed it.
Plugin Vulnerability: Quick Page/Post Redirect Plugin contains a CSRF and stored XSS vulnerability. Vulnerability ID is: CVE-2014-2598 (not yet published)
What to do: Upgrade to version 5.0.5 or later. Author is aware of vulnerability and has fixed it.