Latest from our blog
Cross-Site Scripting (XSS) in Ad-minister Wordpress plugin
|Product:||Ad-minister Wordpress plugin|
|Vulnerable Versions:||0.6 and probably prior|
|Advisory Publication:||December 5, 2013 [without technical details]|
|Vendor Notification:||December 5, 2013|
|Public Disclosure:||December 26, 2013|
|Latest Update:||December 25, 2013|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
|CVSSv2 Base Score:||2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)|
|Solution Status:||Solution Available|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in Ad-minister Wordpress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
|Vendor did not reply to 3 notifications by email, 1 notification via twitter, 1 forum thread. Currently we are not aware of any official solution for this vulnerability.|
Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23187-patch.zip
| High-Tech Bridge Advisory HTB23187 - https://www.htbridge.com/advisory/HTB23187 - Cross-Site Scripting (XSS) in Ad-minister Wordpress plugin.|
 Ad-minister Wordpress plugin - http://wordpress.org/plugins/ad-minister/ - A complete system for handling advertising, including ad-rotation (with weights), scheduling and support for theme widgets.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® SaaS - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.