WordPress qTranslate plugin version 2.5.39 suffers from a cross site scripting vulnerability.
Product: qTranslate WordPress plugin
Vendor: Qian Qin
Vulnerable Version(s): 2.5.39 and probably prior
Tested Version: 2.5.39
Advisory Publication: July 1, 2015 [without technical details]
Vendor Notification: July 1, 2015
Public Disclosure: July 29, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-5535
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in qTranslate WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against website administrators. Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application, if the victim visits a malicious page with XSS exploit. This vulnerability can also be used to perform drive-by-download or phishing attacks against website administrators.
Input passed via "edit" HTTP GET parameter to "/wp-admin/options-general.php" is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
A simple exploit below will display a JS popup with "ImmuniWeb" word:
http://wordpress/wp-admin/options-general.php?page=qtranslate&edit=%22%3E%3Cscript%3Ealert%28%2FImmuniWeb%2F%29%3B%3C%2Fscript%3E
-----------------------------------------------------------------------------------------------
Solution:
Disclosure timeline:
2015-07-01 Vendor notified via email, no reply.
2015-07-10 Vendor notified via emails and support thread on the WordPress plugin page, no reply.
2015-07-17 Vendor notified via emails, no reply.
2015-07-28 Fix requested via emails, no reply.
2015-07-29 Public disclosure.
Currently we are not aware of any official solution from the vendor. As at temporary solution we strongly recommend disabling the vulnerable plugin.
# 0day.today [2018-01-17] #