The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of WordPress Plugins: multiple Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of several WordPress Plugins, in order to run JavaScript code in the context of the web site.
Severity of this threat: 2/4.
Number of vulnerabilities in this bulletin: 30.
Creation date: 12/04/2016.
Revision date: 15/04/2016.
References of this weakness: CVE-2016-1000126, CVE-2016-1000127, CVE-2016-1000128, CVE-2016-1000129, CVE-2016-1000130, CVE-2016-1000131, CVE-2016-1000132, CVE-2016-1000133, CVE-2016-1000134, CVE-2016-1000135, CVE-2016-1000136, CVE-2016-1000137, CVE-2016-1000138, CVE-2016-1000139, CVE-2016-1000140, CVE-2016-1000141, CVE-2016-1000142, CVE-2016-1000143, CVE-2016-1000144, CVE-2016-1000145, CVE-2016-1000146, CVE-2016-1000147, CVE-2016-1000148, CVE-2016-1000149, CVE-2016-1000150, CVE-2016-1000151, CVE-2016-1000152, CVE-2016-1000153, CVE-2016-1000154, CVE-2016-1000155, VIGILANCE-VUL-19346.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of several WordPress Plugins, in order to run JavaScript code in the context of the web site.

Here is the list of vulnerable plugins:
 - admin-font-editor v1.8
 - ajax-random-post v2.00
 - anti-plagiarism v3.60
 - defa-online-image-protector v3.3
 - e-search v1.0
 - hdw-tube v1.2
 - heat-trackr v1.0
 - hero-maps-pro v2.1.0
 - indexisto v1.0.5
 - infusionsoft v1.5.11
 - new-year-firework v1.1.9
 - page-layout-builder v1.9.3
 - parsi-font v4.2.5
 - photoxhibit v2.1.8
 - pondol-formmail v1.1
 - s3-video v0.983
 - simpel-reserveren v3.5.2
 - simplified-content v1.0.0
 - tidio-form v1.0
 - tidio-gallery v1.1
 - whizz v1.0.7
 - wpsolr-search-engine v7.6

This security threat impacts software or systems such as WordPress Plugins (the list is not comprehensive).

Our Vigil@nce team rated the severity of this vulnerability note as medium.

The trust level is "confirmed by a trusted third party", with a document as the origin.

This bulletin is about 30 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat

WordPress Plugins: workaround.
A workaround is to disable the following plugins:
 - admin-font-editor v1.8
 - ajax-random-post v2.00
 - anti-plagiarism v3.60
 - defa-online-image-protector v3.3
 - e-search v1.0
 - hdw-tube v1.2
 - heat-trackr v1.0
 - hero-maps-pro v2.1.0
 - indexisto v1.0.5
 - infusionsoft v1.5.11
 - new-year-firework v1.1.9
 - page-layout-builder v1.9.3
 - parsi-font v4.2.5
 - photoxhibit v2.1.8
 - pondol-formmail v1.1
 - s3-video v0.983
 - simpel-reserveren v3.5.2
 - simplified-content v1.0.0
 - tidio-form v1.0
 - tidio-gallery v1.1
 - whizz v1.0.7
 - wpsolr-search-engine v7.6
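To apply the workaround you first need to know which of the listed plugins a site actually has installed, and at which version. The script below is an added illustration, not Vigil@nce's or WordPress's own tooling: it reads the CSV that WP-CLI prints for `wp plugin list --fields=name,version,status --format=csv`, matches each row against the slugs and versions named in this bulletin, and emits the `wp plugin deactivate` commands for the affected plugins that are currently active. The inventory embedded in the script is a constructed sample so that it runs offline; on a real site, pipe the WP-CLI output into `check_plugins` instead. The bulletin names one version per plugin and no fixed version, so an installed version newer than the listed one is reported as "newer" (a prompt to read that plugin's changelog), not treated as safe.

```python
"""Check a WordPress plugin inventory against the plugins named in
VIGILANCE-VUL-19346 and emit WP-CLI commands to deactivate the affected ones.

Added illustration, not Vigil@nce's or WordPress's own tooling. Input is the
CSV printed by `wp plugin list --fields=name,version,status --format=csv`;
the sample inventory at the bottom is constructed so the script runs offline.
"""
import csv
import io
import re

# Plugin slug -> version named in the bulletin (copied from the list above).
AFFECTED = {
    "admin-font-editor": "1.8",
    "ajax-random-post": "2.00",
    "anti-plagiarism": "3.60",
    "defa-online-image-protector": "3.3",
    "e-search": "1.0",
    "hdw-tube": "1.2",
    "heat-trackr": "1.0",
    "hero-maps-pro": "2.1.0",
    "indexisto": "1.0.5",
    "infusionsoft": "1.5.11",
    "new-year-firework": "1.1.9",
    "page-layout-builder": "1.9.3",
    "parsi-font": "4.2.5",
    "photoxhibit": "2.1.8",
    "pondol-formmail": "1.1",
    "s3-video": "0.983",
    "simpel-reserveren": "3.5.2",
    "simplified-content": "1.0.0",
    "tidio-form": "1.0",
    "tidio-gallery": "1.1",
    "whizz": "1.0.7",
    "wpsolr-search-engine": "7.6",
}


def parse_version(text):
    """Turn '1.9.3', '2.00' or '0.983' into a tuple of ints. A non-numeric
    suffix such as '1.0-beta' is dropped rather than raising."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) or (0,)


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing version a to b. The shorter tuple is
    padded with zeros so that 2.00 and 2.0.0 compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def check_plugins(csv_text):
    """Return one dict per installed plugin whose slug appears in the bulletin.
    status is 'listed' for the exact version from the bulletin, 'older' or
    'newer' otherwise. The bulletin names no fixed version, so 'newer' is a
    prompt to read the plugin's changelog, not a clearance."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = row["name"].strip()
        if slug not in AFFECTED:
            continue
        outcome = compare_versions(row["version"], AFFECTED[slug])
        findings.append({
            "name": slug,
            "version": row["version"].strip(),
            "active": row.get("status", "").strip() == "active",
            "status": {-1: "older", 0: "listed", 1: "newer"}[outcome],
        })
    return findings


def deactivate_commands(findings):
    """WP-CLI commands for the bulletin's workaround: deactivate every
    affected plugin that is currently active (inactive ones need no action)."""
    return ["wp plugin deactivate %s" % f["name"] for f in findings if f["active"]]


# Constructed sample inventory, not real output from any site.
SAMPLE_INVENTORY = """name,version,status
akismet,3.1.11,active
s3-video,0.983,active
hero-maps-pro,2.1.0,inactive
wpsolr-search-engine,7.5,active
tidio-gallery,1.2,active
"""

if __name__ == "__main__":
    findings = check_plugins(SAMPLE_INVENTORY)
    for finding in findings:
        print(finding)
    for command in deactivate_commands(findings):
        print(command)
```

Deactivating a plugin is the bulletin's workaround, not a fix: the plugin files stay on disk, so also check whether the plugin exposes any PHP file that can be requested directly, and re-run the inventory after every plugin update so a reactivated or reinstalled plugin does not go unnoticed.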

Computer vulnerabilities tracking service

Vigil@nce provides patches for system vulnerabilities. The Vigil@nce vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.