WordPress Symposium Plugin <= 14.10 - Multiple XSS

Software: Symposium
Versions: <= 14.10
Disclosure date: 2014-11-13
CVE: CVE-2014-8809
Classification: Cross Site Scripting (XSS)
OWASP Top 10: A3: Cross Site Scripting (XSS)

Details

These vulnerabilities allow an attacker to inject arbitrary web script or HTML through four parameters: "compose_text" (in a sendMail action to ajax/mail_functions.php), "text" (in an addComment action to ajax/profile_functions.php), "comment" (in an add_comment action to ajax/lounge_functions.php), and "name" (in a create_album action to ajax/gallery_functions.php).

Solution

Update the plugin.
