CVE-2017-20096: Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin
A vulnerability classified as problematic has been found in WP-SpamFree Anti-Spam Plugin 2.1.1.4. This affects an unknown part. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely.
Full Disclosure mailing list archives
From: Summer of Pwnage <lists () securify nl>
Date: Wed, 1 Mar 2017 07:02:45 +0100
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin
Radjnies Bhansingh, July 2016
Abstract
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree Anti-Spam WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).
OVE ID
OVE-20160712-0026
Tested versions
This issue was successfully tested on the WP-SpamFree Anti-Spam WordPress Plugin version 2.1.1.4.
Fix
There is currently no fix available.
Details
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_spamfree_anti_spam_wordpress_plugin.html
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.