Headline
CVE-2017-20099: Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability
A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical. This issue affects some unknown processing. The manipulation leads to code injection. The attack may be initiated remotely.
Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev
Full Disclosure mailing list archives
From: Summer of Pwnage <lists () securify nl>
Date: Wed, 1 Mar 2017 06:59:09 +0100
------------------------------------------------------------------------ Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability
Yorick Koster, June 2016
Abstract
A PHP Object injection vulnerability was found in the Analytics Stats Counter Statistics WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.
OVE ID
OVE-20160803-0005
Tested versions
This issue was successfully tested on the Analytics Stats Counter Statistics WordPress Plugin version 1.2.2.5.
Fix
There is currently no fix available.
Details
https://sumofpwn.nl/advisory/2016/analytics_stats_counter_statistics_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability Summer of Pwnage (Feb 28)