Bugtraq: Cross-Site Scripting in Magic Fields 1 WordPress Plugin

————————————————————————

Cross-Site Scripting in Magic Fields 1 WordPress Plugin

————————————————————————

Burak Kelebek, July 2016

————————————————————————

Abstract

————————————————————————

A reflected Cross-Site Scripting vulnerability has been encountered in

the Magic Fields 1 WordPress plugin. This issue allows an attacker to

perform a wide variety of actions, such as stealing Administrators’

session tokens, or performing arbitrary actions on their behalf.

————————————————————————

OVE ID

————————————————————————

OVE-20160724-0019

————————————————————————

Tested versions

————————————————————————

This issue was successfully tested on Magic Fields 1 version 1.7.1.

————————————————————————

Fix

————————————————————————

This issue is addressed in the 1.7.2 version of Magic Fields 1. You can

obtain the most recent version on the following location:

https://github.com/hunk/Magic-Fields/releases

————————————————————————

Details

————————————————————————

https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_magic_fields_1

_wordpress_plugin.html

————————————————————————

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its

goal is to contribute to the security of popular, widely used OSS

projects in a fun and educational way.

[ reply ]

Source: SecurityFocus Vulnerabilities @ March 1, 2017 at 02:06AM

0
Share