VaultPress – Remote Code Execution via Man in The Middle attack

fulldisclosure logo
Full Disclosure
mailing list archives

VaultPress – Remote Code Execution via Man in The Middle attack


From: Summer of Pwnage <lists () securify nl>

Date: Wed, 1 Mar 2017 07:11:00 +0100


------------------------------------------------------------------------
VaultPress - Remote Code Execution via Man in The Middle attack
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Man in The Middle (MiTM) vulnerability has been identified in the
VaultPress plugin of WordPress. This issue allows an attacker to to
sniff clear-text communication and to run arbitrary PHP code on the
affected WordPress host.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160728-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on VaultPress WordPress Plugin
version 1.8.4

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/vaultpress___remote_code_execution_via_man_in_the_middle_attack.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


  By Date  
     
  By Thread  

Current thread:

  • VaultPress – Remote Code Execution via Man in The Middle attack Summer of Pwnage (Feb 28)

Source: Full Disclosure @ March 1, 2017 at 03:17AM

0
Share