This repository has been archived by the owner on Oct 12, 2021. It is now read-only.

bug in plugin detection #10

d4op opened this issue Sep 2, 2017 · 1 comment
d4op commented Sep 2, 2017

[i] Name: wysija-newsletters - v2.7.11.3
[!]RCE : MailPoet Newsletters 2.6.6 - Theme File Upload Handling Remote Code Execution - ID:6680
| Fixed in 2.6.7
| References:
- http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
- http://www.openwall.com/lists/oss-security/2014/07/02/1
- Metasploit exploit/unix/webapp/wp_wysija_newsletters_upload
- Exploitdb 33991
- Cve 2014-4725
- Secunia 59455
[!]SQLI : Wysija Newsletters 2.2 - SQL Injection - ID:6681
| Fixed in 2.2.1
| References:
- https://www.htbridge.com/advisory/HTB23140
- http://packetstormsecurity.com/files/120089/
- http://seclists.org/bugtraq/2013/Feb/29
- http://cxsecurity.com/issue/WLB-2013020039
- Cve 2013-1408
[!]XSS : Wysija Newsletters - swfupload Cross-Site Scripting - ID:6682
| Fixed in 2.1.7
| References:
- http://brindi.si/g/blog/vulnerable-swf-bundled-in-wordpress-plugins.html
- Secunia 51249
[!]UNKNOWN : MailPoet Newsletters 2.6.7 - helpers/back.php page Parameter Unspecified Issue - ID:7573
| Fixed in 2.6.8
| References:
- http://www.securityfocus.com/bid/68462/
- Cve 2014-4726
[!]CSRF : MailPoet Newsletters 2.6.10 - Unspecified CSRF - ID:7574
| Fixed in 2.6.11
| References:
- Cve 2014-3907
[!]XSS : MailPoet Newsletters <= 2.6.19 - Unauthenticated Reflected Cross-Site Scripting (XSS) - ID:8373
| Fixed in 2.7
| References:
- https://www.netsparker.com/ns-16-002-xss-vulnerability-identified-in-mailpoet-newsletters/
[!]XSS : MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) - ID:8617
| Fixed in 2.7.3
| References:
- https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_vulnerability_in_mailpoet_newsletters_plugin.html
- http://seclists.org/fulldisclosure/2016/Sep/17
[!]SQLI : MailPoet Newsletters <= 2.7.2 - SQL Injection - ID:8618
| Fixed in 2.7.3
| References:
- https://plugins.trac.wordpress.org/changeset/1469869/wysija-newsletters
[i] Name: contact-form-7 - v4.9
[i] Name: wp-members - v3.1.9.1
[!]XSS : WP-Members 2.8.9 - profile.php Multiple Parameter Stored XSS - ID:7079
| Fixed in 2.8.10
| References:
- http://packetstormsecurity.com/files/124720/
- http://www.securityfocus.com/bid/64713/
- Secunia 56271
[!]XSS : WP-Members 2.8.9 - wp-login.php register Action Multiple Parameter Reflected XSS - ID:7080
| Fixed in 2.8.10
| References:
- http://packetstormsecurity.com/files/124720/
- http://www.securityfocus.com/bid/64713/
- Secunia 56271
[!]XSS : WP-Members <= 3.1.7 - Authenticated Cross-Site Scripting (XSS) - ID:8858
| Fixed in 3.1.8
| References:
- https://jvn.jp/en/jp/JVN51355647/index.html
- https://plugins.trac.wordpress.org/changeset/1667369/#file12
- Cve 2017-2222

Why does it show me vulns of older versions even if all is up-to-date?


d4op commented Sep 2, 2017

Why does it show me vulns of older versions even if all is up-to-date?

@swisskyrepo swisskyrepo added the bug label Sep 3, 2017
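
One way to triage a report like the one in this issue, added here as an example (it is not the scanner's own code): it parses the three line types and marks a finding as applicable only when the detected version is below its "Fixed in" release. The function names and the sample input are constructed for illustration; versions are compared numerically per component, since as plain strings "2.7.11.3" sorts below "2.7.3".

```python
import re

# Constructed sample: a few entries in the format of the report above.
SAMPLE = """\
[i] Name: wysija-newsletters - v2.7.11.3
[!]RCE : MailPoet Newsletters 2.6.6 - Theme File Upload Handling Remote Code Execution - ID:6680
| Fixed in 2.6.7
[!]SQLI : MailPoet Newsletters <= 2.7.2 - SQL Injection - ID:8618
| Fixed in 2.7.3
[i] Name: contact-form-7 - v4.9
[i] Name: wp-members - v3.1.9.1
[!]XSS : WP-Members <= 3.1.7 - Authenticated Cross-Site Scripting (XSS) - ID:8858
| Fixed in 3.1.8
"""

NAME_RE = re.compile(r"^\[i\] Name: (\S+) - v(\S+)$")
VULN_RE = re.compile(r"^\[!\]\s*\w+\s*:\s*.+ - ID:(\d+)$")
FIXED_RE = re.compile(r"^\|\s*Fixed in (\S+)$")


def version_key(version):
    """'2.7.11.3' -> (2, 7, 11, 3); non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_fixed(installed, fixed_in):
    """True when the installed version is at or above the fixed release."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))  # pad so that 4.9 compares equal to 4.9.0
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(report):
    """Return (plugin, installed, vuln_id, fixed_in, applies) per finding."""
    findings, plugin, installed = [], None, None
    for line in map(str.strip, report.splitlines()):
        if m := NAME_RE.match(line):
            plugin, installed = m.groups()
        elif m := VULN_RE.match(line):
            # Kept as applicable until a 'Fixed in' line says otherwise.
            findings.append([plugin, installed, int(m.group(1)), None, True])
        elif (m := FIXED_RE.match(line)) and findings and installed:
            findings[-1][3] = m.group(1)
            findings[-1][4] = not is_fixed(installed, m.group(1))
    return [tuple(f) for f in findings]
```

Calling `triage(SAMPLE)` returns one tuple per finding; for the versions in this sample every finding comes back with `applies` set to `False`.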