[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] WP FuneralPress - Stored XSS in Guestbook
- To: Rob Armstrong <robarmstrong.te71@xxxxxxxxx>
- Subject: Re: [Full-disclosure] WP FuneralPress - Stored XSS in Guestbook
- From: Peter Westwood <westi@xxxxxxxxxxxxxx>
- Date: Sun, 31 Mar 2013 11:58:59 +0100
On 31 Mar 2013, at 08:25, Henri Salo <henri@xxxxxxx> wrote:
> On Sun, Mar 31, 2013 at 11:56:05AM +1300, Rob Armstrong wrote:
>> # WP FuneralPress - stored xss in guestbook
>> #
>> # "FuneralPress is an online website obituary management and guest book
>> program for funeral homes and cemeteries"
>> # http://wpfuneralpress.com/
>> #
>> # tested on: funeralpress version 1.1.6 / wordpress version 3.5.1
>> #
>> # impact:
>> # malicious script execution as wordpress administrator
>> #
>> # author: robarmstrong.te71@xxxxxxxxx
>
> Did you report this to the plugin developer? Is this fixed in some version?
> Does
> this have CVE identifier? It's pretty disturbing if someone actually uses
> vulnerabilities like these to infect others.
Also, I guess this wasn't reported to the plugin review team at WP.org so I
forwarded it to them there - there is a free version of this plugin available
for download there
--
Peter Westwood
Automattic | WordPress.com | WordPress.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/