Vigil@nce - WordPress wp-football: multiple vulnerabilities
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of type XSS in
wp-football for WordPress.
– Impacted products: WordPress Plugins
– Severity: 2/4
– Creation date: 28/10/2014
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in wp-football.
An attacker can trigger a Cross Site Scripting in the league
parameter of the page football_classification.php, in order to
execute JavaScript code in the context of the web site.
[severity:2/4]
An attacker can trigger a Cross Site Scripting in
football_criteria.php, in order to execute JavaScript code in the
context of the web site. [severity:2/4]
An attacker can trigger a Cross Site Scripting via the f parameter
of the page football-functions.php, in order to execute JavaScript
code in the context of the web site. [severity:2/4]
An attacker can trigger a Cross Site Scripting via the id
parameter of the pages football_groups_list.php,
football_matches_list.php, football_matches_phase.php,
football_phases_list.php, in order to execute JavaScript code in
the context of the web site. [severity:2/4]
An attacker can trigger a Cross Site Scripting via thge parameter
id_league in the page football_matches_load.php, in order to
execute JavaScript code in the context of the web site.
[severity:2/4]
An attacker can trigger a Cross Site Scripting in
template_default_preview.php, in order to execute JavaScript code
in the context of the web site. [severity:2/4]
An attacker can trigger a Cross Site Scripting in
template_worldCup_preview.php, in order to execute JavaScript code
in the context of the web site. [severity:2/4]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WordPress-wp-football-multiple-vulnerabilities-15553