Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can use several vulnerabilities of type XSS in
wp-football for WordPress.

– Impacted products: WordPress Plugins
– Severity: 2/4
– Creation date: 28/10/2014

DESCRIPTION OF THE VULNERABILITY

Several vulnerabilities were announced in wp-football.

An attacker can trigger a Cross Site Scripting in the league
parameter of the page football_classification.php, in order to
execute JavaScript code in the context of the web site.
[severity:2/4]

An attacker can trigger a Cross Site Scripting in
football_criteria.php, in order to execute JavaScript code in the
context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via the f parameter
of the page football-functions.php, in order to execute JavaScript
code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via the id
parameter of the pages football_groups_list.php,
football_matches_list.php, football_matches_phase.php,
football_phases_list.php, in order to execute JavaScript code in
the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via thge parameter
id_league in the page football_matches_load.php, in order to
execute JavaScript code in the context of the web site.
[severity:2/4]

An attacker can trigger a Cross Site Scripting in
template_default_preview.php, in order to execute JavaScript code
in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting in
template_worldCup_preview.php, in order to execute JavaScript code
in the context of the web site. [severity:2/4]

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/WordPress-wp-football-multiple-vulnerabilities-15553