wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

CVE-2011-4955/bsuite #606

Closed fgeek closed 10 years ago

fgeek commented 10 years ago

CVE-2011-4955/bsuite http://osvdb.org/74046 "bSuite Plugin for WordPress index.php Multiple Parameter XSS"

bSuite Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the wp-content/plugins/bsuite/ui_stats.php script does not validate the 's' and 'p' parameters upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Solution: The vendor has not updated this product since 2009 and therefore a patch or upgrade that mitigates this problem is unlikely. It is recommended that an alternate software package be used in its place.

Is there a good way to indicate to the end user that this plugin shouldn't be used?

pvdl commented 10 years ago

In the past we had a suggestion to make an Info tag. We decided not to do it (time consuming to update this kind of info). Maybe we should rethink this topic.

ethicalhack3r commented 10 years ago

https://wpvulndb.com/vulnerabilities/7604

We could add notes on WPVULNDB but I don't think it is that important for this plugin judging from how old it is.

fgeek commented 10 years ago

I can see from my scanner that there are at least 250 sites running this plugin in the wild. I do not think age matters.
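As an added illustration of the reporting decision debated in this thread (an "Info" note versus a plain vulnerability entry), the Ruby below models one way a scanner could classify a plugin finding as fixed, unfixed, or abandoned and phrase the end-user advice accordingly. It is example code written for this page, not WPScan's or WPVulnDB's own data model; the record for bsuite is constructed from the OSVDB text quoted above, and the disclosure date is an assumption since the issue gives only the CVE year.

```ruby
require "date"

# Constructed record for the bsuite finding in this issue (OSVDB 74046).
# Field names and the disclosure date are assumptions for this example.
BSUITE_RECORD = {
  plugin: "bsuite",
  last_vendor_release: Date.new(2009, 12, 31), # OSVDB: "not updated since 2009"
  vulns: [
    { title: "bSuite Plugin for WordPress index.php Multiple Parameter XSS",
      cve: "CVE-2011-4955", osvdb: 74046, fixed_in: nil,
      disclosed: Date.new(2011, 1, 1) } # assumed: only the CVE year is known
  ]
}

# Classify a plugin finding and build the lines a scanner would show the user.
#   :fixed      - every known vuln has a fixed_in version (advise an upgrade)
#   :unfixed    - an unfixed vuln exists but the vendor still ships releases
#   :abandoned  - an unfixed vuln exists and the last vendor release predates
#                 the disclosure by more than stale_after_days (advise replacement)
def plugin_advisory(record, today: Date.today, stale_after_days: 365)
  unfixed = record[:vulns].select { |v| v[:fixed_in].nil? }
  if unfixed.empty?
    return { status: :fixed, lines: ["Upgrade #{record[:plugin]} to the fixed version."] }
  end

  last_release = record[:last_vendor_release]
  oldest_disclosure = unfixed.map { |v| v[:disclosed] }.min
  abandoned = last_release < oldest_disclosure &&
              (today - last_release).to_i > stale_after_days

  lines = unfixed.map do |v|
    "#{v[:cve]} (OSVDB #{v[:osvdb]}): #{v[:title]} - no fixed version known"
  end
  if abandoned
    lines << "#{record[:plugin]} has not been updated since #{last_release.year}; a patch is unlikely."
    lines << "Recommendation: remove #{record[:plugin]} and use an alternative plugin."
    { status: :abandoned, lines: lines }
  else
    lines << "Recommendation: disable #{record[:plugin]} until the vendor ships a fix."
    { status: :unfixed, lines: lines }
  end
end

puts plugin_advisory(BSUITE_RECORD, today: Date.new(2014, 6, 1))[:lines]
```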