Related information

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[SECURITY] [DSA 1938-1] New php-mail packages fix insufficient input sanitising

[SECURITY] [DSA 1937-1] New gforge packages fix cross-site scripting

[Bkis-13-2009] e107 Multiple Vulnerabilities

Executing arbitrary PHP code on OpenX <= 2.8.1

From:	MustLive <mustlive_(at)_websecurity.com.ua>
Date:	25.11.2009
Subject:	Vulnerabilities in plugins for WordPress

Hello Bugtraq!

I want to tell you about different vulnerabilities in plugins for WordPress.
About some of them there were posts to the list earlier.

This August I made a summary about all vulnerabilities in plugins for
WordPress (http://websecurity.com.ua/3397/), which I found during 2006-2009.

In this list 135 different vulnerabilities are mentioned in 20 plugins for
WordPress. Including Cross-Site Scripting, Insufficient Anti-automation,
Cross-Site Request Forgery, Directory Traversal, Arbitrary File Deletion,
Denial of Service, Full path disclosure, Insufficient Authorization,
Information Leakage, Abuse of Functionality, HTTP Response Splitting, SQL
Injection and CRLF Injection vulnerabilities.

Most posts mentioned in the list are on Ukrainian (so use Google Translate),
but some of them are on English - posts from my Month of Bugs in Captchas
(MoBiC) project, which I made in 2007. Take care of your plugins for WP and
web sites which use them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua