Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27969
HistoryApr 23, 2012 - 12:00 a.m.

New XSS vulnerabilities in Register Plus Redux for WordPress

2012-04-2300:00:00
vulners.com
10

Hello 3APA3A!

I want to warn you new about security vulnerabilities in Register Plus Redux for WordPress.

These are Cross-Site Scripting vulnerabilities. After finding and fixing of 36 vulnerabilities in plugin Register Plus Redux in the end of previous year, I've released my version of the plugin with fixed vulnerabilities of original plugin. And recently during security audit of web site, on which Register Plus Redux was using, I've found two new XSS vulnerabilities in this plugin (which also take place on forks of this plugin).


Affected products:

Affected functionality appeared in Register Plus Redux potentially from version 3.7.2.

Vulnerable are original Register Plus Redux and all plugins based on it. Particularly vulnerable are Register Plus Redux 3.7.2 and next versions, my versions Register Plus Redux 3.8 - 3.8.3, Register Plus Redux Auto Login 3.8.1 and previous versions.

At 25.03.2012 I've fixed these vulnerabilities in my version Register Plus Redux 3.8.4.


Details:

XSS (WASC-08):

At page http://site/wp-login.php?action=register in parameters user_login and user_email.

http://websecurity.com.ua/uploads/2012/Register%20Plus%20Redux%20XSS-1.html

http://websecurity.com.ua/uploads/2012/Register%20Plus%20Redux%20XSS-2.html

These vulnerabilities are concerned with variable-width-encoding (with using of this technique it's possible to bypass protection filters). These exploits are for IE6, for other browsers other characters need to be used (this attack is possible in old browsers).


Timeline:

2012.03.25 - found these vulnerabilities in the plugin.
2012.03.25 - fixed these vulnerabilities in my version of the plugin
(Register Plus Redux 3.8.4).
2012.03.26-27 - informed users of my plugin and supplied them with new
version.
2012.03.27 - disclosed at my site.
2012.03.28 - informed developer of original plugin.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5745/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua