WordPress Google Analyticator Cross Site Scripting
Google Analyticator (WP Plugin) - WordPress Google Analyticator Cross Site Scripting
Google Analyticator (WP Plugin) - Multiple XSS
Advisory ID: RO-15-005
CVE ID: CVE-2015-6238
Severity: Medium
Vendor: Sudar
Product: Google Analyticator WordPress Plugin
Version: *
Overview #
Multiple Cross-site Scripting (XSS) vulnerabilities exist in the Google Analyticator WordPress Plugin. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
Vulnerability Details #
Affected Versions: All versions before patch
Root Cause: Insufficient input validation and output encoding on multiple parameters allows XSS attacks.
Exploitation Requirements #
No authentication required for some vectors
Victim must visit crafted URLs or pages
Impact #
Remote attackers can exploit these vulnerabilities to:
Steal WordPress admin session cookies
Perform actions on behalf of admin users
Compromise the WordPress installation
Proof of Concept #
Details available upon request.
Solution #
Upgrade to a patched version of Google Analyticator that includes proper input sanitization.
References #
CVE-2015-6238
Timeline:
[2015-01-01] - Discovered
Credits: Omar Kurt