Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29556
HistoryJul 15, 2013 - 12:00 a.m.

XSS, CS and FPD vulnerabilities in I Love It theme for WordPress

2013-07-1500:00:00
vulners.com
16
JSON

Hello 3APA3A!

These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities in I Love It theme for WordPress. This is commercial (premium) theme.

Affected products:

All versions of I Love It theme for WordPress. The theme contains vulnerable versions of Audio Player and GDD FLVPlayer.

Affected vendors:

CosmoThemes
http://cosmothemes.com

Details:

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/iloveit/lib/php/assets/player.swf?playerID=%22))}catch(e){alert(document.cookie)}//

Content Spoofing (WASC-12):

http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf

There are 10 vulnerabilities in GDD FLVPlayer: 8 CS and 2 XSS. Which I announced recently (http://websecurity.com.ua/6642/) and informed developers of GDD FLVPlayer. These vulnerabilities will be disclosed later.

Full path disclosure (WASC-13):

http://site/wp-content/themes/iloveit/

There are FPD vulnerabilities in index.php and other php-files (in folder and subfolders).

Timeline:

2013.05.24 - informed CosmoThemes about vulnerabilities in their I Love It New theme.
2013.07.11 - disclosed at my site (http://websecurity.com.ua/6646/).
2013.07.12 - informed developers about vulnerabilities in their I Love It theme.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON