← Advisories

Wordpress Securimage-WP Plugin v3.2.4 URI-based XSS Vulnerability

Medium
Advisory ID
ZSL-2013-5140
Release Date
11 May 2013
Vendor
Securimage PHP CAPTCHA - https://wordpress.org/extend/plugins/securimage-wp/
Affected Version
3.2.4
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

Securimage-WP adds powerful CAPTCHA protection to comment forms on posts and pages to help prevent comment spam from getting onto your site.

Description

Securimage-WP suffers from a XSS issue in 'siwp_test.php' that uses the 'PHP_SELF' variable. The vulnerability is present because there isn't any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept
securimage_wp_xss.txtTXT
Disclosure Timeline
24.04.2013Vulnerability discovered.
24.04.2013Contact with the vendor.
24.04.2013Vendor promises patch.
10.05.2013No reply from the vendor.
11.05.2013Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://cxsecurity.com/issue/WLB-2013050098
[2]http://www.securityfocus.com/bid/59816
[3]http://secunia.com/advisories/53376/
[4]http://www.osvdb.org/show/osvdb/93259
[5]http://packetstormsecurity.com/files/121588
[6]http://xforce.iss.net/xforce/xfdb/84186
[7]https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/securimage-wp/securimage-wp-plugin-351-reflected-cross-site-scripting
[8]https://exchange.xforce.ibmcloud.com/vulnerabilities/84186
[9]https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-securimage-wp-cross-site-scripting-3-2-4/
[10]https://wordpress.org/plugins/securimage-wp/#developers
[11]https://plugins.trac.wordpress.org/changeset/729639
Changelog
11.05.2013Initial release
13.05.2013Added reference [1], [2] and [3]
14.05.2013Added reference [4], [5] and [6]
16.12.2022Added reference [7], [8], [9], [10] and [11]