All In One WP Security & Firewall multiple XSS vulnerabilities (<=4.0.7).

by NinTechNet


NinTechNet identified multiple XSS vulnerabilities in the All In One WP Security & Firewall v4.0.7 plugin.
The affected parameter was 'tab' (all pages):

/wp-admin/admin.php?page=aiowpsec&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_settings&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_useracc&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_userlogin&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_user_registration&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_database&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_whois&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_blacklist&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_brute_force&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_spam&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_filescan&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_maintenance&tab=[XSS]
/wp-admin/admin.php?page=aiowpsec_misc&tab=[XSS]

According to the author, the issue was patched in 4.0.8.
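
A detection check for the request pattern listed above, as an added example that is not part of the original advisory or the plugin's code: it scans web server access-log lines for requests to the affected admin pages whose 'tab' value is not a plain slug. The slug rule, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Admin page slugs listed in the advisory.
AFFECTED_PAGES = {
    "aiowpsec", "aiowpsec_settings", "aiowpsec_useracc", "aiowpsec_userlogin",
    "aiowpsec_user_registration", "aiowpsec_database", "aiowpsec_filesystem",
    "aiowpsec_whois", "aiowpsec_blacklist", "aiowpsec_firewall",
    "aiowpsec_brute_force", "aiowpsec_spam", "aiowpsec_filescan",
    "aiowpsec_maintenance", "aiowpsec_misc",
}
# Assumption: a legitimate tab value is a short slug (letters, digits, _ and -).
SAFE_TAB = re.compile(r"[A-Za-z0-9_-]{0,64}")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2016:10:00:00 +0000] "GET /wp-admin/admin.php?page=aiowpsec_settings&tab=tab2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2016:10:00:07 +0000] "GET /wp-admin/admin.php?page=aiowpsec_firewall&tab=tab1%22%3E%3Cb%3E HTTP/1.1" 200 5300',
    '198.51.100.9 - - [01/Jan/2016:10:01:00 +0000] "GET /wp-admin/admin.php?page=other_plugin&tab=%3Cb%3E HTTP/1.1" 200 4100',
    '198.51.100.9 - - [01/Jan/2016:10:02:00 +0000] "GET /blog/wp-admin/admin.php?page=aiowpsec&tab=a%2522b HTTP/1.1" 200 5000',
]

def suspicious_tab(url):
    """Return the decoded tab value if url hits an affected page with a non-slug tab, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not AFFECTED_PAGES.intersection(query.get("page", [])):
        return None
    for value in query.get("tab", []):
        # parse_qs decodes once, so a double-encoded value still contains '%' and is flagged.
        if not SAFE_TAB.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line number, decoded tab value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        value = suspicious_tab(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious tab value {value!r}")
```

A hit only shows that such a request reached the server; whether it had any effect depends on the installed plugin version, which the advisory says is fixed from 4.0.8.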



