Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress.
The issues, most of which are cross-site scripting (XSS) vulnerabilities, could give some users administrative privileges, warns DXW Security, a British firm that found the issues and disclosed them on Monday.
Two XSS vulnerabilities, one reflected and one stored, can be found in version 3.0 of WordPress' iframe plugin. The stored vulnerability could allow users to insert arbitrary HTML into pages and exceed the privileges they were granted, Tom Adams, a developer with the firm, warns.
The reflected XSS vulnerability could expose pages that use “get_params_from_url” to an attack.