- Joined
- 11 yrs. 6 mth. 27 days
- Messages
- 5,381
- Reaction score
- 18,380
- Age
- 45
- Wallet
- 11,590$
- [email protected]
The WordPress I Love It theme suffers from cross site scripting, content spoofing, and path disclosure vulnerabilities.
Hello list!
These are Cross-Site Scripting, Content Spoofing and Full path disclosure
vulnerabilities in I Love It theme for WordPress. This is commercial
(premium) theme.
-------------------------
Affected products:
-------------------------
All versions of I Love It theme for WordPress. The theme contains vulnerable
versions of Audio Player and GDD FLVPlayer.
-------------------------
Affected vendors:
-------------------------
CosmoThemes
CosmoThemes » Premium WordPress Themes
----------
Details:
----------
Cross-Site Scripting (WASC-08):
))}catch(e){alert(document. cookie)}//
Content Spoofing (WASC-12):
There are 10 vulnerabilities in GDD FLVPlayer: 8 CS and 2 XSS. Which I
announced recently (??????????? ? GDD FLVPlayer - Websecurity - ??? ???????) and informed developers
of GDD FLVPlayer. These vulnerabilities will be disclosed later.
Full path disclosure (WASC-13):
There are FPD vulnerabilities in index.php and other php-files (in folder
and subfolders).
------------
Timeline:
------------
2013.05.24 - informed CosmoThemes about vulnerabilities in their I Love It
New theme.
2013.07.11 - disclosed at my site (XSS, CS ?? FPD ??????????? ? ???? I Love It ??? WordPress - Websecurity - ??? ???????).
2013.07.12 - informed developers about vulnerabilities in their I Love It
theme.
Hello list!
These are Cross-Site Scripting, Content Spoofing and Full path disclosure
vulnerabilities in I Love It theme for WordPress. This is commercial
(premium) theme.
-------------------------
Affected products:
-------------------------
All versions of I Love It theme for WordPress. The theme contains vulnerable
versions of Audio Player and GDD FLVPlayer.
-------------------------
Affected vendors:
-------------------------
CosmoThemes
CosmoThemes » Premium WordPress Themes
----------
Details:
----------
Cross-Site Scripting (WASC-08):
))}catch(e){alert(document. cookie)}//
Content Spoofing (WASC-12):
There are 10 vulnerabilities in GDD FLVPlayer: 8 CS and 2 XSS. Which I
announced recently (??????????? ? GDD FLVPlayer - Websecurity - ??? ???????) and informed developers
of GDD FLVPlayer. These vulnerabilities will be disclosed later.
Full path disclosure (WASC-13):
There are FPD vulnerabilities in index.php and other php-files (in folder
and subfolders).
------------
Timeline:
------------
2013.05.24 - informed CosmoThemes about vulnerabilities in their I Love It
New theme.
2013.07.11 - disclosed at my site (XSS, CS ?? FPD ??????????? ? ???? I Love It ??? WordPress - Websecurity - ??? ???????).
2013.07.12 - informed developers about vulnerabilities in their I Love It
theme.