High Risk Vulnerabilities in WordPress and Horde

By ISBuzz Team, Writer, Information Security Buzz | Oct 12, 2015 05:00 pm PST

IT security company High-Tech Bridge's Research Team has identified high-risk vulnerabilities in the Calls to Action WordPress plugin and in the open source collaboration suite Horde Groupware.

Ilia Kolochenko, CEO of High-Tech Bridge:

  • High-Tech Bridge's research team has identified two reflected XSS vulnerabilities in the Calls to Action WordPress plugin, which can influence the execution of code and open back doors into 10,000+ live WordPress websites for hackers to exploit and steal personal data. Vulnerable versions are 2.4.3 and probably prior.

InboundNow, the developer of the plug-in, has been notified of these vulnerabilities.

Details of this research can be found HERE.

Impact: personal data theft and compromise via XSS

Stats: Visit HERE.

  • High-Tech Bridge has identified a Remote Code Execution vulnerability via CSRF in Horde Groupware.

Horde Groupware was notified of this vulnerability on 30 September but, as of today, there has been no response and the vulnerability still remains. The vulnerability can be exploited via a remote code executable via Cross-Site Request Forgery (CSRF) to compromise customers' data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users.

Details of this research can also be found HERE.

Impact: remote code execution via CSRF

Stats: Visit HERE.

USEFUL INFO: High-Tech Bridge's blog post explains the threats posed by old plugins, passwords and extensions on popular CMSs such as WordPress, which every business should be aware of.
