Cross-Site Scripting Vulnerability in Wordfence Security Plugin for WordPress
CVE-2014-4664
Currently unrated
Summary
A cross-site scripting vulnerability exists in the Wordfence Security plugin for WordPress prior to version 5.1.4. It allows remote attackers to inject arbitrary web script or HTML via a crafted 'whoisval' parameter on the WordfenceWhois page, which is processed by wp-admin/admin.php. Successful exploitation runs the injected script in the context of the victim's browser, potentially leading to data theft, session hijacking, or website defacement.