Cross-Site Scripting Vulnerability in Nextend Facebook Connect Plugin for WordPress
CVE-2014-8800
Currently unrated
What is CVE-2014-8800?
The Nextend Facebook Connect plugin for WordPress has a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. The vulnerability is in the nextend-facebook-settings.php file, where the fb_login_button parameter is improperly handled during the newfb_update_options action. An attacker could exploit this weakness to execute malicious scripts in the context of the affected user, potentially leading to data theft, session hijacking, or other forms of exploitation.