Hello list! I want to warn you about multiple new vulnerabilities in plugin Register Plus Redux for WordPress. Last version of the plugin was checked. These are Cross-Site Scripting, SQL Injection, Code Execution and Full path disclosure vulnerabilities. ------------------------- Affected products: ------------------------- Vulnerable are Register Plus Redux v3.7.3.1 and previous versions. By request of my client I've made new version of the plugin with fixing of all vulnerabilities, which I found. I named this version as Register Plus Redux 3.8 (to distinguish between it and original version of the plugin). So all users of this plugin can find new and secure version of the plugin in Internet. ---------- Details: ---------- XSS (WASC-08): POST request at page http://site/wp-login.php?action=register In field About Yourself. By using function Autocomplete URL it's possible to conduct attack via GET: http://site/wp-login.php?action=register&description=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E At plugin options page the protection against CSRF is used, so it needs to use reflected XSS for bypassing it and conducting of persistent XSS and persistent SQL Injection attacks. Persistent XSS (WASC-08): At set option "Show Invitation Code Tracking widget on Dashboard" in plugin settings and adding invitation code (Add a new invitation code), it's possible to set JS/VBS code. Which will work at page Dashboard (http://site/wp-admin/index.php). Persistent SQL Injection (WASC-19): At set option "Show Invitation Code Tracking widget on Dashboard" in plugin settings and adding invitation code (Add a new invitation code), it's possible to set for SQL Injection. ' and benchmark(1000000,md5(now())) and 1='1 Which will work at visiting of the page Dashboard (http://site/wp-admin/index.php). This is Persistent Blind SQL Injection (http://websecurity.com.ua/2751/). Code Execution (WASC-31): If to have access to plugin settings, it's possible to conduct Code Execution via field Custom Logo URL via uploading of 1.phtml.jpg. It's depends of version of the engine, which I've wrote about in post Code Execution in WordPress 2.5 - 3.1.1 (http://websecurity.com.ua/5108/). This attack will work in versions of engine before WordPress 3.1.3, where developers fixed upload functionality (which is used by the plugin). Full path disclosure (WASC-13): http://site/wp-content/plugins/register-plus-redux/register-plus-redux.php In register-plus-redux.php there is FPD (as in previous versions). And file dash_widget.php (with FPD) was remade to dashboard_invitation_tracking_widget.php, which already has no FPD. Also FPD was fixed at POST request at page http://site/wp-login.php?action=register. But in special way it can be resurrected. At adding of new field in Additional Fields and at setting 1 (or almost any value) in field Options and at turning on the option Show on Registration, FPD will appear at POST request at page http://site/wp-login.php?action=register. Also it's possible to add to the site two FPD vulnerabilities. If to set in Custom Logo URL the address to not image file or just "http://", then there will be showing error message with FPD at pages http://site/wp-admin/options-general.php?page=register-plus-redux and http://site/wp-login.php?action=register. ------------ Timeline: ------------ 2011.11.25 - found vulnerabilities. 2011.11.30 - fixed vulnerabilities. 2011.11.30 - Informed developer. 2011.11.30 - announced at my site. 2011.11.30 - released Register Plus Redux 3.8 (with fixed all vulnerabilities of version 3.7.3.1). 2011.12.05 - released Register Plus Redux 3.8.1 (with new features). 2011.12.29 - disclosed at my site. I mentioned about these vulnerabilities at my site: http://websecurity.com.ua/5532/ Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua