Hello Bugtraq! I want to warn you about security vulnerabilities in plugin WP-UserOnline for WordPress. ----------------------------- Advisory: Vulnerabilities in WP-UserOnline for WordPress ----------------------------- URL: http://websecurity.com.ua/4177/ ----------------------------- Affected products: WP-UserOnline 2.62 and previous versions. ----------------------------- Timeline: 26.04.2010 - found vulnerabilities. 30.04.2010 - announced at my site. 01.05.2010 - informed developer. 07.05.2010 - developer released WP-UserOnline 2.70. In version 2.70 the developer fixed XSS, but not Full path disclosure vulnerabilities. 01.07.2010 - disclosed at my site. ----------------------------- Details: These are Cross-Site Scripting and Full path disclosure vulnerabilities. XSS: With help of special request to the site it's possbile to conduct XSS attack. For this it's needed to send GET request in special way (not in browser) to page http://site/?. This is persistent XSS. Vulnerability appears at page http://site/wp-admin/index.php?page=wp-useronline. Full path disclosure: http://site/wp-content/plugins/wp-useronline/admin.php http://site/wp-content/plugins/wp-useronline/widget.php http://site/wp-content/plugins/wp-useronline/wp-stats.php http://site/wp-content/plugins/wp-useronline/wp-useronline.php http://site/wp-content/plugins/wp-useronline/scb/Widget.php http://site/wp-content/plugins/wp-useronline/scb/load.php Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua