ThreatPress

WordPress Vulnerabilities Database


WordPress Foxypress Plugin 0.4.2.5 - Multiple Vulnerabilities

Product
Foxypress
Description
Foxypress plugin is prone to multiple vulnerabilities:
1. Arbitrary file upload vulnerability via "documenthandler.php". It allows an attacker to upload files with an arbitrary extension to the remote system.
2. SQL Injection vulnerability via "documenthandler.php" that allows an attacker to insert arbitrary data into any table in the current database.
3. SQL Injection vulnerability via "foxypress-manage-emails.php".
4. SQL Injection vulnerabilities via "inventory-category.php".
5. SQL Injection vulnerabilities via "affiliate-management.php".
6. Reflected XSS vulnerability via "reports.php".
7. Reflected XSS vulnerability via "foxypress-manage-emails.php".
8. Reflected XSS vulnerability via "foxypress-affiliate.php".
9. Reflected XSS vulnerability via "order-management.php".
10. Reflected XSS vulnerability via "affiliate-management.php".
11. Open Redirect vulnerability via "foxypress-affiliate.php".
12. Information Leakage vulnerability via directly accessible CSV files.
13. CSRF vulnerability via "affiliate-management.php".
14. CSRF vulnerabilities via "inventory-category.php".
15. CSRF vulnerability via "inventory-option-groups.php".
16. CSRF vulnerability via "status-management.php".
17. CSRF vulnerability via "order-management.php".
18. CSRF vulnerability via "foxypress-manage-emails.php".
19. Unauthorized Access vulnerability via "ajax.php".
20. Full Path Disclosure vulnerability via multiple scripts that allows an attacker
Solution
Update the plugin to version 0.4.2.6 or later.
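As an added check (not part of the ThreatPress entry or of the Foxypress plugin itself), the following Python script reads the standard WordPress plugin header of an installed copy and reports whether its version falls in the affected range (<= 0.4.2.5, fixed in 0.4.2.6). It assumes the plugin is installed under wp-content/plugins/foxypress/ and declares its version in a "Version:" header line, as WordPress requires of every plugin; the plugin file name and the sample header embedded for a stand-alone run are constructed for this example, not copied from the plugin.

```python
"""Check whether an installed Foxypress plugin is in the advisory's affected range.

Added example; not code from the ThreatPress page or the Foxypress plugin.
Assumptions (not stated on the page): the plugin lives under
wp-content/plugins/foxypress/ and carries its version in a standard
WordPress "Version:" header line inside the main .php file.
"""
import os
import re
import sys
from typing import Optional, Tuple

AFFECTED_MAX = "0.4.2.5"   # advisory: "Affected In <= 0.4.2.5"
FIXED_IN = "0.4.2.6"       # advisory: "Fixed In 0.4.2.6"

# Constructed sample header for a stand-alone run (not the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Foxypress
Description: constructed sample header for the version check
Version: 0.4.2.5
*/
"""


def parse_plugin_header(text: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header.

    WordPress scans only the first 8 KiB of the file and accepts the key on a
    line that may start with comment decoration ('*', '/', '#', '@').
    """
    head = text[:8192]
    out = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", head, re.M)
        if m:
            val = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1))  # drop comment close
            out[key] = val.strip()
    return out


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '0.4.2.5' into (0, 4, 2, 5) for ordered comparison.

    A non-numeric suffix such as '-beta' is ignored; trailing zeros are
    dropped so that '1.0' and '1' compare equal.
    """
    parts = []
    for p in re.split(r"[.\-_]", v.strip()):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is <= AFFECTED_MAX."""
    return version_tuple(version) <= version_tuple(AFFECTED_MAX)


def check_plugin_dir(plugin_dir: str) -> Optional[dict]:
    """Find the main plugin file in plugin_dir and classify its version.

    Returns {'file', 'name', 'version', 'affected'} or None if no file with a
    'Plugin Name:' header exists. 'affected' is None if no version is declared.
    """
    if not os.path.isdir(plugin_dir):
        return None
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, fname)
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            hdr = parse_plugin_header(fh.read(8192))
        if "Plugin Name" in hdr:
            ver = hdr.get("Version", "")
            return {
                "file": fname,
                "name": hdr["Plugin Name"],
                "version": ver,
                "affected": is_affected(ver) if ver else None,
            }
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python foxypress_check.py /var/www/html/wp-content/plugins/foxypress
        print(check_plugin_dir(sys.argv[1]))
    else:
        hdr = parse_plugin_header(SAMPLE_HEADER)
        print(hdr, "affected:", is_affected(hdr["Version"]),
              "fixed in:", FIXED_IN)
```

Point the script at the plugin directory of the site under review (the path above is a hypothetical example). A result of `affected: True` means only that a vulnerable release is installed; because item 1 of the description is an arbitrary file upload, a site that ran an affected release exposed to the Internet should also have its upload directories reviewed for files that should not be there before the update is treated as the end of the incident.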
Classification
Type Multi
References
Exploit-DB
CVE
Name CVE-N/A
Versions
Affected In <= 0.4.2.5
Fixed In 0.4.2.6
Disclosure date
2012-10-31
Credits
waraxe