PT-2009-6336 · Royal Plugin+1 · Wp-Cumulus+1
Published
2009-12-02
·
Updated
2018-10-10
·
CVE-2009-4168
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
WP-Cumulus plugin versions prior to 1.23
Joomulus module versions 2.0 and earlier
Description
The issue allows remote attackers to inject arbitrary web script or HTML via the
tagcloud parameter in a tags action, which can lead to cross-site scripting (XSS). This occurs in the tagcloud.swf file used by the affected plugins.Recommendations
For WP-Cumulus plugin versions prior to 1.23, update to version 1.23 or later.
For Joomulus module versions 2.0 and earlier, consider disabling the module until a patch is available.
As a temporary workaround, consider restricting access to the
tagcloud parameter in the tags action to minimize the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Joomulus
Wp-Cumulus