Another update, another batch of vulnerabilities. We have an interesting mix of new security tests this week, including Sitecore, HashiCorp Consul and WordPress vulnerabilities. As always, don’t forget to run a scan to check if you’re vulnerable.
* Image Resizer Exposure in .NET (information finding that affects Sitecore and Episerver, among others)
* Exposure of /.mysql_history
* Exposure of /.pgsql_history
* CVE-2017-14619: phpMyFAQ XSS
* WordPress simple-login-log SQL Injection
* WordPress invite-anyone Object Injection
* WordPress hrm Authenticated SQL Injection
* WordPress userpro Authentication Bypass
* WordPress wp-support-plus-responsive-ticket-system CSRF/RCE
* WordPress qards SSRF
* WordPress wp-all-import XSS
* WordPress buddypress Authenticated Open Redirect
* WordPress caldera-forms Authenticated XSS
* WordPress wp-custom-fields-search XSS
* HashiCorp Consul Exposure
Happy scanning!
The Detectify Team