Anti-Malware Security & Brute-Force Firewall <= 4.15.42 - XSS & CSRF


Proof of Concept
XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified.

While I scanned a site with that plugin, I had a file '"><img src=xx onerror=prompt(0)>.png and it was skipped, but the result was JavaScript execution, confirming the existence of the XSS vulnerability.


An attacker who has access to files can modify a file and stop the scan, hijack cookies, bypass malware checks or stop the scanning process, or redirect the administrator to malicious websites.

CSRF Vulnerability

All the forms in the Anti-Malware Security and Brute-Force Firewall plugin were vulnerable to CSRF, as none of them carried a wp_nonce parameter.
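The two defects above, as an added illustration in PHP and not code from the gotmls plugin: a scan-result renderer that echoes a filename unescaped beside its escaped form, and a form/handler pair that adds and verifies a WordPress nonce. The function names and nonce strings are hypothetical; the WordPress API calls are real, so the snippet only runs inside a WordPress admin request.

```php
<?php
// Added example, not code from the gotmls plugin. The function names
// (render_skipped_file_*, render_scan_form, handle_scan_form) and the nonce
// action/name strings are hypothetical; esc_html(), wp_nonce_field(),
// check_admin_referer(), current_user_can() and wp_die() are WordPress core
// functions, so this runs only inside a WordPress admin request.

// Vulnerable pattern behind the reported XSS: a scanned file's name is
// concatenated into the results page unescaped, so a name such as
// '"><img src=xx onerror=prompt(0)>.png is rendered as live markup in the
// administrator's browser.
function render_skipped_file_vulnerable( $filename ) {
    return '<li>Skipped: ' . $filename . '</li>';
}

// Hardened form: escape at the point of output. esc_html() turns <, >, &,
// " and ' into entities, so the same name is shown as inert text.
function render_skipped_file( $filename ) {
    return '<li>Skipped: ' . esc_html( $filename ) . '</li>';
}

// CSRF: every state-changing form carries a nonce tied to an action name.
// With $display = false, wp_nonce_field() returns the hidden fields (the
// nonce plus _wp_http_referer) instead of echoing them.
function render_scan_form() {
    $nonce = wp_nonce_field( 'example_start_scan', 'example_scan_nonce', true, false );
    return '<form method="post" action="">'
        . $nonce
        . '<input type="hidden" name="action" value="start_scan" />'
        . '<button type="submit">Start scan</button>'
        . '</form>';
}

// ...and the POST handler refuses to act unless the nonce verifies.
// check_admin_referer() calls wp_die() when the nonce is absent, forged or
// expired, so a request forged from another site never reaches the scan
// logic. Capability check first: a nonce proves intent, not authorization.
function handle_scan_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to start a scan.' );
    }
    check_admin_referer( 'example_start_scan', 'example_scan_nonce' );

    // Safe to start the scan here; any filenames it reports go through
    // render_skipped_file(), never the vulnerable variant.
}
```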

Affects

Plugin gotmls
fixed in version 4.15.43

References

URL https://wordpress.org/plugins/gotmls/changelog/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter blinkms
Submitter Twitter blinkms
Views 207
Verified No
WPVDB ID 8421

Timeline

Publicly Published 2016-03-23
Added 2016-03-23
Last Updated 2016-04-23

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.