Anti-Malware Security & Brute-Force Firewall <= 4.15.42 - XSS & CSRF



Proof of Concept
An XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified.

While I scanned a site with that plugin, I had a file named '"><img src=xx onerror=prompt(0)>.png and it was skipped, but the result was JavaScript execution, confirming the existence of an XSS vulnerability.


An attacker who has access to files can modify a file and stop scanning, hijack cookies, bypass malware checks / stop the scanning process, or redirect to malicious websites as well.

CSRF Vulnerability:

All the forms in the Anti-Malware Security and Brute-Force Firewall plugin were vulnerable to CSRF, as they lacked a wp_nonce parameter.
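As an added illustration (not code from the gotmls plugin or from the advisory above), the following PHP shows the defensive counterparts of the two issues reported: escaping an attacker-controlled filename before it is rendered in scan output, and protecting a state-changing admin form with a WordPress nonce and a capability check. The `amsbf_` function, option and action names are hypothetical; the WordPress API calls (`esc_html`, `wp_nonce_field`, `check_admin_referer`, `current_user_can`) are real.

```php
<?php
// Added example, not the plugin's own code. Function, option and action
// names prefixed amsbf_ are hypothetical placeholders.

// 1. Rendering a scan result row. The filename comes from the filesystem and
//    is attacker-controlled (whoever uploads a file chooses its name), so it
//    must be escaped for the HTML context it is printed into.
function amsbf_render_skipped_file( $path ) {
    // Vulnerable pattern (the behaviour described in the advisory):
    //   echo '<li>Skipped: ' . $path . '</li>';
    // A name like '"><img src=xx onerror=prompt(0)>.png breaks out of the
    // markup and runs in the administrator's browser.

    // Hardened: esc_html() encodes <, >, ", ' and & for HTML body context.
    return '<li>Skipped: ' . esc_html( $path ) . '</li>';
}

// 2. Emitting the "stop scan" form with a nonce bound to a specific action.
function amsbf_render_stop_scan_form() {
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="amsbf_stop_scan">';
    // wp_nonce_field( $action, $name, $referer, $display ) returns a hidden
    // input carrying a nonce tied to the current user; $display=false so we
    // can build the string instead of echoing it.
    $html .= wp_nonce_field( 'amsbf_stop_scan', 'amsbf_nonce', true, false );
    $html .= '<button type="submit">Stop scan</button></form>';
    return $html;
}

// 3. Handling the submission. Without the nonce check, any page an
//    administrator visits could submit this form on their behalf, which is
//    the CSRF the advisory reports.
function amsbf_handle_stop_scan() {
    // Capability check: only users who may manage options can stop a scan.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer( $action, $query_arg ) terminates the
    // request if the nonce is missing, forged or expired.
    check_admin_referer( 'amsbf_stop_scan', 'amsbf_nonce' );

    update_option( 'amsbf_scan_stopped', 1 );
    wp_safe_redirect( admin_url( 'admin.php?page=amsbf&stopped=1' ) );
    exit;
}
add_action( 'admin_post_amsbf_stop_scan', 'amsbf_handle_stop_scan' );
```

The nonce alone is not a substitute for the capability check: a nonce proves the request originated from a form WordPress rendered for that user, while `current_user_can()` decides whether that user should be allowed to perform the action at all.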

Affects Plugin

fixed in version 4.15.44

References

URL https://wordpress.org/plugins/gotmls/changelog/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter blinkms
Submitter Twitter blinkms
Views 4327
Verified No
WPVDB ID 8421

Timeline

Publicly Published 2016-03-23 (over 3 years ago)
Added 2016-03-23 (over 3 years ago)
Last Updated 2019-06-25 (about 2 months ago)
