VaultPress - Remote Code Execution via Man in The Middle attack

[Summer of Pwnage <lists () securify nl>]

------------------------------------------------------------------------
VaultPress - Remote Code Execution via Man in The Middle attack
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Man in The Middle (MiTM) vulnerability has been identified in the
VaultPress plugin of WordPress. This issue allows an attacker to to
sniff clear-text communication and to run arbitrary PHP code on the
affected WordPress host.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160728-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on VaultPress WordPress Plugin
version 1.8.4

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/vaultpress___remote_code_execution_via_man_in_the_middle_attack.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/