CVE-2015-8350 Scanner

The "WordPress Calls to Action" plugin is widely used by WordPress website administrators to create customizable calls to action, improve engagement with site visitors, and track conversion activities. Developed and maintained by Inbound Now, this plugin facilitates marketing strategies by allowing the creation of numerous call-to-action variants. Its functions are integral to driving traffic and collecting valuable user data for analytics. However, like any other piece of software, it is susceptible to security vulnerabilities if not kept up-to-date. Site administrators often rely on this tool to keep their sites competitive and user-friendly, integrating it into broader digital marketing frameworks.

The identified vulnerability is a type of Cross-Site Scripting (XSS), specifically a reflected XSS found in the WordPress Calls to Action plugin. This vulnerability allows attackers to inject arbitrary web scripts or HTML into the application. If exploited, it could lead to unintended actions executed in a user's browser session. It requires the attacker to trick users into executing crafted requests. XSS vulnerabilities pose significant security risks as they can be used for session hijacking, defacement, or redirecting users to malicious sites.

At a technical level, the vulnerability lies in the plugin's failure to sanitize input parameters like "open-tab" in wp-admin/edit.php and "wp-cta-variation-id" in specific paths. These parameters can be manipulated to inject script tags or other HTML elements, which execute when a user with sufficient privileges accesses the crafted URL. The vulnerability affects versions up to and including 2.4.3, and its exploitation necessitates sending crafted requests that are executed by privileged users. This lack of input validation provides a pathway for malicious script execution, endangering user security.

If exploited, this vulnerability can severely impact both the compromised site and its users. It can lead to users' session data being accessed by unauthorized parties, resulting in potential information theft. The site's content could be altered, leading to unintentional redirects or defacements that damage the site's reputation. Furthermore, the exploitation of this vulnerability could be part of a larger attack strategy aimed at compromising user data en masse. It's crucial for site administrators to address this vulnerability to safeguard their site and its visitors.

REFERENCES

• https://www.immuniweb.com/advisory/HTB23274
• https://seclists.org/bugtraq/2015/Dec/9
• https://nvd.nist.gov/vuln/detail/CVE-2015-8350
• https://plugins.trac.wordpress.org/changeset/1274208/cta
• http://packetstormsecurity.com/files/134598/WordPress-Calls-To-Action-2.4.3-Cross-Site-Scripting.html