CVE-2015-9410: XSS in Blubrry PowerPress Plugin 6.0.4

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A Cross-Site Scripting (XSS) vulnerability was identified on the WordPress plugin NextGen Gallery before 6.0.4.

Vendor: Blubrry PowerPress
Affected Product: Blubrry PowerPress Podcasting
CVE: CVE-2015-9410
Securin ID: 2015-CSW-09-1006
Status: Fixed
Date: September 4, 2015
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01Visit the following page on a site with this plugin02http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=powerpress/powerpressadmin_basic.php and modify the value of tab variable with “></script><script>alert(document.cookie);</script> payload and send the request to the server. Now, the added XSS payload is echoed back from the server without validating the input. It also affects the wp-config.php file, $table_prefix, and corrupts the database connectivity.03Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.04define( ‘DISALLOW_UNFILTERED_HTML’, true );05Issue 1: The Post Request tab variable in the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php is vulnerable to Cross-Site Scripting (XSS).06Figure 01: Invalid HTTP script Request sent to the server through the vulnerable tab variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php and its echoed back in the HTTP Response without validation.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An XSS vulnerability allows an attacker to inject malicious code into the applications via the images [1] [alttext] parameter.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the latest updated version of Blubrry PowerPress Podcasting and apply the patch as per vendor advisory.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9410, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Sep 04, 2015

Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.

Sep 04, 2015

Reported to WordPress.

Sep 07, 2015

The vendor acknowledged the issue.

Sep 09, 2015

Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-9410

nvd.nist.gov/vuln/detail/CVE-2015-9410 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A Cross-Site Scripting (XSS) vulnerability was identified on the WordPress plugin NextGen Gallery before 6.0.4.

Vendor: Blubrry PowerPress
Affected Product: Blubrry PowerPress Podcasting
CVE: CVE-2015-9410
Securin ID: 2015-CSW-09-1006
Status: Fixed
Date: September 4, 2015
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An XSS vulnerability allows an attacker to inject malicious code into the applications via the images [1] [alttext] parameter.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the latest updated version of Blubrry PowerPress Podcasting and apply the patch as per vendor advisory.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9410, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Sep 04, 2015

Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.

Sep 04, 2015

Reported to WordPress.

Sep 07, 2015

The vendor acknowledged the issue.

Sep 09, 2015

Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-9410

nvd.nist.gov/vuln/detail/CVE-2015-9410 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Cross Site Scripting Vulnerability in Blubrry PowerPress

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.

Reported to WordPress.

The vendor acknowledged the issue.

Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Cite, verify, go deeper.

NVD — CVE-2015-9410

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Cross Site Scripting Vulnerability in Blubrry PowerPress

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.

Reported to WordPress.

The vendor acknowledged the issue.

Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Cite, verify, go deeper.

NVD — CVE-2015-9410

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Cross Site Scripting Vulnerability in Blubrry PowerPress

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.

Reported to WordPress.

The vendor acknowledged the issue.

Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Cite, verify, go deeper.

NVD — CVE-2015-9410

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Cross Site Scripting Vulnerability in Blubrry PowerPress

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.

Reported to WordPress.

The vendor acknowledged the issue.

Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Cite, verify, go deeper.

NVD — CVE-2015-9410

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.