Published: 2021/06/22  Last Updated: 2021/06/22

JVN#93799513
WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting

Overview

Some products in the WordPress plugin "Fudousan plugin" series contain a cross-site scripting vulnerability.

Products Affected

The following products and versions of the "Fudousan plugin" series are affected.

  • Fudousan plugin ver5.7.0 and earlier
  • Fudousan Plugin Pro Single-User Type ver5.7.0 and earlier
  • Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier

Description

Some products in the WordPress plugin "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed in the web browser of a user who accesses a site using the product.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score: 5.4
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)
CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N
Base Score: 4.0
Access Vector (AV): Network (N)
Access Complexity (AC): Low (L)
Authentication (Au): Single (S)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Partial (P)
Availability Impact (A): None (N)

Credit

Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2021-20749
JVN iPedia: JVNDB-2021-000055