CVE-2015-9294
Description
The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in the All-in-One WP Security and Firewall plugin before 3.9.5 for WordPress due to improper handling of add_query_arg and remove_query_arg functions.
Vulnerability
The All-in-One WP Security and Firewall plugin for WordPress (versions before 3.9.5) contains a cross-site scripting (XSS) vulnerability in its use of the add_query_arg and remove_query_arg functions. These WordPress functions are used to manipulate query strings, and the plugin failed to properly escape or validate output, allowing injection of arbitrary HTML and JavaScript. The vulnerability is present in all versions prior to 3.9.5 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that includes a query string parameter containing an XSS payload. When a user visits the crafted URL, the plugin's code processes the query arguments using the vulnerable functions, and the unsanitized input is reflected back in the page output. No authentication is required; the attacker only needs to trick a user, whether logged in or not, into clicking the link.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The impact is limited to the client side, but can affect any user who interacts with the crafted link.
Mitigation
The vulnerability was fixed in version 3.9.5 of the plugin. Users should update to version 3.9.5 or later. The current version (5.4.7) is not affected. No workarounds are documented; updating is the recommended action [1].
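The Vulnerability and Mitigation sections above describe the bug class in general terms. The script below is an added example, not code from the All-in-One WP Security and Firewall plugin or from WordPress core, showing the vulnerable output pattern beside its hardened form. It relies on a fact about WordPress that the CVE text does not spell out: add_query_arg() and remove_query_arg() fall back to $_SERVER['REQUEST_URI'] when no base URL is passed, so their return value is partly request-controlled and must be escaped before it is placed in HTML. The add_query_arg_stub() and esc_url_stub() functions are minimal stand-ins written for this script so it runs without WordPress; the request path is constructed. In a real plugin, the fix is to wrap the call in WordPress's own esc_url().

```php
<?php
// Added example, not the plugin's or WordPress's own code. Models the
// output-escaping defect behind CVE-2015-9294 with stand-in functions.

// Stand-in for add_query_arg(): like WordPress, it keeps the path of
// REQUEST_URI verbatim and merges the given parameters into the query string.
function add_query_arg_stub(array $args, ?string $url = null): string {
    $url = $url ?? ($_SERVER['REQUEST_URI'] ?? '/');
    [$path, $query_string] = array_pad(explode('?', $url, 2), 2, '');
    $query = [];
    parse_str($query_string, $query);
    $query = array_merge($query, $args);
    return $path . ($query ? '?' . http_build_query($query) : '');
}

// Stand-in for esc_url() in an attribute context: HTML-encodes quotes and
// angle brackets so the value cannot close the attribute or open a tag.
// WordPress's real esc_url() also strips unsafe characters and schemes.
function esc_url_stub(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the unescaped return value is written into an href.
function render_link_vulnerable(): string {
    return '<a href="' . add_query_arg_stub(['tab' => 'settings']) . '">Settings</a>';
}

// Hardened pattern: the same value passes through the escaper before output.
function render_link_hardened(): string {
    return '<a href="' . esc_url_stub(add_query_arg_stub(['tab' => 'settings'])) . '">Settings</a>';
}

// Constructed request path: the characters after admin.php/ are the kind
// that break out of an HTML attribute when reflected unescaped.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><i>injected</i>?page=example';

echo "vulnerable: " . render_link_vulnerable() . PHP_EOL;
echo "hardened:   " . render_link_hardened() . PHP_EOL;
```

Run with `php example.php`: the vulnerable line emits the injected tag as live markup inside the anchor, while the hardened line keeps the whole string inside the quoted href as inert text. The check a reviewer wants is simple to grep for: every echo or string concatenation of add_query_arg()/remove_query_arg() output in the plugin should be wrapped in esc_url() (or esc_url_raw() for non-HTML contexts such as redirects).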
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/all-in-one-wp-security-and-firewall
- Range: < 3.9.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.