Anti-Malware Security & Brute-Force Firewall < 4.15.44 – XSS & CSRF

Description

The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by a XSS & CSRF security vulnerability.

Proof of Concept

XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified.

While I  scan a  site with that plugin , i had  a file '"><img src=xx onerror=prompt(0)>.png and it was skippped , but result was javascript execution , confirming the existence of XSS vulnerability .


An attacker , when have access to files , can modify file and can stop scanning , can hijack cookies , can bypass malware checks / stop scanning process or redirect to malicious websites as well .

CSRF Vulnerability :- 

All the forms on Anti-Malware Security and Brute-Force Firewall Plugin were vulnerable to CSRF vulnerability as they lack wp_nonce parameter in all forms they had .