Persistent XSS vulnerability in WP-UserOnline

["MustLive" <mustlive () websecurity com ua>]

Hello list!

in 2010 I've disclosed multiple vulnerabilities (Cross-Site Scripting and 
Full path disclosure) in WordPress plugin WP-UserOnline 
(http://securityvulns.ru/Ydocument162.html, 
http://seclists.org/fulldisclosure/2010/Jul/8). And recently I've disclosed 
the exploit for persistent XSS vulnerability in WP-UserOnline. It must be 
interesting for those who want to test this vulnerability.

Exploit:

http://websecurity.com.ua/uploads/2012/WP-UserOnline.txt

This perl exploit I've developed at 26.04.2010.

As I've wrote earlier, vulnerable are WP-UserOnline 2.62 and previous 
versions. After my informing the developer released WP-UserOnline 2.70 (at 
07.05.2010). In version 2.70 he fixed XSS, but not Full path disclosure 
vulnerabilities.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/