oss-sec mailing list archives

Reflected XSS Vulnerability in Wordpress Custom-metas plugin 1.5.1


From: shravan kumar <cor3sm4sh3r () gmail com>
Date: Sat, 16 Apr 2016 13:59:06 +0530

Hello,


I would like to disclose an XSS vulnerability in the Custom-metas plugin,
version 1.5.1.

The Plugin can be found at https://wordpress.org/plugins/custom-metas/


Reproduction steps:

   - Install the custom-metas plugin.
   - Log in to wp-admin as administrator (tested on Firefox).
   - Pass the XSS payload as a GET parameter to
   /wp-admin/admin.php?page=custom-metas&paged=<XSS payload here>
   - Example:
   http://targetip/WPinstallationdir/wp-admin/admin.php?page=custom-metas&paged="><script>alert(1);</script>
   - You will see an alert box.

Technical details:

This vulnerability is due to the display of an unsanitized GET parameter,
which is output directly on the page without any filtering.

The vulnerable page is

/wp-content/plugins/custom-metas/tpl/meta-data-form-multiple.php


The Code responsible for the vulnerability is

LINE 10
$currentPageNo = ( isset($_GET['paged']) && $_GET['paged'] != "" ) ? $_GET['paged'] : 1;

The $currentPageNo variable is set from $_GET['paged'].

It is then displayed in an unsafe manner, i.e. without any filters, in the
following line of code:

LINE 43

<input type="text" size="2" value="<?php echo $currentPageNo;?>"
name="paged" title="Current page" id="postCurrent" class="current-page" />
of <span class="total-pages"><?php echo $tPostNumCount; ?></span>


-- 
Shravan Kumar
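The vulnerable pattern quoted above beside a hardened form, as an added example that is not part of the original post or of the plugin's code. It simulates $_GET from the command line with the advisory's payload so it runs outside WordPress; the render_vulnerable/render_hardened names are assumptions. Inside WordPress the natural calls are absint() for the page number and esc_attr() for the attribute; the plain-PHP equivalents are used here so the script is self-contained.

```php
<?php
// Added example, not the Custom-metas plugin's code.
// Constructed input: the advisory's payload as the "paged" query parameter.
$_GET['paged'] = '"><script>alert(1);</script>';

// Vulnerable pattern (as in tpl/meta-data-form-multiple.php): the raw
// parameter is echoed inside a double-quoted value attribute, so a payload
// beginning with "> closes the attribute and the tag and injects markup.
function render_vulnerable(array $get): string {
    $currentPageNo = (isset($get['paged']) && $get['paged'] != "") ? $get['paged'] : 1;
    return '<input type="text" size="2" value="' . $currentPageNo
         . '" name="paged" title="Current page" id="postCurrent" class="current-page" />';
}

// Hardened form: a page number can only be a positive integer, so coerce it
// before use (absint() in WordPress; a cast plus max() here), and still escape
// on output so the attribute context is safe whatever the value turns out to be
// (esc_attr() in WordPress; htmlspecialchars with ENT_QUOTES in plain PHP).
function render_hardened(array $get): string {
    $currentPageNo = isset($get['paged']) ? max(1, (int) $get['paged']) : 1;
    $safe = htmlspecialchars((string) $currentPageNo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" size="2" value="' . $safe
         . '" name="paged" title="Current page" id="postCurrent" class="current-page" />';
}

// Escaping alone, without the integer coercion, would also neutralise the
// payload: the quote and angle brackets become &quot;, &lt; and &gt; entities.
function escape_only(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "Vulnerable: ", render_vulnerable($_GET), PHP_EOL;
echo "Hardened:   ", render_hardened($_GET), PHP_EOL;
echo "Escaped:    ", escape_only($_GET['paged']), PHP_EOL;
```

Run with `php example.php`: the vulnerable render emits the payload verbatim, so the value attribute is terminated early and a script element follows it; the hardened render emits value="1" because the non-numeric payload casts to 0 and is clamped to 1. The third line shows that output escaping by itself would have been sufficient here, which is why both the type check and esc_attr() belong in the fix: the first documents what the parameter may be, the second protects the attribute context regardless.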
