oss-sec mailing list archives
Reflected XSS Vulnerability in Wordpress Custom-metas plugin 1.5.1
From: shravan kumar <cor3sm4sh3r () gmail com>
Date: Sat, 16 Apr 2016 13:59:06 +0530
Hello , I would like to disclose a XSS vulnerability in Custom-metas plugin version 1.5.1 . The Plugin can be found at https://wordpress.org/plugins/custom-metas/ Reproduction steps: - Install the plugin custom-metas - Log in to wp-admin as administrator (tested on firefox) - Pass the XSS payload as GET parameter to the /wp-admin/admin.php?page=custom-metas&paged=<XSS payload here> - example http://targetip/WPinstallationdir/wp-admin/admin.php?page=custom-metas&paged= "><script>alert(1);</script> - you will see a alert box. Technical details: This vulnerability is due to display of unsanitized GET parameters, which are directly displayed on the page with-out any filters. The vulnerable page is /wp-content/plugins/custom-metas/tpl/meta-data-form-multiple.php The Code responsible for the vulnerability is LINE 10 $currentPageNo = ( isset($_GET['paged']) && $_GET['paged'] != "")? $_GET['paged']:1; the currentPageNo variable is set using $_GET['paged'] . It is then displayed in unsafe manner i.e without any filters. in following line of code LINE 43 <input type="text" size="2" value="<?php echo $currentPageNo;?>" name="paged" title="Current page" id="postCurrent" class="current-page" /> of <span class="total-pages"><?php echo $tPostNumCount; ?></span> -- Shravan Kumar
Current thread:
- Reflected XSS Vulnerability in Wordpress Custom-metas plugin 1.5.1 shravan kumar (Apr 16)