oss-sec mailing list archives
Persistent XSS in wordpress plugin rockhoist-badges v1.2.2
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 01 Mar 2017 04:38:07 -0500
Title: Persistent XSS in wordpress plugin rockhoist-badges v1.2.2 Author: Larry W. Cashdollar, @_larry0 Date: 2017-02-20 Download Site: https://wordpress.org/plugins/rockhoist-badges/ Vendor: https://profiles.wordpress.org/esserq/ Vendor Notified: 2017-02-20 Vendor Contact: Description: A Stack Overflow inspired plugin for WordPress which allows users to acquire badges for contributing website content. Badges are created and managed through the WordPress Dashboard. Vulnerability: There is a persistent cross site scripting vulnerability in the plugin Rockhoist Badges. A user with the ability to edit_posts can inject malicious javascript. Into the badge description or title field. Line 603 doesn't sanitize user input before sending it to the browser in file ./rockhoist-badges/rh-badges.php: -> 603: <span class="delete"><a href="?page=badges&action=deletecondition&badge_ID=<?php echo $_GET['badge_ID']; ?>&badge_condition_ID=<?php echo $badge_condition->badge_condition_id; ?>" class="delete-tag">Delete</a></span> CVE-ID: CVE-2017-6102 Exploit Code: • "><script>alert(1);</script> in the title or description field will inject js. Screen Shots: [http://www.vapidlabs.com/m/badges.jpg] Advisory: http://www.vapidlabs.com/advisory.php?v=176
Current thread:
- Persistent XSS in wordpress plugin rockhoist-badges v1.2.2 Larry W. Cashdollar (Mar 01)