oss-sec mailing list archives
Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 01 Mar 2017 04:39:21 -0500
Title: Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-21
Download Site: https://wordpress.org/plugins/anyvar
Vendor: https://profiles.wordpress.org/matt_dev/
Vendor Notified: 2017-02-28
Vendor Contact: plugins () wordpress org

Description: AnyVar is a simple search and replace plugin. It lets you add changeable variables (text snippets) to posts, sidebars, widgets, links & themes.

Vulnerability:
$var_name and $var_text aren't sanitized before being sent to the webpage. $var_name can only contain text, so only $var_text is exploitable.

In file ./anyvar/anyvar.php, lines 202-206:

    echo "<tr id='anyvar-$var_name' $class>
    <th scope='row' class='check-column'><input type='checkbox' name='delete[]' value='$var_name' /></th>
    <td><a class='row-title' href='?page=".$_GET['page']."&action=edit&var=$var_name' title='Edit "$var_name"' > $var_name</a></td>
    <td>[$var_name]</td>
    <td><textarea name='anyvar_text_$var_name' id='anyvar_text_$var_name' cols='60' rows='3' readonly>$var_text</textarea></td>

CVE-ID: CVE-2017-6103

Exploit Code:
In the text field box the following will trigger a JS alert popup:

    </textarea><script>alert(1);</script><textarea>

Screen Shots: [http://www.vapidlabs.com/m/xssvar.png]
Advisory: http://www.vapidlabs.com/advisory.php?v=177
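The following is an added example, not part of the advisory and not the plugin's code: it reproduces the textarea output pattern from the excerpt above next to a version that encodes values at the point of output. The function names render_row_unescaped, render_row_escaped and h are hypothetical, and htmlspecialchars() is used so the script runs without WordPress; inside a plugin the WordPress helpers esc_attr() and esc_textarea() serve the same purpose.

```php
<?php
// Added illustration; not the plugin's code. Function names are hypothetical.

// Same pattern as the advisory's excerpt: stored values are interpolated
// straight into the HTML that is echoed to the admin page.
function render_row_unescaped(string $var_name, string $var_text): string {
    return "<td>[$var_name]</td>\n"
         . "<td><textarea name='anyvar_text_$var_name' id='anyvar_text_$var_name' "
         . "cols='60' rows='3' readonly>$var_text</textarea></td>";
}

// HTML-encode a value for use in element content or a quoted attribute.
// ENT_QUOTES also encodes single quotes, which this markup uses for attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every interpolated value is encoded where it is output.
function render_row_escaped(string $var_name, string $var_text): string {
    $name = h($var_name);
    return "<td>[$name]</td>\n"
         . "<td><textarea name='anyvar_text_$name' id='anyvar_text_$name' "
         . "cols='60' rows='3' readonly>" . h($var_text) . "</textarea></td>";
}

// Constructed sample input: the string from the advisory's "Exploit Code" section,
// as it would be stored in $var_text. 'greeting' is a made-up variable name.
$stored = "</textarea><script>alert(1);</script><textarea>";

$before = render_row_unescaped('greeting', $stored);
$after  = render_row_escaped('greeting', $stored);

// Check whether a live <script> element survives in each rendering.
echo "unescaped output contains <script>: ";
var_dump(strpos($before, '<script>') !== false);
echo "escaped output contains <script>:   ";
var_dump(strpos($after, '<script>') !== false);

// In the escaped row the stored text stays inside the textarea as inert characters.
echo $after, "\n";
```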