| Title: Persistent XSS in wordpress plugin rockhoist-badges v1.2.2 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2017-02-20 |
| CVE-ID:[CVE-2017-6102] |
| CWE: |
| Download Site: https://wordpress.org/plugins/rockhoist-badges/ |
| Vendor: https://profiles.wordpress.org/esserq/ |
| Vendor Notified: 2017-02-20 |
| Vendor Contact: |
| Advisory: http://www.vapidlabs.com/advisory.php?v=176 |
| Description: A Stack Overflow inspired plugin for WordPress which allows users to acquire badges for contributing website content. Badges are created and managed through the WordPress Dashboard. |
| Vulnerability: There is a persistent cross site scripting vulnerability in the plugin Rockhoist Badges. A user with the
ability to edit_posts can inject malicious javascript. Into the badge description or title field.
Line 603 doesn't sanitize user input before sending it to the browser in file ./rockhoist-badges/rh-badges.php:
-> 603: <span class="delete"><a href="?page=badges&action=deletecondition&badge_ID=<?php echo $_GET['badge_ID']; ?>&badge_condition_ID=<?php echo $badge_condition->badge_condition_id; ?>" class="delete-tag">Delete</a></span>
|
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: [badges.jpg] |
| Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory
