Title: Reflected XSS in WordPress plugin wp-guest-book v1.6 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/wp-guest-book |
Downloads: 87 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: wp-guest-book |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./wp-guest-book/index.php:
232: <input type="text" name="guest_name" id="guest_name" value="<?php if(isset($_POST['guest_name'])) echo $_POST['guest_name'];?>" class="guest_input" />
237: <input type="text" name="guest_email" id="guest_email" value="<?php if(isset($_POST['guest_email'])) echo $_POST['guest_email'];?>" />
242: <input type="text" name="guest_website" id="guest_website" value="<?php if(isset($_POST['guest_website'])) echo $_POST['guest_website'];?>" />
246: <input type="text" name="guest_fb" id="guest_fb" value="<?php if(isset($_POST['guest_fb'])) echo $_POST['guest_fb'];?>" />
250: <input type="text" name="guest_tw" id="guest_tw" value="<?php if(isset($_POST['guest_tw'])) echo $_POST['guest_tw'];?>" />
254: <input type="text" name="guest_title" id="guest_title" value="<?php if(isset($_POST['guest_title'])) echo $_POST['guest_title'];?>" class="required" />
288: <textarea name="detail_review" id="detail_review" rows="10" cols="100"><?php if(isset($_POST['detail_review'])) { if(function_exists('stripslashes')) { echo stripslashes($_POST['detail_review']); } else { echo $_POST['detail_review']; } } ?></textarea>
313: <input type="text" name="guest_name" id="guest_name" value="<?php if(isset($_POST['guest_name'])) echo $_POST['guest_name'];?>" class="guest_input" />
318: <input type="text" name="guest_email" id="guest_email" value="<?php if(isset($_POST['guest_email'])) echo $_POST['guest_email'];?>" />
323: <input type="text" name="guest_website" id="guest_website" value="<?php if(isset($_POST['guest_website'])) echo $_POST['guest_website'];?>" />
327: <input type="text" name="guest_fb" id="guest_fb" value="<?php if(isset($_POST['guest_fb'])) echo $_POST['guest_fb'];?>" />
331: <input type="text" name="guest_tw" id="guest_tw" value="<?php if(isset($_POST['guest_tw'])) echo $_POST['guest_tw'];?>" />
335: <input type="text" name="guest_title" id="guest_title" value="<?php if(isset($_POST['guest_title'])) echo $_POST['guest_title'];?>" class="required" />
368: <textarea name="detail_review" id="detail_review" rows="10" cols="100"><?php if(isset($_POST['detail_review'])) { if(function_exists('stripslashes')) { echo stripslashes($_POST['detail_review']); } else { echo $_POST['detail_review']; } } ?></textarea>
The variable guest_name appears to send unsanitized data back to the user's browser via a POST request. |
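The following is an added example, not code from the plugin or from the advisory author. It places the plugin's rendering pattern (echoing a raw $_POST value into an HTML attribute) beside an escaped version, so the fix can be seen in isolation. The function names render_unescaped(), render_escaped() and render_textarea_escaped() and the sample request values are constructed for this illustration; htmlspecialchars() is the plain-PHP escape, and esc_attr() / esc_textarea() are the WordPress helpers a plugin would normally call in these two contexts.

```php
<?php
// Added example (not wp-guest-book's own code). Shows the unsafe pattern from
// index.php next to a context-escaped version. Function names and the sample
// POST data below are constructed for this illustration.

// Vulnerable pattern: the raw POST value lands inside value="...". A double
// quote in the value closes the attribute and the rest is parsed as markup.
function render_unescaped(string $field, array $post): string {
    $value = isset($post[$field]) ? $post[$field] : '';
    return '<input type="text" name="' . $field . '" id="' . $field
         . '" value="' . $value . '" />';
}

// Hardened pattern: escape for the attribute context before echoing.
// ENT_QUOTES converts both " and ' so neither can terminate the attribute.
// Inside WordPress the equivalent helper is esc_attr().
function render_escaped(string $field, array $post): string {
    $value = isset($post[$field]) ? $post[$field] : '';
    $safe  = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $field . '" id="' . $field
         . '" value="' . $safe . '" />';
}

// The textarea at index.php lines 288/368 strips slashes and then echoes.
// Stripping slashes is not escaping; the value still needs HTML-escaping for
// the element body (esc_textarea() in WordPress). Order: unslash, then escape.
function render_textarea_escaped(string $field, array $post): string {
    $value = isset($post[$field]) ? stripslashes($post[$field]) : '';
    $safe  = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="' . $field . '" id="' . $field
         . '" rows="10" cols="100">' . $safe . '</textarea>';
}

// Constructed sample request: a name that breaks out of the attribute, and a
// review body carrying a closing tag. Both are benign test strings.
$sample_post = [
    'guest_name'    => 'Alice"><i>injected</i>',
    'detail_review' => 'nice site</textarea><i>injected</i>',
];

echo "Vulnerable output:\n" . render_unescaped('guest_name', $sample_post) . "\n\n";
echo "Escaped output:\n" . render_escaped('guest_name', $sample_post) . "\n\n";
echo "Escaped textarea:\n" . render_textarea_escaped('detail_review', $sample_post) . "\n";
```

Run with `php example.php`. In the escaped output the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`, so the browser keeps the whole value inside the attribute (or the textarea body) instead of treating it as new markup. The same change applies to every `echo $_POST[...]` in the listing above, not only guest_name.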
CVE-ID: Not Released |
File: ./wp-guest-book/index.php |
Exploit Code: The exploit was derived from the first vulnerable parameter that appears in the code; there may be more, as shown above. |