Title: Reflected XSS in wordpress plugin learninglog v2.1.3 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/learninglog |
Downloads: 7510 |
Vendor Notified: 2016-02-09 |
Export: Json |
Vendor Contact: plugins@wordpress.org |
Plugin Name: learninglog |
Vulnerability: There is a reflected XSS vulnerability in the following php code ./learninglog/bp-bulk-import-blogs/bp-bulk-import-blogs.php:
336: <td><input type="text" id="institution_teacher_name" name="institution_teacher_name" value="<?php echo $_POST["institution_teacher_name"]; ?>" /></td>
340: <td><input type="text" id="institution_name" name="institution_name" value="<?php echo $_POST["institution_name"]; ?>" /></td>
344: <td><input type="text" id="institution_adress_1" name="institution_adress_1" value="<?php echo $_POST["institution_adress_1"]; ?>" /></td>
348: <td><input type="text" id="institution_adress_2" name="institution_adress_2" value="<?php echo $_POST["institution_adress_2"]; ?>" /></td>
352: <td><input type="text" id="institution_role" name="institution_role" value="<?php echo $_POST["institution_role"]; ?>" /></td>
356: <td><textarea id="institution_bemerkungen" name="institution_bemerkungen"><?php echo $_POST["institution_bemerkungen"]; ?></textarea></td>
523: <td><input name="username" id="username" value="<?php echo $_POST["username"]; ?>" /></td>
527: <td><input name="name" id="name" value="<?php echo $_POST["name"]; ?>" /></td>
531: <td><input name="email" id="email" value="<?php echo $_POST["email"]; ?>" /></td>
840: <td colspan="2"><textarea name="textarea_data" cols="90" rows="12" style="width:100%"><?php echo $_POST["textarea_data"]; ?></textarea></td>
The variable institution_teacher_name appears to send unsanitized data back to the users browser via POST request.
|
CVE-ID: Not Released |
File:./learninglog/bp-bulk-import-blogs/bp-bulk-import-blogs.php |
Exploit Code: Exploit was derived from appearance of first vulnerable parameter in code, there could be more shown above.
|