Title: Reflected XSS in WordPress plugin ajs-instagram-feed v1.0 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/ajs-instagram-feed |
Downloads: 836 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: ajs-instagram-feed |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./ajs-instagram-feed/admin/partials/ajs-instagram-feed.php:
91: <input type="text" name="ajs_access_token" id="ajs_access_token" value="<?php echo $_POST['ajs_access_token']; ?>" size="60" />
96: <td><input type="text" name="ajs_user_id" id="ajs_user_id" value="<?php echo $_POST['ajs_user_id']; ?>" size="20" /> <span class="ajs-help-text"><?php _e('To display photos from other peoples Instagram accounts, you can use <a href="http://www.otzberg.net/iguserid/" target="_blank">this tool</a> to find their User ID.', 'ajs-instagram-feed'); ?></span></td>
98: </table>
<input type="hidden" name="ajs_show_username" value="<?php echo $_POST['ajs_show_username']?>" />
99: <input type="hidden" name="ajs_show_follow_btn" value="<?php echo $_POST['ajs_show_follow_btn']?>" />
116: <td><input type="text" name="ajs_count" id="ajs_count" value="<?php echo $_POST['ajs_count']; ?>" size="17" /></td>
124: <td><input type="text" name="ajs_username_text_color" value="<?php echo $_POST['ajs_username_text_color']; ?>" class="ajs-color-field" data-default-color="#1c5380" /></td>
130: <tr>
<th><label for="show_follow_btn"><?php _e('Show Follow Button', 'ajs-instagram-feed'); ?></label></th>
<td><input type="checkbox" name="ajs_show_follow_btn" value="yes" <?php if ($_POST['ajs_show_follow_btn']=="yes") { echo 'checked="checked"';} ?> /></td>
</tr>
<tr>
<th><label for="follow_btn_text_color"><?php _e('Text Color', 'ajs-instagram-feed'); ?></label></th>
<td><input type="text" name="ajs_follow_btn_text_color" value="<?php echo $_POST['ajs_follow_btn_text_color']; ?>" class="ajs-color-field" data-default-color="#effeff" /></td>
</tr>
<tr>
<th><label for="follow_btn_bg_color"><?php _e('Background Color', 'ajs-instagram-feed'); ?></label></th>
<td><input type="text" name="ajs_follow_btn_bg_color" value="<?php echo $_POST['ajs_follow_btn_bg_color']; ?>" class="ajs-color-field" data-default-color="#effeff" /></td>
</tr>
<tr>
<th><label for="follow_btn_text"><?php _e('Button Text', 'ajs-instagram-feed'); ?></label></th>
<td><input type="text" name="ajs_follow_btn_text" id="ajs_follow_btn_text" value="<?php echo $_POST['ajs_follow_btn_text']; ?>" size="30" /></td>
</tr>
The variable ajs_access_token appears to send unsanitized data back to the user's browser via a POST request.
|
CVE-ID: Not Released |
File:./ajs-instagram-feed/admin/partials/ajs-instagram-feed.php |
Exploit Code: The exploit was derived from the appearance of the first vulnerable parameter in the code; there could be more, as shown above.
|
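A hardened rendering of the fields listed above, as an added example that is not the plugin's or the advisory author's code: each reflected value is validated by type and encoded for an HTML attribute before output. The helper names (ajs_post, ajs_attr, ajs_int, ajs_hex_color) and the sample request are assumptions constructed for illustration; inside WordPress the core functions esc_attr(), absint(), sanitize_hex_color() and checked() serve the same purpose.

```php
<?php
// Added example: helper names and sample data are hypothetical, not plugin code.

// Read a POST field as a string; missing keys and array values become ''.
function ajs_post(array $post, string $key): string {
    return (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : '';
}

// Encode for a double-quoted HTML attribute: ", ', <, > and & become entities.
function ajs_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ajs_count: digits only, otherwise empty.
function ajs_int(string $value): string {
    return preg_match('/\A[0-9]+\z/', $value) ? $value : '';
}

// *_color fields: #rgb or #rrggbb only, otherwise the field's default colour.
function ajs_hex_color(string $value, string $default): string {
    return preg_match('/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $value) ? $value : $default;
}

// Constructed request: markup characters where the form expects plain values.
$post = [
    'ajs_access_token'        => '"><b>constructed</b>',
    'ajs_user_id'             => "12345'",
    'ajs_count'               => '12"><i>',
    'ajs_username_text_color' => '#1c5380"><i>',
    'ajs_show_follow_btn'     => 'yes"><i>',
];

$token   = ajs_attr(ajs_post($post, 'ajs_access_token'));
$user_id = ajs_attr(ajs_post($post, 'ajs_user_id'));
$count   = ajs_attr(ajs_int(ajs_post($post, 'ajs_count')));
$color   = ajs_attr(ajs_hex_color(ajs_post($post, 'ajs_username_text_color'), '#1c5380'));
// Checkbox and hidden field: compare against the one allowed value, never echo the input.
$follow  = ajs_post($post, 'ajs_show_follow_btn') === 'yes' ? 'yes' : '';
?>
<input type="text" name="ajs_access_token" id="ajs_access_token" value="<?php echo $token; ?>" size="60" />
<input type="text" name="ajs_user_id" id="ajs_user_id" value="<?php echo $user_id; ?>" size="20" />
<input type="text" name="ajs_count" id="ajs_count" value="<?php echo $count; ?>" size="17" />
<input type="text" name="ajs_username_text_color" value="<?php echo $color; ?>" class="ajs-color-field" data-default-color="#1c5380" />
<input type="hidden" name="ajs_show_follow_btn" value="<?php echo $follow; ?>" />
<input type="checkbox" name="ajs_show_follow_btn" value="yes" <?php echo $follow === 'yes' ? 'checked="checked"' : ''; ?> />
```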