Title: Reflected XSS in WordPress plugin wiziq v1.0 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/wiziq |
Downloads: 209 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: wiziq |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./wiziq/frontend/shortcode/wiziq_frontend_classes.php:
1343: <input maxlength= "70" type = "text" class = "regular-text" id = "class_name" name = "class_name" value = "<?php if (isset($_POST['class_name'])) echo $_POST['class_name']; ?>" />
1415: <input type = "text" class = "regular-text" id = "class_start_date" name="class_time" value = "<?php if (isset($_POST['class_time'])) echo $_POST['class_time']; ?>" />
1476: <input type = "text" class = "regular-text" id = "class_duration" name = "duration" value = "<?php if (isset($_POST['duration'])) { echo $_POST['duration']; } else { echo '60'; } ?>" />
1762: <input maxlength= "10" type = "text" class = "regular-text" id = "class_attendee_limit" name = "attendee_limit" value = "<?php if (isset($_POST['attendee_limit'])) { echo $_POST['attendee_limit']; } else { echo '10'; } ?>" />
The class_name parameter appears to be echoed back to the user's browser unsanitized when supplied in a POST request.
|
CVE-ID: Not Released |
File: ./wiziq/frontend/shortcode/wiziq_frontend_classes.php |
Exploit Code: The exploit was derived from the first vulnerable parameter that appears in the code; there could be more, as shown above.
|
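A hardened rendering of the four inputs quoted in the Vulnerability field, as an added example that is not the plugin's or the vendor's code. The helpers field_attr() and field_int(), the minimum value of 1 for numeric fields, and the sample $post array are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code: escaped output for the four fields above.
// field_attr() and field_int() are hypothetical helpers.

/** Text fields: return the value escaped for a double-quoted HTML attribute. */
function field_attr(array $post, string $key, string $default = ''): string
{
    $raw = $post[$key] ?? $default;
    if (!is_string($raw)) {
        $raw = $default;              // arrays etc. are not valid field values
    }
    if (function_exists('wp_unslash')) {
        $raw = wp_unslash($raw);      // WordPress adds slashes to $_POST
    }
    // esc_attr() inside WordPress; htmlspecialchars() when run stand-alone.
    return function_exists('esc_attr')
        ? esc_attr($raw)
        : htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Numeric fields: a positive integer or the default (minimum of 1 is an assumption). */
function field_int(array $post, string $key, int $default): int
{
    $raw = $post[$key] ?? null;
    if (!is_string($raw)) {
        return $default;
    }
    $opts = ['options' => ['default' => $default, 'min_range' => 1]];
    return filter_var(trim($raw), FILTER_VALIDATE_INT, $opts);
}

// Constructed sample input standing in for $_POST (benign markup characters only).
$post = [
    'class_name'     => 'Algebra "101" <b>intro</b>',
    'class_time'     => "02/09/2016 10:00 'AM'",
    'duration'       => '60"x',   // not an integer, so the default is rendered
    'attendee_limit' => '25',
];
?>
<input maxlength="70" type="text" class="regular-text" id="class_name" name="class_name" value="<?php echo field_attr($post, 'class_name'); ?>" />
<input type="text" class="regular-text" id="class_start_date" name="class_time" value="<?php echo field_attr($post, 'class_time'); ?>" />
<input type="text" class="regular-text" id="class_duration" name="duration" value="<?php echo field_int($post, 'duration', 60); ?>" />
<input maxlength="10" type="text" class="regular-text" id="class_attendee_limit" name="attendee_limit" value="<?php echo field_int($post, 'attendee_limit', 10); ?>" />
```

Run stand-alone with the PHP CLI, the quotes and angle brackets in the sample values are emitted as entities and stay inside the value attribute; in the plugin, $post would be $_POST.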