Title: Reflected XSS in WordPress plugin wpdudes-survey v1.0.4 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/wpdudes-survey |
Downloads: 582 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: wpdudes-survey |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./wpdudes-survey/wpdudes_survey.php:
264: <input type="text" placeholder="Title" value="<?php echo $_POST['wpdudes_survey_title']; ?>" name="wpdudes_survey_title"/><br>
265: <input type="text" placeholder="Set the percentage of surveys submitted before publishing results. Enter between 1 and 100 only. Default is 50." name="wpdudes_survey_percentage_result" value="<?php echo $_POST['wpdudes_survey_percentage_result']; ?>"/><br>
266: <textarea placeholder="Provide a description or a short write-up for the purpose of this survey. People who receive this survey should get an idea of what this survey is for by reading this information." name="wpdudes_survey_desc"><?php echo $_POST['wpdudes_survey_desc']; ?></textarea><br>
267: <textarea placeholder="Add the names of the people for which this rating is being provided (Enter one name per line) " name="wpdudes_survey_names"><?php echo $_POST['wpdudes_survey_names']; ?></textarea><br>
269: <input placeholder='RATING TYPE. Enter a description for the type of rating. Example: Excellent performer or Poor Communications Skills etc.' type='text' name='desc_1' value="<?php echo $_POST['desc_1']; ?>">
270: <input placeholder='RATING TYPE. Enter a description for the type of rating. Example: Excellent performer or Poor Communications Skills etc.' type='text' name='desc_2' value="<?php echo $_POST['desc_2']; ?>">
273: <textarea placeholder="Add the list of email addresses of the people who need to submit this survey (Enter one email address per line) " name="wpdudes_survey_emails"><?php echo $_POST['wpdudes_survey_emails']; ?></textarea><br>
The POST parameter wpdudes_survey_title appears to be sent back to the user's browser unsanitized.
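A hardened form of three of the fields listed above, as an added example that is not the plugin's or the vendor's code: each echoed POST value passes through WordPress's esc_attr() or esc_textarea(), and the percentage is validated against the 1 to 100 range its placeholder documents. The helper names wpdudes_post_value() and wpdudes_post_percentage() are hypothetical, and the shims and sample $_POST array are constructed so the file also runs outside WordPress.

```php
<?php
// Added example; helper names are hypothetical, not part of the plugin.
// Shims for a stand-alone run; inside WordPress the core functions are used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_textarea( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function wp_unslash( $v ) { return is_string( $v ) ? stripslashes( $v ) : $v; }
}

// Read a POST field as a string; missing or array-valued input becomes ''.
function wpdudes_post_value( $key ) {
    if ( ! isset( $_POST[ $key ] ) || ! is_string( $_POST[ $key ] ) ) {
        return '';
    }
    return wp_unslash( $_POST[ $key ] );
}

// The form documents 1..100; anything else is dropped instead of echoed.
function wpdudes_post_percentage() {
    $raw = wpdudes_post_value( 'wpdudes_survey_percentage_result' );
    $n   = filter_var( $raw, FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1, 'max_range' => 100 ) ) );
    return false === $n ? '' : (string) $n;
}

// Constructed sample input, used only when run from the command line.
if ( PHP_SAPI === 'cli' && empty( $_POST ) ) {
    $_POST = array(
        'wpdudes_survey_title'             => '"><b>constructed</b>',
        'wpdudes_survey_desc'              => '</textarea><i>constructed</i>',
        'wpdudes_survey_percentage_result' => '150',
    );
}
?>
<input type="text" placeholder="Title" name="wpdudes_survey_title" value="<?php echo esc_attr( wpdudes_post_value( 'wpdudes_survey_title' ) ); ?>"/><br>
<input type="text" name="wpdudes_survey_percentage_result" value="<?php echo esc_attr( wpdudes_post_percentage() ); ?>"/><br>
<textarea name="wpdudes_survey_desc"><?php echo esc_textarea( wpdudes_post_value( 'wpdudes_survey_desc' ) ); ?></textarea><br>
```

With the constructed input, the quote and angle brackets in the title and description are emitted as HTML entities, and the out-of-range percentage renders as an empty value.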
|
CVE-ID: Not Released |
File: ./wpdudes-survey/wpdudes_survey.php |
Exploit Code: The exploit was derived from the first vulnerable parameter that appears in the code; there could be more among those shown above.
|