Title: Reflected XSS in WordPress plugin classyfrieds v3.8 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/classyfrieds |
Downloads: 8698 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: classyfrieds |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./classyfrieds/themefiles/page-classyfried_add_listing.php, where request parameters are echoed into the page without output encoding:
227: <input type="text" name="titel" class="inputy" maxlength="50" required value="<?PHP echo $_POST['titel']; ?>" >
238: <input type="text" name="subtitle" class="inputy" maxlength="50" value="<?PHP echo $_POST['subtitle']; ?>">
252: <textarea name="omschrijving" class="texty" rows="8" required ><?PHP echo $_POST['omschrijving']; ?></textarea>
539: <input type="text" name="zip" class="inputy" maxlength="50" value="<?PHP echo $_POST['zip']; ?>">
555: <input type="text" name="versie" class="inputy" maxlength="50" value="<?PHP echo $_POST['versie']; ?>">
578: <input type="text" name="create_cat" class="inputy" maxlength="49" value="<?PHP echo $_POST['create_cat']; ?>">
593: <textarea name="installatie" class="texty" rows="6" ><?PHP echo $_POST['installatie']; ?></textarea>
606: <input type="url" name="url" class="inputy" maxlength="50" value="<?PHP echo $_POST['url']; ?>">
619: <input type="text" name="prijs" size="7" maxlength="7" value="<?PHP echo $_POST['prijs']; ?>"><?PHP echo $cfl[f_prexpl]; ?>
671: <input type="text" name="sleutelwoorden" class="inputy" maxlength="50" value="<?PHP echo $_POST['sleutelwoorden']; ?>" ><?PHP echo $cfl[f_keyexpl]; ?>
684: <input type="text" name="contactname" class="inputy" maxlength="50" value="<?PHP if (!empty($current_user->user_login)) echo $current_user->user_login; else echo $_POST['contactname']; ?>" >
697: <input type="text" name="contactmail" class="inputy" maxlength="50" value="<?PHP if (!empty($current_user->user_email)) echo $current_user->user_email; else echo $_POST['contactmail']; ?>" >
The titel parameter (and each of the other $_POST fields above) is echoed back into the user's browser unsanitized in response to a POST request.
|
CVE-ID: Not Released |
File:./classyfrieds/themefiles/page-classyfried_add_listing.php |
Exploit Code: The exploit was derived from the first vulnerable parameter that appears in the code; there could be more, as shown above.
|
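For reference, the following is an added example (not code from the plugin or from this advisory) showing how the quoted fields would be written with context-appropriate output encoding. It assumes the WordPress escaping and sanitizing API is loaded and that the `$current_user` global is in scope, as it is in the original theme file; the helper `cfl_post_text()` is a hypothetical name.

```php
<?php
// Added example, not the plugin's own code: hardened versions of the
// page-classyfried_add_listing.php fields quoted in the advisory.
// Every value that originates from $_POST is encoded for the exact HTML
// context it is written into, which is what the original lines lack.

/**
 * Return a POSTed field as a plain string, or '' if absent.
 * wp_unslash() removes the slashes WordPress adds to request data;
 * sanitize_text_field() / sanitize_textarea_field() strip tags and
 * control characters (the textarea variant keeps line breaks).
 */
function cfl_post_text( $key, $multiline = false ) {
    if ( ! isset( $_POST[ $key ] ) || ! is_string( $_POST[ $key ] ) ) {
        return '';
    }
    $raw = wp_unslash( $_POST[ $key ] );
    return $multiline ? sanitize_textarea_field( $raw ) : sanitize_text_field( $raw );
}

// Same fallback logic as the original contactname field: prefer the
// logged-in user's login, otherwise use the submitted value.
$contactname = ! empty( $current_user->user_login )
    ? $current_user->user_login
    : cfl_post_text( 'contactname' );
?>
<!-- Attribute context: esc_attr() HTML-encodes " ' < > & so the value
     cannot close the attribute or the tag. -->
<input type="text" name="titel" class="inputy" maxlength="50" required
       value="<?php echo esc_attr( cfl_post_text( 'titel' ) ); ?>">

<!-- Element-body context: esc_textarea() HTML-encodes the value so it
     cannot terminate the <textarea> and start new markup. -->
<textarea name="omschrijving" class="texty" rows="8" required><?php
    echo esc_textarea( cfl_post_text( 'omschrijving', true ) ); ?></textarea>

<!-- URL attribute: esc_url() rejects non-allowlisted schemes (such as
     javascript:) and then attribute-encodes the result. -->
<input type="url" name="url" class="inputy" maxlength="50"
       value="<?php echo esc_url( cfl_post_text( 'url' ) ); ?>">

<!-- The user-profile fallback is encoded too: user_login is stored data
     and still must not be trusted in an attribute context. -->
<input type="text" name="contactname" class="inputy" maxlength="50"
       value="<?php echo esc_attr( $contactname ); ?>">
```

The same esc_attr() treatment applies to the remaining text inputs quoted above (subtitle, zip, versie, create_cat, prijs, sleutelwoorden, contactmail), and esc_textarea() to the installatie textarea.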