Title: Reflected XSS in WordPress plugin mlm-social-buzz v1.2.1 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/mlm-social-buzz |
Downloads: 1480 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: mlm-social-buzz |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code from ./mlm-social-buzz/top-blog-posts.php (file line numbers shown, excerpt is not contiguous):
179: document.domain = '<?php echo $_GET["tbpv_domain"]; ?>';
182: /*document.write('<div style="display:none;"><a id="tbpv_login" href="<?php //echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to='+location1[0]+'&tbpv_affiliate=<?php //echo $_GET["tbpv_affiliate"]; ?>" target="_blank">Login</a></div>');
184: window.open("<?php echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to="+location1[0]+"&tbpv_affiliate=<?php echo $_GET["tbpv_affiliate"]; ?>","","menubar=0,resizable=1,status=1,toolbar=0,location=0");
187: parent.show_login_form(<?php echo $_GET["tbpv_id"]; ?>, location.href, '<?php echo $_GET["tbpv_affiliate"]; ?>');
191: location.href = '<?php echo WEBSITE_URL; ?>top_blog_posts.php?tbpv_id=<?php echo $_GET["tbpv_id"]; ?>&tbpv_username=<?php echo urlencode($_GET["tbpv_username"]); ?>&tbpv_domain=<?php echo urlencode($_GET["tbpv_domain"]); ?>&tbpv_affiliate=<?php echo urlencode($_GET["tbpv_affiliate"]); ?>&tbpv_button_style=<?php echo urlencode($_GET["tbpv_button_style"]); ?>';
199: document.domain = '<?php echo $_GET["tbpv_domain"]; ?>';
202: /*document.write('<div style="display:none;"><a id="tbpv_login" href="<?php //echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to='+location1[0]+'&tbpv_affiliate=<?php //echo $_GET["tbpv_affiliate"]; ?>" target="_blank">Login</a></div>');
204: window.open("<?php echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to="+location1[0]+"&tbpv_affiliate=<?php echo $_GET["tbpv_affiliate"]; ?>","","menubar=0,resizable=1,status=1,toolbar=0,location=0");
207: parent.show_login_form_follow(location.href,'<?php echo $_GET["tbpv_affiliate"]; ?>');
The tbpv_domain parameter is read from $_GET and echoed into a JavaScript string literal without any escaping (lines 179 and 199), so its value is reflected unsanitized to the user's browser. tbpv_affiliate (lines 184, 187, 204, 207) and tbpv_id (line 187, where it is emitted as a bare argument rather than inside quotes) are echoed the same way; only the echoes on line 191 pass through urlencode(), and the document.write() calls on lines 182 and 202 are commented out.
|
CVE-ID: Not Released |
File:./mlm-social-buzz/top-blog-posts.php |
Exploit Code: The exploit was derived from the first vulnerable parameter (tbpv_domain) as it appears in the code above; the other unescaped $_GET parameters echoed on those lines may be exploitable as well.
|
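As an added example (not code from the mlm-social-buzz plugin, and not the advisory's exploit), the raw echo pattern from lines 179 and 187 is rebuilt beside a hardened rendering of the same two statements. The constructed $_GET values, the function names and the hostname pattern used to validate tbpv_domain are assumptions for illustration.

```php
<?php
// Added example, not code from the mlm-social-buzz plugin: the raw echo
// pattern from top-blog-posts.php (lines 179 and 187) rebuilt beside a
// hardened rendering. $_GET is filled with constructed values so the script
// runs from the CLI (php demo.php) without a web server.

$_GET = [
    // constructed: a single quote ends the '...' literal at line 179 early
    'tbpv_domain'    => "example.com'; x = 1; //",
    // constructed: the bare argument at line 187 is not even inside quotes
    'tbpv_id'        => '12); x = 1; (0',
    'tbpv_affiliate' => 'aff1',
];

// What the plugin does: $_GET values interpolated verbatim into JavaScript.
function render_vulnerable(array $get): string
{
    $js  = "document.domain = '" . $get['tbpv_domain'] . "';\n";
    $js .= "parent.show_login_form(" . $get['tbpv_id'] . ", location.href, '"
         . $get['tbpv_affiliate'] . "');\n";
    return $js;
}

// Encode a PHP string as a JavaScript string literal. json_encode emits a
// double-quoted literal with control characters escaped; the JSON_HEX_*
// flags additionally hex-escape < > & ' " so the value can close neither the
// literal nor the enclosing <script> element.
function js_literal(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Hardened rendering: validate what has a known shape, encode the rest.
function render_hardened(array $get): string
{
    // document.domain only ever holds a hostname (assumed pattern); anything
    // else is dropped rather than reflected.
    $domain = (string) ($get['tbpv_domain'] ?? '');
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $domain)) {
        $domain = '';
    }
    // A bare numeric argument: cast to int so no other characters survive.
    $id = (int) ($get['tbpv_id'] ?? 0);
    $affiliate = (string) ($get['tbpv_affiliate'] ?? '');

    $js  = 'document.domain = ' . js_literal($domain) . ";\n";
    $js .= 'parent.show_login_form(' . $id . ', location.href, '
         . js_literal($affiliate) . ");\n";
    return $js;
}

// Expected hardened output for the constructed input above: the domain is
// rejected, the id collapses to 12 and the affiliate stays a closed literal.
function self_check(): bool
{
    $expected = "document.domain = \"\";\n"
              . "parent.show_login_form(12, location.href, \"aff1\");\n";
    return render_hardened($_GET) === $expected;
}

echo "vulnerable:\n" . render_vulnerable($_GET) . "\n";
echo "hardened:\n" . render_hardened($_GET) . "\n";
echo 'self_check: ' . (self_check() ? 'ok' : 'FAILED') . "\n";
```

The vulnerable output shows the constructed single quote and closing parenthesis landing outside the literal and the argument list, which is the reflection the advisory describes; the hardened output keeps every input character inside a JSON-encoded literal or discards it. Inside WordPress, esc_js() is the bundled helper for a value placed in a single-quoted inline JavaScript string; json_encode() with the hex flags needs no WordPress and, combined with the integer cast, also covers the unquoted argument on line 187.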