Title: Reflected XSS in WordPress plugin cigicigi-post-guest v1.0.5 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/cigicigi-post-guest |
Downloads: 4535 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: cigicigi-post-guest |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./cigicigi-post-guest/cigicigi_post_guest.php:
580: <a class="next-page" href="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $s; ?>&do=<?php echo $_GET['do']; ?>"><?php echo $s; ?></a>
642: <a class="next-page" href="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $s; ?>&do=<?php echo $_GET['do']; ?>"><?php echo $s; ?></a>
663: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
664: <input type="button" value="<?php _e('Edit'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=edit&id=<?php echo $single_cigi_post_sorgu[0]->ID; ?>">
665: <input type="button" class="cigicigi_delete_button" value="<?php _e('Delete'); ?>" onclick="delete_confirm('admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=delete&id=<?php echo $single_cigi_post_sorgu[0]->ID; ?>')">
666: <input type="button" class="cigicigi_publish_button" value="<?php _e('Publish'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=publish&id=<?php echo $single_cigi_post_sorgu[0]->ID; ?>">
700: <form method="POST" action="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>&do=edit&id=<?php echo $_GET['id']; ?>" id="cigicigi_post_guest_form" enctype="multipart/form-data">
751: <input type="button" class="cigicigi_post_guest_submit" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
773: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
816: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
821: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
827: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
859: <input type="button" value="<< <?php _e('Back', 'cigicigi-post-guest'); ?>" onclick=parent.location="admin.php?page=cigicigi_post_guest_posts&sayfa=<?php echo $_GET['sayfa']; ?>">
The variables do, sayfa and id appear to send unsanitized data back to the user's browser.
|
CVE-ID: Not Released |
File:./cigicigi-post-guest/cigicigi_post_guest.php |
Exploit Code: The exploit was derived from the appearance of the first vulnerable parameter in the code; there could be more, as shown above.
|
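A hardened form of the link, button and form patterns listed under Vulnerability, as an added example that is not the plugin's code or a vendor patch. The cpg_* helper names are hypothetical, and it assumes sayfa and id are non-negative integers and that do only takes the actions visible in the listed lines (edit, delete, publish).

```php
<?php
// Added example, not the plugin's code. The cpg_* helpers are hypothetical names.

// sayfa (page number) and id are assumed to be non-negative integers.
function cpg_int(array $q, string $key): int {
    $v = $q[$key] ?? '';
    return (is_string($v) && ctype_digit($v)) ? (int) $v : 0;
}

// 'do' is limited to the actions visible in the listed lines (assumed to be the full set).
function cpg_action(array $q): string {
    $v = $q['do'] ?? '';
    return (is_string($v) && in_array($v, ['edit', 'delete', 'publish'], true)) ? $v : '';
}

// Build the admin URL from validated values; http_build_query() percent-encodes them.
function cpg_url(array $args): string {
    $args = array_filter($args, fn($v) => $v !== '');
    return 'admin.php?' . http_build_query(['page' => 'cigicigi_post_guest_posts'] + $args);
}

// HTML attribute context (href, action).
function cpg_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string inside a quoted HTML attribute (onclick): JSON-encode, then attribute-encode.
function cpg_js_attr(string $s): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return cpg_attr(json_encode($s, $flags));
}

// Hardened forms of the pagination link, the Back button and the edit form.
function cpg_render(array $q, int $s): string {
    $sayfa = cpg_int($q, 'sayfa');
    $link = cpg_url(['sayfa' => $s, 'do' => cpg_action($q)]);
    $back = cpg_url(['sayfa' => $sayfa]);
    $edit = cpg_url(['sayfa' => $sayfa, 'do' => 'edit', 'id' => cpg_int($q, 'id')]);
    return '<a class="next-page" href="' . cpg_attr($link) . '">' . $s . "</a>\n"
        . '<input type="button" value="&lt;&lt; Back" onclick="parent.location='
        . cpg_js_attr($back) . '">' . "\n"
        . '<form method="POST" action="' . cpg_attr($edit) . '">' . "\n";
}

// Constructed request: markup characters in every parameter the advisory names.
$hostile = ['sayfa' => '2"><b>x</b>', 'do' => 'edit"><b>x</b>', 'id' => '7"><b>x</b>'];
echo cpg_render($hostile, 3);                                       // invalid values are dropped
echo cpg_render(['sayfa' => '2', 'do' => 'edit', 'id' => '7'], 3);  // valid values pass through
```

Inside WordPress the same roles are filled by absint(), add_query_arg(), esc_url(), esc_attr() and esc_js(). The onclick attribute is also quoted here, unlike the original lines, so the encoded value cannot end the attribute early.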