Title: Reflected XSS in WordPress plugin bbpress-social-network v9.2 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/bbpress-social-network |
Downloads: 3365 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: bbpress-social-network |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./bbpress-social-network/css/ln_livenotifications_css.php:
640: color: <?php echo $_GET['dropdown_color'];?>;
673: color: <?php echo $_GET['dropdown_color'];?>;
700: background-color: <?php echo $_GET['banner_bgcolor']?>;
1009:/*background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;*/
1063: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
1064: color: <?php echo $_GET['dropdown_link_color']?>;
1076: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
1082: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
1083: color: <?php echo $_GET['dropdown_link_color'];?>;
1095: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
1135: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
1143: background-color: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
1150: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
1183: color: <?php echo $_GET['dropdown_link_color'];?>;
1187: color: <?php echo $_GET['dropdown_link_color'];?> !important;
1191: color: <?php echo $_GET['dropdown_link_color'];?>;
1196: color: <?php echo $_GET['dropdown_link_color'];?>;
1201: color: <?php echo $_GET['dropdown_link_color'];?>;
1232: color:<?php echo $_GET['dropdown_color'];?>;
1240: color: <?php echo $_GET['dropdown_link_color'];?>;
1250: color: <?php echo $_GET['dropdown_link_color'];?>;
1285: color: <?php echo $_GET['dropdown_link_color'];?>;
1292: color: <?php echo $_GET['dropdown_link_color'];?>;
1325: /*background: <?php echo $_GET['dropdown_hover_bgcolor'];?> right center no-repeat;*/
1480: color: <?php echo $_GET['dropdown_link_color'];?> !important;
1493: color: <?php echo $_GET['dropdown_color'];?>;
1498: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
1499: background: <?php echo $_GET['dropdown_bit_color'];?>;
1510: border-top:1px solid <?php echo $_GET['dropdown_bit_color'];?>;
1554: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
1555: border-bottom:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
1558: color: <?php echo $_GET['dropdown_color'];?>;
The variable dropdown_color appears to send unsanitized data back to the user's browser.
|
CVE-ID: Not Released |
File: ./bbpress-social-network/css/ln_livenotifications_css.php |
Exploit Code: The exploit was derived from the first vulnerable parameter that appears in the code; there could be more among those shown above.
|
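One way to harden the echo pattern listed under Vulnerability, as an added example that is not the plugin's code or a vendor patch: each colour parameter is checked against an allowlist of CSS colour syntaxes before it is written out, and the response is typed as CSS. The helper name ln_css_color(), the selectors, the default colours and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. ln_css_color(), the selectors, the
// default colours and the sample input are hypothetical, for illustration.

// Return a request parameter only if it is a plain CSS colour value,
// otherwise the supplied default.
function ln_css_color(array $query, string $name, string $default): string
{
    $value = $query[$name] ?? '';
    if (!is_string($value)) {   // ?dropdown_color[]=x arrives as an array
        return $default;
    }
    $value = trim($value);

    // Allowlist: #rgb / #rgba / #rrggbb / #rrggbbaa, a bare colour keyword,
    // or rgb()/rgba() with numeric components. Anything else is rejected,
    // so characters such as < > { } ; / never reach the output.
    $patterns = [
        '/\A#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})\z/i',
        '/\A[a-z]{3,20}\z/i',
        '/\Argba?\(\s*\d{1,3}\s*(?:,\s*\d{1,3}\s*){2}(?:,\s*(?:0|1|0?\.\d+)\s*)?\)\z/i',
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return $value;
        }
    }
    return $default;
}

if (PHP_SAPI !== 'cli') {
    // Serve the stylesheet as CSS and stop browsers from sniffing it as HTML.
    header('Content-Type: text/css; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    $query = $_GET;
} else {
    // Constructed sample input for running this file from the command line.
    $query = [
        'dropdown_color'      => '#336699',          // valid, passed through
        'banner_bgcolor'      => '<not-a-colour>',   // rejected, default used
        'dropdown_link_color' => ['a'],              // array value, default used
    ];
}
?>
.ln_dropdown { color: <?php echo ln_css_color($query, 'dropdown_color', '#000000'); ?>; }
.ln_banner { background-color: <?php echo ln_css_color($query, 'banner_bgcolor', '#ffffff'); ?>; }
.ln_dropdown a { color: <?php echo ln_css_color($query, 'dropdown_link_color', '#0000ee'); ?>; }
```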