Title: Reflected XSS in wordpress plugin bbpress-social-network v9.2 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/bbpress-social-network |
Downloads: 3365 |
Vendor Notified: 2016-02-09 |
Export: Json |
Vendor Contact: plugins@wordpress.org |
Plugin Name: bbpress-social-network |
Vulnerability: There is a reflected XSS vulnerability in the following php code ./bbpress-social-network/css/ln_livenotifications_cssback.php:
145:/*-moz-box-shadow: 10px 10px 5px <?php echo $_GET['dropdown_bgcolor'];?>;
146: -webkit-box-shadow: 10px 10px 5px <?php echo $_GET['dropdown_bgcolor'];?>;
147: box-shadow: 10px 10px 5px <?php echo $_GET['dropdown_bgcolor'];?>;
290: color: <?php echo $_GET['dropdown_color'];?>;
296: color: <?php echo $_GET['dropdown_color'];?>;
302: background-color: <?php echo $_GET['banner_bgcolor']?>;
486: /*background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;*/
578: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
579: color: <?php echo $_GET['dropdown_link_color']?>;
591: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
597: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
598: color: <?php echo $_GET['dropdown_link_color'];?>;
610: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
643: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
650: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
658: background-color: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
665: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
698: color: <?php echo $_GET['dropdown_link_color'];?>;
702: color: <?php echo $_GET['dropdown_link_color'];?> !important;
706: color: <?php echo $_GET['dropdown_link_color'];?>;
711: color: <?php echo $_GET['dropdown_link_color'];?>;
716: color: <?php echo $_GET['dropdown_link_color'];?>;
747: color:<?php echo $_GET['dropdown_color'];?>;
755: color: <?php echo $_GET['dropdown_link_color'];?>;
765: color: <?php echo $_GET['dropdown_link_color'];?>;
799: color: <?php echo $_GET['dropdown_link_color'];?>;
806: color: <?php echo $_GET['dropdown_link_color'];?>;
828: /*background: <?php echo $_GET['dropdown_hover_bgcolor'];?> right center no-repeat;*/
848: color: <?php echo $_GET['dropdown_link_color'];?> !important;
861: color: <?php echo $_GET['dropdown_color'];?>;
866: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
867: background: <?php echo $_GET['dropdown_bit_color'];?>;
872: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
877: border-top:1px solid <?php echo $_GET['dropdown_bit_color'];?>;
920: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
921: border-bottom:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
924: color: <?php echo $_GET['dropdown_color'];?>;
The variable dropdown_bgcolor appears to send unsanitized data back to the users browser.
|
CVE-ID: Not Released |
File:./bbpress-social-network/css/ln_livenotifications_cssback.php |
Exploit Code: Exploit was derived from appearance of first vulnerable parameter in code, there could be more shown above.
|