Title: Reflected XSS in wordpress plugin xcloner-backup-and-restore v3.1.3 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/xcloner-backup-and-restore |
Downloads: 433362 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: xcloner-backup-and-restore |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./xcloner-backup-and-restore/admin.cloner.html.php:
427: recurseUrl = "admin-ajax.php?action=json_return&task=recurse_database&nohtml=1&dbbackup_comp=<?php echo $_REQUEST['dbbackup_comp']?>&dbbackup_drop=<?php echo $_REQUEST['dbbackup_drop']?>";
2276: <td><input type='text' size='30' name='ftp_url' value='<?php echo $_REQUEST[ftp_url]?>'></td>
2284: <td><input type='text' size='30' name='ftp_server' value='<?php echo $_REQUEST[ftp_server]?>'></td>
2290: <td><input type='text' size='30' name='ftp_user' value='<?php echo $_REQUEST[ftp_user]?>'></td>
2296: <td><input type='text' size='30' name='ftp_pass' value='<?php echo $_REQUEST[ftp_pass]?>'></td>
2302: <td><input type='text' size='30' name='ftp_dir' value='<?php echo $_REQUEST[ftp_dir]?>'></td>
2317: <input type="hidden" name="task2" value="<?php if($_REQUEST[task2]!="") echo $_REQUEST[task2]; else echo $task;?>" />
The dbbackup_comp request parameter appears to be echoed back to the user's browser unsanitized.
|
CVE-ID: Not Released |
File:./xcloner-backup-and-restore/admin.cloner.html.php |
Exploit Code: The exploit was derived from the appearance of the first vulnerable parameter in the code; there could be more, as shown above.
|
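The lines quoted in the Vulnerability field echo $_REQUEST values straight into two different output contexts: line 427 places them inside a JavaScript string literal that is also a URL, and lines 2276-2317 place them inside single-quoted HTML attribute values. The fix is context-specific output encoding. The following is an added example, not code from the plugin or from the advisory author; the function names request_param(), render_recurse_url() and render_ftp_field() are hypothetical, the parameter names are the ones from admin.cloner.html.php, and plain PHP functions are used in place of the WordPress helpers (esc_attr(), esc_js()/wp_json_encode(), add_query_arg()) so the file runs stand-alone.

```php
<?php
// Added example (not the plugin's code): context-aware encoding for the
// reflected parameters listed in the advisory. In a WordPress plugin the
// equivalent helpers are esc_attr(), wp_json_encode() and add_query_arg().

// Read a request parameter safely: a missing key yields '' instead of an
// "Undefined index" notice, and the key is a quoted string (the original
// used bare constants such as $_REQUEST[ftp_url]). Non-string values
// (arrays injected via ftp_url[]=...) are rejected as well.
function request_param(array $request, string $key): string {
    $value = $request[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Line 427 context: the value lands inside a JavaScript string literal that
// is itself a URL. Two encodings are needed: URL-encode each query value so
// it cannot add or alter query parameters, then JSON-encode the whole string
// (with the HEX flags) so it cannot terminate the literal or the <script>.
function render_recurse_url(array $request): string {
    $query = http_build_query([
        'action'        => 'json_return',
        'task'          => 'recurse_database',
        'nohtml'        => 1,
        'dbbackup_comp' => request_param($request, 'dbbackup_comp'),
        'dbbackup_drop' => request_param($request, 'dbbackup_drop'),
    ], '', '&', PHP_QUERY_RFC3986);

    $js_literal = json_encode(
        'admin-ajax.php?' . $query,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return 'recurseUrl = ' . $js_literal . ';';
}

// Lines 2276-2302 (and the hidden task2 field at 2317) context: the value
// sits in a single-quoted HTML attribute. ENT_QUOTES encodes both ' and "
// so the value can neither close the attribute nor start a new one.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_ftp_field(array $request, string $name): string {
    return "<td><input type='text' size='30' name='" . attr($name)
         . "' value='" . attr(request_param($request, $name)) . "'></td>";
}

// Constructed request: each value carries characters that are significant
// in the context it is reflected into (&, =, <, >, ', ").
$request = [
    'dbbackup_comp' => '1&x=y',
    'dbbackup_drop' => "a<b>'c\"",
    'ftp_url'       => "ftp://example.invalid/' x='y",
    'ftp_user'      => ['unexpected', 'array'],
];

echo render_recurse_url($request), PHP_EOL;
echo render_ftp_field($request, 'ftp_url'), PHP_EOL;
echo render_ftp_field($request, 'ftp_user'), PHP_EOL;  // array input renders as empty value
```

Running it shows the & and = inside dbbackup_comp percent-encoded and the ampersands of the query string JSON-escaped as \u0026, while the single quote in ftp_url becomes &apos; so it stays inside the value attribute. Encoding is chosen by where the value ends up, not by what the value is; a single generic "sanitize" pass would not cover both the JavaScript/URL and the attribute context at once.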