Title: Reflected XSS in wordpress plugin wordpress-theme-demo-bar v1.6.3 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/wordpress-theme-demo-bar |
Downloads: 33467 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: wordpress-theme-demo-bar |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./wordpress-theme-demo-bar/edit-theme-options.php:
43:<a class="wptdb_qtip" title="Refresh this page back to <?php echo $editingtheme['Name']; ?> theme options." href="<?php echo $zv_wptdb_siteurl; ?>/wp-content/plugins/wordpress-theme-demo-bar/edit-theme-options.php?theme=<?php echo $_GET['theme']; ?>">Refresh</a>
45:<a target="_blank" class="wptdb_qtip" title="Preview this theme in a new window after you save the theme options." href="<?php echo $zv_wptdb_siteurl; ?>/?themedemo=<?php echo $_GET['theme']; ?>">Preview</a>
56:document.getElementById('iframe_container').innerHTML = '<iframe id="option-iframe" width="600" height="400" src="<?php echo $zv_wptdb_siteurl; ?>/wp-admin/themes.php?page=functions.php&themedemo=<?php echo $_GET['theme']; ?>&editfunctionsphp=1" style="margin:0px;padding:0px;border:5px solid #cccccc"></iframe>';
The theme request parameter ($_GET['theme']) is echoed back into the page without validation or output encoding, so its value is reflected unescaped to the user's browser. |
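The three sinks quoted above, rebuilt with input validation and context-specific output encoding, as an added example that is not the plugin's code. The site URL and the sample inputs are constructed; the rule that a theme slug contains only [A-Za-z0-9_-] is an assumption, and the WordPress helpers named in the comments (sanitize_key, wp_get_theme, esc_attr, esc_url, esc_js, wp_json_encode) are the equivalents a plugin would normally use in place of the plain PHP functions here.

```php
<?php
// Added example, not code from the wordpress-theme-demo-bar plugin: the two
// href sinks and the iframe written via innerHTML from a JavaScript string,
// rebuilt with validation and per-context encoding. $siteurl and the sample
// inputs are constructed; the slug character rule is an assumption.

declare(strict_types=1);

// Reject anything that is not a plausible theme slug before it reaches a sink.
// A real plugin would also confirm the slug names an installed theme
// (WordPress: sanitize_key() and wp_get_theme($slug)->exists()).
function validate_theme_slug(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $raw) === 1 ? $raw : null;
}

// HTML attribute context (WordPress equivalent: esc_attr(), esc_url() for hrefs).
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context inside a <script> block: JSON-encode and
// hex-escape the characters that could close the literal or the script element
// (WordPress equivalent: wp_json_encode() with these flags, or esc_js()).
function js_string(string $s): string
{
    return (string) json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS | JSON_UNESCAPED_SLASHES
    );
}

// Vulnerable shape, mirroring line 45 of the advisory: raw parameter in an href.
function render_preview_unsafe(string $siteurl, string $theme): string
{
    return '<a target="_blank" class="wptdb_qtip" href="' . $siteurl . '/?themedemo=' . $theme . '">Preview</a>';
}

// Hardened shape: validate once, then encode for each context the value lands in.
// rawurlencode() is a no-op for a valid slug but keeps the query string correct
// if the validator is ever relaxed.
function render_safe(string $siteurl, string $theme): string
{
    $slug = validate_theme_slug($theme);
    if ($slug === null) {
        return '<p>Invalid theme parameter.</p>';
    }
    $q = rawurlencode($slug);

    $refresh   = $siteurl . '/wp-content/plugins/wordpress-theme-demo-bar/edit-theme-options.php?theme=' . $q;
    $preview   = $siteurl . '/?themedemo=' . $q;
    $iframeSrc = $siteurl . '/wp-admin/themes.php?page=functions.php&themedemo=' . $q . '&editfunctionsphp=1';

    // Build the iframe markup in PHP with its attribute escaped, then hand the
    // whole fragment to JavaScript as one encoded string literal.
    $iframeHtml = '<iframe id="option-iframe" width="600" height="400" src="' . attr($iframeSrc)
                . '" style="margin:0px;padding:0px;border:5px solid #cccccc"></iframe>';

    return '<a class="wptdb_qtip" href="' . attr($refresh) . '">Refresh</a>' . "\n"
         . '<a target="_blank" class="wptdb_qtip" href="' . attr($preview) . '">Preview</a>' . "\n"
         . '<div id="iframe_container"></div>' . "\n"
         . '<script>document.getElementById("iframe_container").innerHTML = ' . js_string($iframeHtml) . ';</script>';
}

// Demo with constructed input: a valid slug, then a value carrying an
// attribute-closing quote as ?theme=... would deliver it.
$siteurl = 'https://example.test'; // constructed
foreach (['twentysixteen', 'twentysixteen">x'] as $theme) {
    echo "--- input: {$theme}\n";
    echo "unsafe: " . render_preview_unsafe($siteurl, $theme) . "\n";
    echo "safe:   " . render_safe($siteurl, $theme) . "\n";
}
```

Run with php on the command line: the unsafe renderer emits the quote and angle bracket into the attribute unchanged, while the hardened path rejects the second input outright and, for the first, produces attributes and a JavaScript literal in which no user-controlled character can change the markup structure.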
CVE-ID: Not Released |
File:./wordpress-theme-demo-bar/edit-theme-options.php |
Exploit Code: The exploit was derived from the first appearance of the vulnerable parameter in the code; there could be more, as the lines shown above indicate. |