Title: Reflected XSS in wordpress plugin blunt-ga v4.0.0 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/blunt-ga |
Downloads: 896 |
Vendor Notified: 2016-02-09 |
Export: Json |
Vendor Contact: plugins@wordpress.org |
Plugin Name: blunt-ga |
Vulnerability: There is a reflected XSS vulnerability in the following php code ./blunt-ga/blunt.ga.class.php:
308: echo $_POST['bluntGA']['ga_account'];
348: echo $_POST['bluntGA']['custom_domain'];
490: echo $_POST['bluntGA']['external']['category'];
597: echo $_POST['bluntGA']['mailto']['category'];
670: echo $_POST['bluntGA']['click_to_call']['category'];
743: echo $_POST['bluntGA']['document']['category'];
777: echo $_POST['bluntGA']['document']['extensions'];
856: echo $_POST['bluntGA']['anchors']['category'];
933: echo $_POST['bluntGA']['not_found']['category'];
1034: echo $_POST['bluntGA']['form']['category'];
1112: echo $_POST['bluntGA']['conversions']['category'];
1122: echo $_POST['bluntGA']['conversions']['pages'];
1191: echo $_POST['bluntGA']['cross_site']['domain'];
1202: echo $_POST['bluntGA']['cross_site']['prefix'];
1296: echo $_POST['bluntGA']['cross_link']['domains'];
The variable bluntGA appears to send unsanitized data back to the users browser via POST request.
|
CVE-ID: Not Released |
File:./blunt-ga/blunt.ga.class.php |
Exploit Code: Exploit was derived from appearance of first vulnerable parameter in code, there could be more shown above.
|