Title: Reflected XSS in WordPress plugin wp-mailings v0.1-will-not-work |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-02-09 |
Download Site: https://wordpress.org/plugins/wp-mailings |
Downloads: 292 |
Vendor Notified: 2016-02-09 |
Vendor Contact: plugins@wordpress.org |
Plugin Name: wp-mailings |
Vulnerability: There is a reflected XSS vulnerability in the following PHP code in ./wp-mailings/admin.users.php:
398: <input type="hidden" name="_wpnonce" value="<?php echo $_POST['_wpnonce'] ?>" />
399: <input type="hidden" name="_wp_http_referer" value="<?php echo $_POST['_wp_http_referer'] ?>" />
420: '_wpnonce': "<?php echo $_POST['_wpnonce'] ?>",
421: '_wp_http_referer': "<?php echo $_POST['_wp_http_referer'] ?>",
453: <input type="hidden" name="_wpnonce" value="<?php echo $_POST['_wpnonce'] ?>" />
454: <input type="hidden" name="_wp_http_referer" value="<?php echo $_POST['_wp_http_referer'] ?>" />
484: '_wpnonce': "<?php echo $_POST['_wpnonce'] ?>",
485: '_wp_http_referer': "<?php echo $_POST['_wp_http_referer'] ?>",
552: '_wpnonce': "<?php echo $_POST['_wpnonce'] ?>",
553: '_wp_http_referer': "<?php echo $_POST['_wp_http_referer'] ?>",
565: '_wpnonce': "<?php echo $_POST['_wpnonce'] ?>",
566: '_wp_http_referer': "<?php echo $_POST['_wp_http_referer'] ?>",
607: '_wpnonce': "<?php echo $_POST['_wpnonce'] ?>",
608: '_wp_http_referer': "<?php echo $_POST['_wp_http_referer'] ?>",
622: '_wpnonce': "<?php echo $_POST['_wpnonce'] ?>",
623: '_wp_http_referer': "<?php echo $_POST['_wp_http_referer'] ?>",
The _wpnonce variable from the POST request appears to be sent back to the user's browser unsanitized.
|
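The listed lines echo the POST values into two different output contexts: HTML attribute values (398-399, 453-454) and what appear to be JavaScript string literals (420-421 and the rest), and each context needs its own encoder. The following is an added example of the hardened form, not the plugin's code or a vendor patch; the helper names `post_str`, `attr` and `js_literal` are hypothetical and the request body is constructed. Inside WordPress, `esc_attr()` and `wp_json_encode()` are the corresponding core functions.

```php
<?php
// Added example, not the plugin's code. Helper names are hypothetical.
// Constructed request body standing in for a hostile POST.
$_POST = [
    '_wpnonce'         => 'abc"><i>constructed</i>',
    '_wp_http_referer' => '/wp-admin/?a="</script>&b=\'',
];

// Read a POST field as a string; array-valued input (key[]=...) becomes ''.
function post_str(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

// HTML attribute context (lines 398-399, 453-454): encode & < > " '.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context (lines 420-421 and similar): emit a complete,
// quoted literal. The HEX flags turn < > & ' " into \uXXXX escapes, so the
// value cannot close the string or the enclosing <script> element.
function js_literal(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($s, $flags);
}
?>
<input type="hidden" name="_wpnonce" value="<?php echo attr(post_str('_wpnonce')) ?>" />
<input type="hidden" name="_wp_http_referer" value="<?php echo attr(post_str('_wp_http_referer')) ?>" />
<script>
var data = {
    '_wpnonce': <?php echo js_literal(post_str('_wpnonce')) ?>,
    '_wp_http_referer': <?php echo js_literal(post_str('_wp_http_referer')) ?>
};
</script>
```

Because `js_literal()` returns the value with its own surrounding quotes, the quotes around the `<?php ... ?>` tag in the original JavaScript lines are dropped.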
CVE-ID: Not Released |
File: ./wp-mailings/admin.users.php |
Exploit Code: The exploit was derived from the first appearance of a vulnerable parameter in the code; there could be more, as shown above.
|