Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 16 Apr 2016 13:59:06 +0530
From: shravan kumar <>
Subject: Reflected XSS Vulnerability in Wordpress Custom-metas plugin 1.5.1

Hello  ,

I would like to disclose a XSS vulnerability in Custom-metas plugin version
1.5.1  .

The Plugin can be found at

Reproduction steps:

   - Install the plugin custom-metas
   - Log in to wp-admin as administrator (tested on firefox)
   - Pass the XSS payload as GET parameter to the
   /wp-admin/admin.php?page=custom-metas&paged=<XSS payload here>
   - example
   - you will see a alert box.

Technical details:

This vulnerability is due to display of unsanitized GET parameters, which
are directly displayed on the page with-out any filters.

The vulnerable page is


The Code responsible for the vulnerability is

 $currentPageNo = ( isset($_GET['paged']) && $_GET['paged'] != "")?

the currentPageNo variable is set using $_GET['paged'] .

It is then displayed in unsafe manner i.e without any filters. in following
line of code


<input type="text" size="2" value="<?php echo $currentPageNo;?>"
name="paged" title="Current page" id="postCurrent" class="current-page" />
of <span class="total-pages"><?php echo $tPostNumCount; ?></span>

Shravan Kumar

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ