Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 01 Mar 2017 04:38:07 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Persistent XSS in wordpress plugin rockhoist-badges v1.2.2

Title: Persistent XSS in wordpress plugin rockhoist-badges v1.2.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-20
Download Site: https://wordpress.org/plugins/rockhoist-badges/
Vendor: https://profiles.wordpress.org/esserq/
Vendor Notified: 2017-02-20
Vendor Contact:
Description: A Stack Overflow inspired plugin for WordPress which allows users to acquire badges for contributing website content. Badges are created and managed through the WordPress Dashboard.
Vulnerability:
There is a persistent cross site scripting vulnerability in the plugin Rockhoist Badges.  A user with the 
ability to edit_posts can inject malicious javascript.  Into the badge description or title field.

Line 603 doesn't sanitize user input before sending it to the browser in file ./rockhoist-badges/rh-badges.php:

-> 603: <span class="delete"><a href="?page=badges&action=deletecondition&badge_ID=<?php echo $_GET['badge_ID']; ?>&badge_condition_ID=<?php echo $badge_condition->badge_condition_id; ?>" class="delete-tag">Delete</a></span>

CVE-ID: CVE-2017-6102
Exploit Code:
	• "><script>alert(1);</script> in the title or description field will inject js.
Screen Shots: [http://www.vapidlabs.com/m/badges.jpg]
Advisory: http://www.vapidlabs.com/advisory.php?v=176

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ