## FULL DISCLOSURE
#Product : Unlimited Pop-Ups WordPress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.3
#Home page Link :
http://codecanyon.net/item/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/
#Date : 21/4/2016
XSS Vulnerability:
------------------------------
Description:
------------------------------
The "callback", "shortcode", "id" and "page" parameters are not sanitized,
which leads to reflected XSS.
------------------------------
Vulnerable Code:
------------------------------
File Name: testfiles/Unlimited Pop-Ups WordPress
Plugin/upload/cj-popups/
Found at line:1319
echo '<form
action="'.admin_url('admin.
method="post" enctype="multipart/form-data">
File Name: testfiles/Unlimited Pop-Ups WordPress
Plugin/upload/cj-popups/
Found at line:162
echo '<form action="" method="post" id="cj-shortcode-settings-
data-shortcode-stype="'.$
data-shortcode-name="'.$_POST[
File Name: testfiles/Unlimited Pop-Ups WordPress
Plugin/upload/cj-popups/
Found at line:139
<td><?php echo $_GET['id']; ?></td>
File Name: testfiles/Unlimited Pop-Ups WordPress
Plugin/upload/cj-popups/
Found at line:94
echo '<form class="margin-30-top"
action="'.admin_url('admin.
method="post" enctype="multipart/form-data">
------------------------------
Fix:
Update to 1.4.4
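Added example, not part of the original advisory and not the vendor's 1.4.4 patch: the raw echo reported at line 139 beside a validated and escaped form, plus the same treatment for a quoted attribute like the one at line 162. The helper names, the "shortcode" POST key and the sample inputs are assumptions made for illustration; inside WordPress the equivalent calls are absint(), sanitize_key(), esc_html() and esc_attr().

```php
<?php
// Added illustration; helper names are hypothetical, not the plugin's code.

// Escape for HTML element content and quoted attribute values.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Treat "id" as a non-negative integer; anything else becomes 0.
function clean_id($raw): int {
    return (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;
}

// Allow-list filter for names: lower-case letters, digits, "_" and "-".
function clean_key($raw): string {
    if (!is_string($raw)) {
        return '';
    }
    return (string) preg_replace('/[^a-z0-9_\-]/', '', strtolower($raw));
}

// Pattern reported at line 139: request data echoed straight into a table cell.
function render_id_cell_vulnerable(array $get): string {
    return '<td>' . ($get['id'] ?? '') . '</td>';
}

// Hardened: validate the type first, then escape at the point of output.
function render_id_cell(array $get): string {
    return '<td>' . h((string) clean_id($get['id'] ?? '')) . '</td>';
}

// Hardened attribute context (compare data-shortcode-name at line 162).
// The 'shortcode' key is an assumption; the advisory's snippet is truncated.
function render_form_open(array $post): string {
    $name = clean_key($post['shortcode'] ?? '');
    return '<form action="" method="post" data-shortcode-name="' . h($name) . '">';
}

// Constructed inputs: harmless markup that shows whether the value is
// interpreted as HTML or can break out of the quoted attribute.
$get  = ['id' => '<b>7</b>'];
$post = ['shortcode' => 'x" data-injected="1'];

echo render_id_cell_vulnerable($get), "\n"; // markup reaches the page as-is
echo render_id_cell($get), "\n";            // non-numeric id is rejected
echo render_form_open($post), "\n";         // quote cannot close the attribute
```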
Vulnerability Disclosure Timeline:
→ March 12, 2016 – Bug discovered, initial report to Vendor
→ March 14, 2016 – Vendor Acknowledged
→ March 30, 2016 – Vendor Deployed a Patch
Pub Ref:
https://0x62626262.wordpress.
http://codecanyon.net/item/