Unlimited Pop-Ups WordPress Plugin XSS Vulnerability

## FULL DISCLOSURE

#Product : Unlimited Pop-Ups WordPress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.3
#Home page Link : http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "callback", "shortcode", "id", and "page" parameters are not sanitized before being echoed into HTML, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_form.php
Found at line: 1319

```php
echo '<form action="'.admin_url('admin.php?page='.cjpopups_item_info('page_slug').'&callback='.@$_GET['callback'].'').'" method="post" enctype="multipart/form-data">';
```

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_ajax.php
Found at line: 162

```php
echo '<form action="" method="post" id="cj-shortcode-settings-form" data-shortcode-stype="'.$shortcode_options['stype'].'" data-shortcode-name="'.$_POST['shortcode'].'">';
```

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/sample-code/dynamic-sidebar-setup/theme_dynamic_sidebars.php
Found at line: 139

```php
<td><?php echo $_GET['id']; ?></td>
```

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/options/core_import_export.php
Found at line: 94

```php
echo '<form class="margin-30-top" action="'.admin_url('admin.php?page='.@$_GET['page'].'&callback='.@$_GET['callback'].'').'" method="post" enctype="multipart/form-data">';
```

—————————————-

Fix:
Update to 1.4.4
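For anyone patching the same pattern in their own code, the following is an added example (not the plugin's code and not the vendor's 1.4.4 patch): each vulnerable echo from the advisory beside a hardened rewrite that uses WordPress's sanitizing and escaping helpers. The helper functions are real WordPress API; the surrounding form markup and the decision to treat `page` and `callback` as slug-like identifiers are assumptions.

```php
<?php
// Added example, not the plugin's code or the vendor's patch: the vulnerable
// pattern from the advisory next to a hardened rewrite using WordPress
// escaping helpers. Form markup is assumed for illustration.

// --- Vulnerable (pattern from admin_form.php / core_import_export.php) ---
// $_GET['callback'] lands unescaped inside a double-quoted HTML attribute,
// so a value containing a double quote terminates the attribute early.
echo '<form action="' . admin_url( 'admin.php?page=' . @$_GET['page'] . '&callback=' . @$_GET['callback'] ) . '" method="post">';

// --- Hardened ---
// Unslash, then constrain each value to what the code actually expects:
// both are used as identifiers, so sanitize_key() (lowercase letters,
// digits, '-' and '_') is an adequate whitelist (assumption: slug-like ids).
$page     = isset( $_GET['page'] )     ? sanitize_key( wp_unslash( $_GET['page'] ) )     : '';
$callback = isset( $_GET['callback'] ) ? sanitize_key( wp_unslash( $_GET['callback'] ) ) : '';
// Build the URL with add_query_arg() (values are URL-encoded) and escape it
// for the attribute context with esc_url(); admin_url() does not escape.
$action = add_query_arg( array( 'page' => $page, 'callback' => $callback ), admin_url( 'admin.php' ) );
echo '<form action="' . esc_url( $action ) . '" method="post" enctype="multipart/form-data">';

// --- Vulnerable (pattern from admin_ajax.php): POST value in a data-* attribute ---
echo '<form data-shortcode-name="' . $_POST['shortcode'] . '">';

// --- Hardened: esc_attr() encodes & < > " ' so the value cannot leave the attribute ---
$shortcode = isset( $_POST['shortcode'] ) ? sanitize_text_field( wp_unslash( $_POST['shortcode'] ) ) : '';
echo '<form data-shortcode-name="' . esc_attr( $shortcode ) . '">';

// --- Vulnerable (pattern from theme_dynamic_sidebars.php): GET value as cell text ---
echo '<td>' . $_GET['id'] . '</td>';

// --- Hardened: text context, so esc_html() is the matching escape ---
$id = isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : '';
echo '<td>' . esc_html( $id ) . '</td>';
```

The general rule the rewrite follows: sanitize on input to the narrowest type the code needs, then escape on output with the helper that matches the context (esc_url for URL attributes, esc_attr for other attributes, esc_html for text).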

Vulnerability Disclosure Timeline:
→ March 12, 2016 – Bug discovered, initial report to vendor
→ March 14, 2016 – Vendor acknowledged
→ March 30, 2016 – Vendor deployed a patch

#######################################
#                    CTG SECURITY SOLUTIONS                          #
#                www.ctgsecuritysolutions.com                        #
#######################################

Pub Ref:
http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498
