WordPress Video Whisper Cross Site Scripting

`#################################  
  
# Iranian Exploit DataBase Forum  
  
# http://iedb.ir/acc  
  
# http://iedb.ir  
  
#################################  
  
# Exploit Title : Wordpress videowhisper-live-streaming-integration Plugin Xss vulnerabilities  
  
# Author : Iranian Exploit DataBase  
  
# Discovered By : IeDb  
  
# Email : [email protected]  
  
# Home : http://iedb.ir - http://iedb.ir/acc  
  
# Software Link : http://wordpress.org/plugins/videowhisper-live-streaming-integration/  
  
# Security Risk : High  
  
# Tested on : Linux  
  
# Dork : inurl:/videowhisper-live-streaming-integration/ls/htmlchat.php  
  
#################################  
  
# C0de :  
  
<?php  
$room = $_GET['n'];  
if (!$room) $room = $_POST['n'];  
  
//do not allow access to other folders  
if ( strstr($room,"/") || strstr($room,"..") )   
{  
echo "Access denied.";  
exit;  
}  
  
$name = $_POST['name'];  
$message = $_POST['message'];  
  
$day=date("y-M-j",time());  
$chatfile = "uploads/$room/Log$day.html";  
?>  
  
# Exploit :  
  
Please open the site vulnerable.  
Put the script in the Field Name or Message  
  
# Dem0 :  
  
http://fmi.gov.ng/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php  
http://www.tambasurfcompany.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php  
http://www.galactic.to/NETI/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php  
http://www.piggybankblog.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php  
http://pecelifijianmethodist.org/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php  
  
#################################  
  
# Exploit Archive = http://www.iedb.ir/exploits-402.html  
  
#################################  
`