Persistent XSS in Media File Renamer plugin v1.7.0 for WordPres
Reporter | Title | Published | Views | Family All 8 |
---|---|---|---|---|
![]() | CVE-2014-2040 | 3 Mar 201418:00 | β | cvelist |
![]() | WordPress Media File Renamerζδ»Άε€δΈͺHTML注ε ₯ζΌζ΄ | 25 Feb 201400:00 | β | seebug |
![]() | CVE-2014-2040 | 3 Mar 201418:55 | β | nvd |
![]() | WordPress Media File Renamer Plugin <= 1.7.0 - Multiple XSS | 19 Feb 201400:00 | β | patchstack |
![]() | Media File Renamer <= 1.7.0 - Stored Cross-Site Scripting (XSS) | 31 Jan 201400:00 | β | wpvulndb |
![]() | Cross site scripting | 3 Mar 201418:55 | β | prion |
![]() | CVE-2014-2040 | 3 Mar 201418:55 | β | cve |
![]() | Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 5 May 201400:00 | β | securityvulns |
`Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Date: 1/31/2014
Author: Larry W. Cashdollar, @_larry0
Vendor: Notified 2/4/2014
CVE: 2014-2040
Download: http://www.meow.fr/media-file-renamer/
Vulnerability:
The following functions do not sanitize input before being echoed out:
In file mfrh_class.settings-api.php:
166 function callback_multicheck( $args ) {
167 $value = $this->get_option( $args['id'], $args['section'], $args['std'] );
168
169 $html = '';
170 foreach ( $args['options'] as $key => $label ) {
171 $checked = isset( $value[$key] ) ? $value[$key] : '0';
172 $html .= sprintf( '
', $args['section'], $a rgs['id'], $key, checked( $checked, $key, false ) );
173 $html .= sprintf( '
%3$s
', $args['section'], $args['id'], $label, $key );
174 }
175 $html .= sprintf( '
%s', $args['desc'] );
176
177 echo $html;
178 }
function callback_radio( $args ) {
186
187 $value = $this->get_option( $args['id'], $args['section'], $args['std'] );
188
189 $html = '';
190 foreach ( $args['options'] as $key => $label ) {
191 $html .= sprintf( '
', $args['section'], $args['id'], $ key, checked( $value, $key, false ) );
192 $html .= sprintf( '
%3$s
', $args['section'], $args['id'], $label, $key );
193 }
194 $html .= sprintf( '
%s', $args['desc'] );
195
196 echo $html;
197 }
function callback_wysiwyg( $args ) {
250
251 $value = wpautop( $this->get_option( $args['id'], $args['section'], $args['std'] ) );
252 $size = isset( $args['size'] ) && !is_null( $args['size'] ) ? $args['size'] : '500px';
253
254 echo '
';
255
256 wp_editor( $value, $args['section'] . '[' . $args['id'] . ']', array( 'teeny' => true, 'textarea_rows' => 10 ) );
257
258 echo '
';
259
260 echo sprintf( '
%s
', $args['desc'] );
261 }
PoC: If a user with permission to add media or edit media uploads a file with "<script>alert(1)</script>" as the title they can XSS the site admin user.
Full Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo