goYWP WebPress 13.00.06 Cross Site Scripting

`*CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security  
Vulnerabilities*  
  
  
  
  
  
  
  
Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security  
Vulnerabilities  
Product: WebPress  
Vendor: goYWP  
Vulnerable Versions: 13.00.06  
Tested Version: 13.00.06  
Advisory Publication: Dec 09, 2014  
Latest Update: Dec 09, 2014  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: CVE-2014-8751  
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]  
  
  
  
  
  
  
  
*Advisory Details:*  
  
*(1) Product*  
"WebPress is the foundation on which we build web sites. It’s our unique  
Content Management System (CMS), flexible enough for us to build your dream  
site, and easy enough for you to maintain it yourself."  
  
  
  
*(2) Vulnerability Details:*  
goYWP WebPress is vulnerable to XSS attacks.  
  
*(2.1)* The first security vulnerability occurs at "/search.php" page with  
"&search_param" parameter in HTTP GET.  
  
*(2.2)* The second security vulnerability occurs at "/forms.php" (form  
submission ) page with "&name", "&address" "&comment" parameters in HTTP  
POST.  
  
  
  
  
  
  
  
  
  
  
*References:*  
http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/  
http://www.goywp.com/view/cms  
http://www.goywp.com/demo.php  
http://cwe.mitre.org  
http://cve.mitre.org/  
  
  
`