WordPress Cart66 Lite 1.5.4 Cross Site Scripting

2015-02-09T00:00:00
ID PACKETSTORM:130307
Type packetstorm
Reporter Morten Nortoft
Modified 2015-02-09T00:00:00

Description

Title: WordPress 'Cart66 Lite :: WordPress Ecommerce' plugin - Reflected XSS  
Version: 1.5.4  
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej  
Date: 2015/01/26  
Download: https://wordpress.org/plugins/cart66-lite/  
Contacted WordPress: 2015/01/26  
================================================================  
  
  
## Description:   
================================================================  
Cart66 is a simple-to-use yet powerful ecommerce plugin for WordPress. Sell digital products   
and/or physical products with Cart66. The easiest-to-use WordPress ecommerce shopping cart plugin.  
  
  
## Reflected XSS  
================================================================  
The plugin suffers from a reflected cross-site scripting vulnerability in the file orders.php,  
which is loaded at /wp4/wp-admin/admin.php?page=cart66_admin when viewing the orders.  
The vulnerability can be exploited by tricking a logged-in administrator into clicking a crafted URL.  
  
  
## PoC  
================================================================  
The vulnerable parameter is called "status". Its value is read directly from $_GET['status']  
and is neither sanitized nor escaped before being printed into the page.  
  
The vulnerability can be exploited using the following link:  
  
/wp4/wp-admin/admin.php?page=cart66_admin&status=</script><script>alert(document.cookie);</script>  
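The mechanism described above, as an added illustration that is not Cart66's own code: an assumed shape of the unsafe echo of the "status" parameter beside a hardened version that escapes the value for each output context it lands in (the `</script>` prefix in the PoC payload is the shape that breaks out of an inline script block). The variable names and the inline-script placement are assumptions, and plain PHP escaping functions stand in for their WordPress equivalents.

```php
<?php
// Added illustration, not Cart66's code. Shows the unsafe echo of the "status"
// query parameter that the advisory describes, beside a hardened version.

// Constructed request, standing in for the $_GET the orders screen receives.
$sampleGet = [
    'page'   => 'cart66_admin',
    'status' => '</script><script>alert(document.cookie);</script>',
];

// Vulnerable pattern: the raw query value is concatenated straight into the page.
// Assumed placement: once inside an inline script, once in the HTML body.
function render_status_unsafe(array $get): string
{
    $status = $get['status'] ?? '';
    return "<script>var orderStatus = '$status';</script>\n"
         . "<h2>Orders with status: $status</h2>\n";
}

// Hardened pattern: escape for the exact context the value is written into.
// In WordPress the equivalents are wp_json_encode() and esc_html(); plain PHP
// functions are used here so the file runs stand-alone.
function render_status_safe(array $get): string
{
    $status = (string) ($get['status'] ?? '');

    // Inline-script context: JSON-encode with "<" and ">" hex-escaped, so a
    // "</script>" inside the value can never terminate the script block.
    $js = json_encode($status, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    // HTML body context: entity-encode, including both quote characters.
    $html = htmlspecialchars($status, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return "<script>var orderStatus = $js;</script>\n"
         . "<h2>Orders with status: $html</h2>\n";
}

echo "--- unsafe ---\n", render_status_unsafe($sampleGet);
echo "--- hardened ---\n", render_status_safe($sampleGet);
```

Where the screen only ever filters on a fixed set of order statuses, rejecting any value outside that list before rendering is the stronger fix; escaping is still required for anything that is echoed.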
  
## Solution  
================================================================  
Update to version 1.5.5.  