WordPress Altos Connect Widget 1.3.0 Cross Site Scripting

2015-07-30T00:00:00
ID PACKETSTORM:132908
Type packetstorm
Reporter Morten Nortoft
Modified 2015-07-30T00:00:00

Description

                                        
`Title: WordPress 'Altos Connect Widget' Plugin  
Version: 1.3.0  
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej  
Date: 2015-06-15  
Download:   
- https://wordpress.org/plugins/altos-connect/  
- https://plugins.svn.wordpress.org/altos-connect/  
Notified WordPress: 2015-06-21  
==========================================================  
  
## Plugin description  
==========================================================  
Description: Altos Connect registration widget for WordPress®. The Altos Connect plugin can be us  
  
## XSS vulnerability  
==========================================================  
$_SERVER['PHP_SELF'] is printed without sanitization in a captcha demo page that ships with the plugin (the demo is not removed when installing). This can be exploited with a direct link to the vulnerable file.  
  
PoC:  
[URL]/wp-content/plugins/altos-connect/jquery-validate/demo/demo/captcha/index.php/"><script>alert(1)</script>  
  
It seems like this is fixed in the newest version of jquery-validate, but this plugin has not been patched.  
  
## Solution  
==========================================================  
No fix available  
  
==========================================================  
Vulnerability found using Eir, an early-stage static vulnerability scanner for PHP applications.  
`
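
A defensive check for the pattern described under "XSS vulnerability", added here as an example (it is not code from the advisory, the plugin or the Eir scanner): a line-based heuristic that flags PHP lines printing $_SERVER['PHP_SELF'] without an escaping call, and that can be pointed at a wp-content/plugins tree to locate leftover demo pages. The function names and the sample PHP source are constructed for illustration.

```python
import re
from pathlib import Path

# $_SERVER['PHP_SELF'] or $_SERVER["PHP_SELF"]
PHP_SELF = re.compile(r"""\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]""")
# Output constructs that write straight into the HTML response.
OUTPUT = re.compile(r"<\?=|\b(?:echo|print|printf)\b")
# PHP and WordPress escapers applied directly to PHP_SELF.
ESCAPED = re.compile(
    r"\b(?:htmlspecialchars|htmlentities|esc_url|esc_attr|esc_html)\s*\(\s*"
    r"""\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]""")

def find_unescaped_php_self(source):
    """Return (line_number, text) for lines that print PHP_SELF unescaped."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if not (PHP_SELF.search(line) and OUTPUT.search(line)):
            continue
        # Drop the escaped uses; any PHP_SELF still present is printed raw.
        if PHP_SELF.search(ESCAPED.sub("", line)):
            hits.append((number, line.strip()))
    return hits

def scan_tree(root):
    """Scan every .php file under root, e.g. a wp-content/plugins directory."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_unescaped_php_self(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample source, not the plugin's actual demo file.
SAMPLE = '''<?php $self = $_SERVER['PHP_SELF']; ?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8'); ?>">
<a href="<?= $_SERVER['PHP_SELF'] ?>?refresh=1">reload</a>
'''

if __name__ == "__main__":
    for number, text in find_unescaped_php_self(SAMPLE):
        print(f"line {number}: {text}")
```

Because it works line by line, it does not follow PHP_SELF through an intermediate variable (line 1 of the sample), so a clean result is a first pass rather than proof of absence.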