Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormHarry MetcalfePACKETSTORM:133350
HistoryAug 27, 2015 - 12:00 a.m.

WordPress Navis DocumentCloud 0.1 Cross Site Scripting

2015-08-2700:00:00
Harry Metcalfe
packetstormsecurity.com
38

EPSS

0.003

Percentile

69.3%

JSON
`Details  
================  
Software: Navis DocumentCloud  
Version: 0.1  
Homepage: https://wordpress.org/plugins/navis-documentcloud/  
Advisory report: https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/  
CVE: CVE-2015-2807  
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)  
  
Description  
================  
Publicly exploitable XSS in WordPress plugin Navis Documentcloud  
  
Vulnerability  
================  
This plugin contains the following code in js/window.php:  
$SITEURL .= $_GET[ β€˜wpbase’ ];  
// snip  
<script src=”https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js”></script>  
<script src=”<?php echo $SITEURL; ?>wp-includes/js/tinymce/tiny_mce_popup.js”></script>  
Which is a trivially exploitable XSS.  
  
  
Proof of concept  
================  
Visit the following page on a site with this plugin installed. Note that the plugin need not be active:  
http://yourwordpresssite/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%22%3Ealert(%27xss%27)%3C/script%3E%3Cscript%20src=%22  
NB: this proof of concept may not work in browsers with XSS protection features.  
  
Mitigations  
================  
This plugin is no longer maintained, so if at all possible, switch to using the DocumentCloud plugin https://wordpress.org/plugins/documentcloud/.  
If this is not possible, upgrade to version 0.1.1 or later.  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2015-03-31 – Discovered  
2015-03-31 – Requested CVE  
2015-07-14 – Reported to [email protected]  
2015-07-14 – Vendor responded saying they’ll get in touch with the developer  
2015-08-24 – Vendor reported the issue fixed in version 0.1.1  
  
  
  
Discovered by dxw:  
================  
Harry Metcalfe  
Please visit security.dxw.com for more information.  
  
  
  
  
`

Related

prion 1
nuclei 1
cvelist 1
patchstack 1
wpvulndb 1
nvd 1
zdt 1
cve 1
prion
prion
Cross site scripting
2015-09-01 14:59:00
nuclei
nuclei
Navis DocumentCloud <0.1.1 - Cross-Site Scripting
2021-08-03 17:09:09
cvelist
cvelist
CVE-2015-2807
2015-09-01 14:00:00
patchstack
patchstack
WordPress Navis DocumentCloud Plugin <= 0.1.0 - XSS
2015-03-31 00:00:00
wpvulndb
wpvulndb
Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
2015-08-26 00:00:00
nvd
nvd
CVE-2015-2807
2015-09-01 14:59:02
zdt
zdt
WordPress Navis DocumentCloud 0.1 Cross Site Scripting Vulnerability
2015-08-28 00:00:00
cve
cve
CVE-2015-2807
2015-09-01 14:59:02

EPSS

0.003

Percentile

69.3%

JSON
Related for PACKETSTORM:133350
prion1nuclei1cvelist1patchstack1wpvulndb1nvd1zdt1cve1