WordPress Echosign 1.1 Cross Site Scripting

`## FULL DISCLOSURE  
  
  
#Product : Echosign Plugin  
#Exploit Author : Rahul Pratap Singh  
#Version :1.1  
#Home page Link : https://wordpress.org/plugins/echosign/  
#Website : 0x62626262.wordpress.com  
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94  
#Date : 21/4/2016  
  
XSS Vulnerability:  
  
----------------------------------------  
Description:  
----------------------------------------  
"Page" and "id" parameters are not sanitized that leads to XSS  
Vulnerability.  
  
----------------------------------------  
Vulnerable Code:  
----------------------------------------  
File Name: testfiles/echosign/inc.php  
  
Found at line:199  
  
<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />  
  
File Name: testfiles/echosign/templates/add_templates.php  
  
Found at line:31  
<input type = 'hidden' name = 'id' value = '<?php echo $_REQUEST['id'];  
?>'>  
  
----------------------------------------  
  
Fix:  
No fix Available  
  
Vulnerability Disclosure Timeline:  
→ March 03, 2016 – Bug discovered, initial report to WordPress.  
→ March 07, 2016 – No, response. Report sent again.  
→ March 08, 2016 – WordPress Acknowledged. Plugin taken down.  
→ April 21, 2016 – Plugin still down. No patch available.  
  
Pub Ref:  
https://0x62626262.wordpress.com/2016/04/21/echosign-plugin-for-wordpress-xss-vulnerability/  
https://wordpress.org/plugins/echosign/  
`