HTB22938: Multiple XSS in Universal Post Manager wordpress plugin

2011-04-19T00:00:00
ID SECURITYVULNS:DOC:26149
Type securityvulns
Reporter Securityvulns
Modified 2011-04-19T00:00:00

Description

Vulnerability ID: HTB22938 Reference: http://www.htbridge.ch/advisory/multiple_xss_in_universal_post_manager_wordpress_plugin.html Product: Universal Post Manager wordpress plugin Vendor: ProfProjects ( Artyom Chakhoyan ) ( http://www.profprojects.com/ ) Vulnerable Version: 1.0.9 Vendor Notification: 05 April 2011 Vulnerability Type: XSS (Cross Site Scripting) Risk level: Medium Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )

Vulnerability Details: The vulnerability exists due to failure in the "/wp-content/plugins/universal-post-manager/template/email_screen_1.php" script to properly sanitize user-supplied input in "num" variable then register_qlobals is on. User can execute arbitrary JavaScript code within the vulnerable application. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. The following PoC is available:

[code] http://[host]/wp-content/plugins/universal-post-manager/template/email_screen_1.php?unit=1&num=%27%29%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E [/code]

The vulnerability exists due to failure in the "/wp-content/plugins/universal-post-manager/template/bookmarks_slider_h.php" script to properly sanitize user-supplied input in "number" variable then register_qlobals is on. The following PoC is available:

[code] http://[host]/wp-content/plugins/universal-post-manager/template/bookmarks_slider_h.php?number=%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E [/code]

The vulnerability exists due to failure in the "/wp-content/plugins/universal-post-manager/template/email_screen_2.php" script to properly sanitize user-supplied input in "num" variable then register_qlobals is on. The following PoC is available:

[code] http://wordpress/wp-content/plugins/universal-post-manager/template/email_screen_2.php?unit=1&num=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E [/code]