WordPress Navis DocumentCloud 0.1 Cross Site Scripting Vulnerability

ID 1337DAY-ID-24158
Type zdt
Reporter Harry Metcalfe
Modified 2015-08-28T00:00:00


Exploit for php platform in category web applications

Software: Navis DocumentCloud
Version: 0.1
Homepage: https://wordpress.org/plugins/navis-documentcloud/
Advisory report: https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
CVE: CVE-2015-2807
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)

Publicly exploitable XSS in WordPress plugin Navis Documentcloud

This plugin contains the following code in js/window.php:
$SITEURL .= $_GET[ ‘wpbase’ ];
// snip
<script src=”https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js”></script>
<script src=”<?php echo $SITEURL; ?>wp-includes/js/tinymce/tiny_mce_popup.js”></script>
Which is a trivially exploitable XSS.

Proof of concept
Visit the following page on a site with this plugin installed. Note that the plugin need not be active:
NB: this proof of concept may not work in browsers with XSS protection features.

This plugin is no longer maintained, so if at all possible, switch to using the DocumentCloud plugin https://wordpress.org/plugins/documentcloud/.
If this is not possible, upgrade to version 0.1.1 or later.

Disclosure policy
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.


2015-03-31 – Discovered
2015-03-31 – Requested CVE
2015-07-14 – Reported to [email protected]
2015-07-14 – Vendor responded saying they’ll get in touch with the developer
2015-08-24 – Vendor reported the issue fixed in version 0.1.1

Discovered by dxw:
Harry Metcalfe
Please visit security.dxw.com for more information.

#  0day.today [2018-01-03]  #