WordPress Advanced Custom Fields 4.4.7 Cross Site Scripting Vulnerability

{"type": "zdt", "lastseen": "2016-05-04T08:58:13", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "WordPress Advanced Custom Fields 4.4.7 Cross Site Scripting Vulnerability", "published": "2016-05-03T00:00:00", "href": "http://0day.today/exploit/description/25275", "cvss": {"vector": "NONE", "score": 0}, "description": "WordPress Advanced Custom Fields plugin version 4.4.7 suffers from a cross site scripting vulnerability.", "hash": "7cd2de826b4b01a3b7ce8e64ec6d396dd7409187487b6bf1ceedc62a89debba1", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "## FULL DISCLOSURE\r\n\r\n#Product : Advanced Custom Fields\r\n#Exploit Author : Rahul Pratap Singh\r\n#Version : 4.4.7\r\n#Home page Link :https://wordpress.org/plugins/advanced-custom-fields/\r\n#Website : https://0x62626262.wordpress.com\r\n#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94\r\n#Date : 1/5/2016\r\n\r\nAuthenticated XSS Vulnerability:\r\n\r\n----------------------------------------\r\nDescription:\r\n----------------------------------------\r\n\"type, label, name and field\" parameters are not sanitized that leads to\r\nXSS.\r\n\r\n----------------------------------------\r\nVulnerable Code:\r\n----------------------------------------\r\n\r\nFile Name: testfiles/advanced-custom-fields/core/views/meta_box_fields.php\r\n\r\nFound at line:97\r\n<div class=\"field field_type-<?php echo $field['type']; ?>\r\nfield_key-<?php echo $field['key']; ?>\" data-type=\"<?php echo\r\n$field['type']; ?>\" data-id=\"<?php echo $field['key']; ?>\">\r\n\r\nFound at line:105\r\n<a class=\"acf_edit_field row-title\" title=\"<?php _e(\"Edit this\r\nField\",'acf'); ?>\" href=\"javascript:;\"><?php echo $field['label']; ?></a>\r\n\r\nFound at line:113\r\n<td class=\"field_name\"><?php echo $field['name']; ?></td>\r\n\r\nFound at line:251\r\n<input class=\"conditional-logic-field\" type=\"hidden\" name=\"fields[<?php\r\necho $field['key']; ?>][conditional_logic][rules][<?php echo $rule_i;\r\n?>][field]\" value=\"<?php echo $rule['field']; ?>\" />\r\n\r\n----------------------------------------\r\nPOC:\r\n----------------------------------------\r\nhttps://0x62626262.files.wordpress.com/2016/05/advanced-custom-fields-xss1.png\r\n\r\nFix:\r\nNo Fix\r\n\r\nVulnerability Disclosure Timeline:\r\n\u2192 April 24, 2016 \u2013 Contact to Vendor via support\r\n\u2192 April 24, 2015 \u2013 Vendor Response\r\n\u2192 April 27, 2015 \u2013 Bug Report Sent\r\n\u2192 April 27, 2015 \u2013 Vendor Response, asked for more info\r\n\u2192 April 28, 2015 \u2013 More info sent\r\n\u2192 April 29, 2015 \u2013 No fix. To do list for version 5.0\r\n\r\nPub Ref:\r\nhttps://0x62626262.wordpress.com/2016/05/01/advanced-custom-fields-auth-xss-vulnerability\n\n# 0day.today [2016-05-04] #", "id": "1337DAY-ID-25275", "sourceHref": "http://0day.today/exploit/25275", "modified": "2016-05-03T00:00:00", "reporter": "Rahul Pratap Singh", "viewCount": 2, "enchantments": {"vulnersScore": 6.0}}