WordPress Tweet-Wheel 1.0.3.2 Cross Site Scripting
Posted on 26 April 2016
## FULL DISCLOSURE

#Product : Tweet-wheel
#Exploit Author : Rahul Pratap Singh
#Version : 1.0.3.2
#Home page Link : https://wordpress.org/plugins/tweet-wheel/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
The following parameters are not sanitized, which leads to an XSS vulnerability:

consumer_key, consumer_secret, access_token, access_token_secret

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: testfiles/tweet-wheel/includes/views/auth.php

Found at line:34
<input style="width:400px" type="text" name="consumer_key" value="<?php echo isset( $_POST['consumer_key'] ) ? $_POST['consumer_key'] : ''; ?>">

Found at line:40
<input style="width:400px" type="text" name="consumer_secret" value="<?php echo isset( $_POST['consumer_secret'] ) ? $_POST['consumer_secret'] : ''; ?>">

Found at line:46
<input style="width:400px" type="text" name="access_token" value="<?php echo isset( $_POST['access_token'] ) ? $_POST['access_token'] : ''; ?>">

Found at line:52
<input style="width:400px" type="text" name="access_token_secret" value="<?php echo isset( $_POST['access_token_secret'] ) ? $_POST['access_token_secret'] : ''; ?>">

----------------------------------------
Fix:
Update to 1.0.4

Vulnerability Disclosure Timeline:
→ March 14, 2016 – Bug discovered, initial report to Vendor.
→ March 22, 2016 – No Response. Report sent again.
→ March 23, 2016 – WordPress Acknowledged.
→ April 21, 2016 – Full Disclosure.

Pub Ref:
https://0x62626262.wordpress.com/2016/04/21/tweet-wheel-xss-vulnerability/
https://wordpress.org/plugins/tweet-wheel/changelog/
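The echo pattern flagged in auth.php next to an escaped version, as an added example (not the plugin's code and not the vendor's 1.0.4 patch). The helper names and the sample input are constructed for illustration; the script uses htmlspecialchars() so it runs outside WordPress, where the usual call for this context would be esc_attr().

```php
<?php
// Added illustration: helper names and the sample value are constructed,
// not taken from the plugin.

// Same pattern as the lines flagged in auth.php: the POST value is placed
// into value="..." unchanged.
function render_raw(string $name, array $post): string
{
    $value = isset($post[$name]) ? $post[$name] : '';
    return '<input style="width:400px" type="text" name="' . $name
        . '" value="' . $value . '">';
}

// Hardened form: accept only strings, then encode for an attribute context.
// Inside WordPress, esc_attr() would take the place of htmlspecialchars().
function render_escaped(string $name, array $post): string
{
    $value = (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
    $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input style="width:400px" type="text" name="' . $name
        . '" value="' . $value . '">';
}

// Count double quotes in the emitted tag. The template itself contributes
// exactly 8 (four attributes), so any other count means the value left
// its attribute.
function quote_count(string $html): int
{
    return substr_count($html, '"');
}

$fields = ['consumer_key', 'consumer_secret', 'access_token', 'access_token_secret'];

// Constructed input: a harmless marker containing the characters that
// matter in an attribute context (", <, >), plus one array-valued field.
$post = [
    'consumer_key'    => 'abc"><b>marker</b>',
    'consumer_secret' => ['unexpected', 'array'],
];

foreach ($fields as $name) {
    $safe = render_escaped($name, $post);
    printf("%-20s escaped quotes=%d  %s\n", $name, quote_count($safe), $safe);
}
$raw = render_raw('consumer_key', $post);
printf("%-20s raw     quotes=%d  %s\n", 'consumer_key', quote_count($raw), $raw);
```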