WordPress Unlimited Pop-Ups 1.4.3 Cross Site Scripting
Posted on 26 April 2016
## FULL DISCLOSURE #Product : Unlimited Pop-Ups WordPress Plugin #Exploit Author : Rahul Pratap Singh #Version : 1.4.3 #Home page Link : http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498 #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 21/4/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- "callback, shortcode, id, and page" parameters are not sanitized that leads to Reflected XSS. ---------------------------------------- Vulnerable Code: ---------------------------------------- File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_form.php Found at line:1319 echo '<form action="'.admin_url('admin.php?page='.cjpopups_item_info('page_slug').'&callback='.@$_GET['callback'].'').'" method="post" enctype="multipart/form-data">'; File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_ajax.php Found at line:162 echo '<form action="" method="post" id="cj-shortcode-settings-form" data-shortcode-stype="'.$shortcode_options['stype'].'" data-shortcode-name="'.$_POST['shortcode'].'">'; File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/sample-code/dynamic-sidebar-setup/theme_dynamic_sidebars.php Found at line:139 <td><?php echo $_GET['id']; ?></td> File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/options/core_import_export.php Found at line:94 echo '<form class="margin-30-top" action="'.admin_url('admin.php?page='.@$_GET['page'].'&callback='.@$_GET['callback'].'').'" method="post" enctype="multipart/form-data">'; ---------------------------------------- Fix: Update to 1.4.4 Vulnerability Disclosure Timeline: → March 12, 2016 – Bug discovered, initial report to Vendor → March 14, 2016 – Vendor Acknowledged → March 30, 2016 – Vendor Deployed a Patch Pub Ref: https://0x62626262.wordpress.com/2016/04/21/unlimited-pop-ups-wordpress-plugin-xss-vulnerability/ http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498
