Home / os / winmobile

WordPress Google Adsense 1.29 Cross Site Scripting

Posted on 17 December 2015

Plugin Name : Google Adsense Effected Version : 1.29 (and most probably lower version's if any) Vulnerability : A3-Cross-Site Scripting (XSS) Identified by : Madhu Akula Technical Details Minimum Level of Access Required : Administrator PoC - (Proof of Concept) : http://localhost/wp-admin/admin.php?page=bws_plugins&action=system_status In the field send to custom email put payload as -> ("><img src=x onerror=prompt(document.cookie)>) Video Demonstration : http://www.youtube.com/watch?v=jM0DuD-mtxk Type of XSS : Reflected Disclosure Timeline Vendor Contacted : 2014-08-04 Plugin Status : Updated on 2014-08-07 Public Disclosure : October 3, 2015 CVE Number : Not assigned yet Plugin Description : Google AdSense Plugin creates blocks to display ads on your website. It allows to customize the ads displaying, such as format (text ad, image, text with an image or link), size, color of the elements in the ad block, rounded corners and the ad block position on the website. It provides possibility to make ads unique and original.

 

TOP