WordPress Advanced Custom Fields 4.4.7 Cross Site Scripting
Posted on 03 May 2016
## FULL DISCLOSURE

#Product : Advanced Custom Fields
#Exploit Author : Rahul Pratap Singh
#Version : 4.4.7
#Home page Link : https://wordpress.org/plugins/advanced-custom-fields/
#Website : https://0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 1/5/2016

Authenticated XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
The "type", "label", "name" and "field" parameters are not sanitized, which leads to XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: testfiles/advanced-custom-fields/core/views/meta_box_fields.php

Found at line:97
<div class="field field_type-<?php echo $field['type']; ?> field_key-<?php echo $field['key']; ?>" data-type="<?php echo $field['type']; ?>" data-id="<?php echo $field['key']; ?>">

Found at line:105
<a class="acf_edit_field row-title" title="<?php _e("Edit this Field",'acf'); ?>" href="javascript:;"><?php echo $field['label']; ?></a>

Found at line:113
<td class="field_name"><?php echo $field['name']; ?></td>

Found at line:251
<input class="conditional-logic-field" type="hidden" name="fields[<?php echo $field['key']; ?>][conditional_logic][rules][<?php echo $rule_i; ?>][field]" value="<?php echo $rule['field']; ?>" />

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/05/advanced-custom-fields-xss1.png

Fix:
No Fix

Vulnerability Disclosure Timeline:
→ April 24, 2016 – Contact to Vendor via support
→ April 24, 2015 – Vendor Response
→ April 27, 2015 – Bug Report Sent
→ April 27, 2015 – Vendor Response, asked for more info
→ April 28, 2015 – More info sent
→ April 29, 2015 – No fix. To do list for version 5.0

Pub Ref:
https://0x62626262.wordpress.com/2016/05/01/advanced-custom-fields-auth-xss-vulnerability
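
Output escaping for the four echoes quoted under "Vulnerable Code", as an added example (not the vendor's patch and not code from the advisory). It uses WordPress's `esc_attr()` and `esc_html()`; the fallback shims, the `acf_demo_render_row()` helper and the sample `$field` / `$rule` values are constructed assumptions so the script also runs outside WordPress with the PHP CLI.

```php
<?php
// Added example, not the plugin's code. Inside WordPress esc_attr() and
// esc_html() already exist; these shims are stand-ins for a stand-alone run.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical helper: renders the four sinks from meta_box_fields.php with
// escaping chosen for the HTML context each value lands in.
function acf_demo_render_row(array $field, array $rule, $rule_i) {
    $type = esc_attr($field['type']);   // attribute context (line 97)
    $key  = esc_attr($field['key']);
    $out  = '<div class="field field_type-' . $type . ' field_key-' . $key . '"'
          . ' data-type="' . $type . '" data-id="' . $key . '">' . "\n";
    // Element content: esc_html() (lines 105 and 113).
    $out .= '<a class="acf_edit_field row-title" href="javascript:;">'
          . esc_html($field['label']) . "</a>\n";
    $out .= '<td class="field_name">' . esc_html($field['name']) . "</td>\n";
    // Attribute values: esc_attr() (line 251).
    $out .= '<input class="conditional-logic-field" type="hidden"'
          . ' name="fields[' . $key . '][conditional_logic][rules]['
          . esc_attr($rule_i) . '][field]"'
          . ' value="' . esc_attr($rule['field']) . '" />' . "\n</div>\n";
    return $out;
}

// Constructed sample input: markup characters in each affected parameter.
$field = array(
    'type'  => 'text" data-x="1',
    'key'   => 'field_demo1',
    'label' => '<b>label</b>',
    'name'  => '<i>name</i>',
);
$rule = array('field' => '"><u>rule</u>');
$html = acf_demo_render_row($field, $rule, 0);
echo $html;

// Fail if any sample value reached the output as live markup.
if (strpos($html, '<b>') !== false || strpos($html, '"><u>') !== false) {
    fwrite(STDERR, "unescaped markup in output\n");
    exit(1);
}
```

In the plugin's template the same calls would wrap each `echo` in place, so stored field values are rendered as text rather than markup.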