Home page logo

fulldisclosure logo Full Disclosure mailing list archives

XSS vulnerability in wordpress plugin abc-test
From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Wed, 26 Sep 2012 07:31:47 +0100

This effects version 0.1 of abc-test the hole is fixed in version 0.2

Affected products:

Product : wordpress plugin abc-test
Affected file:   abctest_config.php


The file abctest_config.php does not sanitize the input from $_GET ['id']
effectively. This allows a user to launch a cross site scripting attack
against this file. While the effectiveness of such an attack is somewhat
limited by the wordpress platform adding \ to quotes, it still may be
possible to inject cookie stealing objects (flash files for example).

Example code:


Suggested fix:

Sanitize the $_GET super global.


24-Sept-2012 Vendor and wordpress informed.
25-Sept-2012 Vendor confirmed the security issue and patched.
26-Sept-2012 Public release of the vulnerability, via the full disclosure

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • XSS vulnerability in wordpress plugin abc-test Scott Herbert (Sep 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]