mailing list archives
XSS vulnerability in wordpress plugin abc-test
From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Wed, 26 Sep 2012 07:31:47 +0100
This effects version 0.1 of abc-test the hole is fixed in version 0.2
Product : wordpress plugin abc-test
Affected file: abctest_config.php
The file abctest_config.php does not sanitize the input from $_GET ['id']
effectively. This allows a user to launch a cross site scripting attack
against this file. While the effectiveness of such an attack is somewhat
limited by the wordpress platform adding \ to quotes, it still may be
possible to inject cookie stealing objects (flash files for example).
Sanitize the $_GET super global.
24-Sept-2012 Vendor and wordpress informed.
25-Sept-2012 Vendor confirmed the security issue and patched.
26-Sept-2012 Public release of the vulnerability, via the full disclosure
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- XSS vulnerability in wordpress plugin abc-test Scott Herbert (Sep 26)