WordPress Tweet-Wheel plugin version 1.0.3.2 suffers from a cross site scripting vulnerability.
8d2914a71d4ff443cfcf79b23168cfe5ec719cbb01f6054d5570aa5be2b3f230
## FULL DISCLOSURE
#Product :Tweet-wheel
#Exploit Author : Rahul Pratap Singh
#Version :1.0.3.2
#Home page Link : https://wordpress.org/plugins/tweet-wheel/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
Following parameters are not sanitized that leads to XSS Vulnerability.
consumer_key,consumer_secret,access_token,access_token_secret
----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: testfiles/tweet-wheel/includes/views/auth.php
Found at line:34
<input style="width:400px" type="text" name="consumer_key" value="<?php
echo isset( $_POST['consumer_key'] ) ? $_POST['consumer_key'] : ''; ?>">
Found at line:40
<input style="width:400px" type="text" name="consumer_secret" value="<?php
echo isset( $_POST['consumer_secret'] ) ? $_POST['consumer_secret'] : '';
?>">
Found at line:46
<input style="width:400px" type="text" name="access_token" value="<?php
echo isset( $_POST['access_token'] ) ? $_POST['access_token'] : ''; ?>">
Found at line:52
<input style="width:400px" type="text" name="access_token_secret"
value="<?php echo isset( $_POST['access_token_secret'] ) ?
$_POST['access_token_secret'] : ''; ?>">
----------------------------------------
Fix:
Update to 1.0.4
Vulnerability Disclosure Timeline:
→ March 14, 2016 – Bug discovered, initial report to Vendor.
→ March 22, 2016 – No Response. Report sent again.
→ March 23, 2016 – WordPress Acknowledged.
→ April 21, 2016 – Full Disclosure.
Pub Ref:
https://0x62626262.wordpress.com/2016/04/21/tweet-wheel-xss-vulnerability/
https://wordpress.org/plugins/tweet-wheel/changelog/