exploit the possibilities

WordPress GD bbPress Attachments 2.1 Cross Site Scripting

WordPress GD bbPress Attachments 2.1 Cross Site Scripting
Posted Jul 12, 2015
Authored by Tom Adams

WordPress GD bbPress Attachments plugin version 2.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | c4c2f46ab844bdf8be36e1a6dc47cd39

WordPress GD bbPress Attachments 2.1 Cross Site Scripting

Change Mirror Download
Details
================
Software: GD bbPress Attachments
Version: 2.1
Homepage: http://wordpress.org/plugins/gd-bbpress-attachments/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-gd-bbpress-attachments-allows-an-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
Reflected XSS in GD bbPress Attachments allows an attacker to do almost anything an admin can

Vulnerability
================
This plugin outputs the value of $_GET[‘tab’] without escaping (see forms/panels.php lines 3 and 39). An attacker could easily construct an URL which performs virtually any action an admin is able to perform, including creating/deleting users/posts, injecting malicious HTML into user-facing pages, or editing PHP files (if that feature hasn’t been disabled).

Proof of concept
================
Visit the following URL in a browser with no reflected XSS protection (i.e. Firefox or older versions of IE):
http://localhost/wp-admin/edit.php?post_type=forum&page=gdbbpress_attachments&tab=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Mitigations
================
Upgrade to version 2.3 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2015-02-25: Discovered
2015-07-01: Reported to vendor via email form on https://www.dev4press.com/contact/
2015-07-01: Requested CVE
2015-07-01: Vendor responded
2015-07-04: Vendor confirmed fixed
2015-07-08: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.




Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close