WP Lead Management v3.0.0 Persistent XSS

2012.08.05
Credit: Chris Kellum
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: WP Lead Management v3.0.0 Persistent XSS
# Date: 8/5/12
# Exploit Author: Chris Kellum
# Software Link: http://downloads.wordpress.org/plugin/wp-effective-lead-management.3.0.1.zip
# Version: 3.0.0

=====================
Vulnerability Details
=====================

The form does not properly sanitize input fields, allowing for XSS.

Example: <script>alert('xss')</script>

XSS will fire when the admin views the lead management page if the javascript is included in the name, otherwise the javascript can be included in the "requirements" field and will fire when an admin "picks" the lead.

===================
Disclosure Timeline
===================

8/4/12 - Vulnerability discovered. No author contact information available. Public disclosure.
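Added example, not part of the original advisory and not the plugin's own code: the two sinks described above (the lead name in the admin list view, the "requirements" field in the detail view) rendered without and with output escaping. The $lead array layout and all function names are hypothetical; the payload is the advisory's own example string.

```php
<?php
declare(strict_types=1);

// Constructed sample: a lead as stored after an unsanitized form submission.
// The field names follow the advisory; the array layout and the functions
// below are hypothetical and only illustrate the two sinks.
$lead = [
    'name'         => "<script>alert('xss')</script>",
    'requirements' => "Need a quote\n<script>alert('xss')</script>",
];

// Escape a stored value for the HTML body context at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the stored value is concatenated into the admin page as markup,
// so the browser parses the <script> element when the list is viewed.
function render_row_unsafe(array $lead): string
{
    return '<tr><td>' . $lead['name'] . '</td></tr>';
}

// Hardened list view: the name is emitted as text, not markup.
function render_row_safe(array $lead): string
{
    return '<tr><td>' . h($lead['name']) . '</td></tr>';
}

// Hardened detail view: escape first, then convert newlines to <br />,
// so the only markup in the output is markup this function generated.
function render_detail_safe(array $lead): string
{
    return '<div class="requirements">' . nl2br(h($lead['requirements'])) . '</div>';
}

echo render_row_unsafe($lead), PHP_EOL;
echo render_row_safe($lead), PHP_EOL;
echo render_detail_safe($lead), PHP_EOL;
```

In a WordPress plugin the equivalent output call is esc_html(), with sanitize_text_field() applied when the form submission is saved.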

References:

http://downloads.wordpress.org/plugin/wp-effective-lead-management.3.0.1.zip

