*WordPress "Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security
Vulnerabilities*
Exploit Title: Wordpress "Max Banner Ads" Plugin /info.php &zone_id
Parameter XSS Security Vulnerabilities
Product: Wordpress "Max Banner Ads" Plugin
Vendor: MaxBlogPress
Vulnerable Versions: 1.9 1.8 1.4 1.3.* 1.2.* 1.1 1.09
Tested Version: Check All Related Versions' Source Code
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]
*Advisory Details:*
*(1) Vendor & Product Description:*
*Vendor:*
MaxBlogPress
*Product & Version:*
Wordpress "Max Banner Ads" Plugin
1.9 1.8 1.4 1.3.7 1.3.6 1.3.5 1.3.4 1.3.3 1.3.2 1.3.1
1.3
1.2.7 1.2.6 1.2.5 1.2 1.1 1.09
*Vendor URL & Download:*
Wordpress "Max Banner Ads" Plugin can be downloaded from here,
http://www.maxblogpress.com/plugins/
*Product Introduction:*
"Easily add and rotate banners in your wordpress blog anywhere you like
without editing any themes or touching any codes"
*(2) Vulnerability Details:*
Wordpress "Max Banner Ads" Plugin has a web application security bug
problem. It can be exploited by XSS (Cross-site Scripting) attacks.
*(2.1) *The vulnerability occurs at "info.php?" page with "zone_id"
parameter.
*References:*
http://tetraph.com/security/xss-vulnerability/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-max-banner-ads-plug-in-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts