WordPress Google Adsense 1.29 Cross Site Scripting

2015.12.18
Credit: Madhu Akula
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Plugin Name : Google Adsense Effected Version : 1.29 (and most probably lower version's if any) Vulnerability : A3-Cross-Site Scripting (XSS) Identified by : Madhu Akula Technical Details Minimum Level of Access Required : Administrator PoC - (Proof of Concept) : http://localhost/wp-admin/admin.php?page=bws_plugins&action=system_status In the field send to custom email put payload as -> ("><img src=x onerror=prompt(document.cookie)>) Video Demonstration : http://www.youtube.com/watch?v=jM0DuD-mtxk Type of XSS : Reflected Disclosure Timeline Vendor Contacted : 2014-08-04 Plugin Status : Updated on 2014-08-07 Public Disclosure : October 3, 2015 CVE Number : Not assigned yet Plugin Description : Google AdSense Plugin creates blocks to display ads on your website. It allows to customize the ads displaying, such as format (text ad, image, text with an image or link), size, color of the elements in the ad block, rounded corners and the ad block position on the website. It provides possibility to make ads unique and original.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top