Product: WordPress Concours Plugin - https://wordpress.org/plugins/wp-concours/
Tested version: 1.1
CVE ID: CVE-2017-17719
** CVE description **
A cross-site scripting (XSS) vulnerability in the wp-concours plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the result_message parameter to includes/concours_page.php.
** Technical details **
In wp-concours/includes/concours_page.php:18, $_REQUEST['result_message'] is stored in the $message_str variable without proper sanitization. This variable is then echoed back to the user on line 28.
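The pattern described above, next to a hardened form, as an added example: this is not the plugin's source code, and the function names, the surrounding markup and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration of the pattern the advisory describes; not the plugin's
// actual code. Function names and the <div> wrapper are hypothetical.

// Pattern as described: the request value is copied into $message_str
// and written into the page without encoding.
function render_message_unsafe(array $request): string
{
    $message_str = isset($request['result_message']) ? $request['result_message'] : '';
    return '<div class="result">' . $message_str . '</div>';
}

// Hardened form: treat the value as plain text and encode it at output time.
// Inside WordPress the equivalent calls are
// esc_html( sanitize_text_field( wp_unslash( $_REQUEST['result_message'] ) ) ).
function render_message_safe(array $request): string
{
    $raw = isset($request['result_message']) ? $request['result_message'] : '';
    if (!is_string($raw)) {
        // result_message[]=... arrives as an array; reject anything non-scalar.
        $raw = '';
    }
    $message_str = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="result">' . $message_str . '</div>';
}

// Constructed sample input: harmless markup standing in for
// attacker-controlled HTML in the result_message parameter.
$request = ['result_message' => 'Thanks <em class="x">for</em> voting'];

echo render_message_unsafe($request), PHP_EOL; // markup reaches the page intact
echo render_message_safe($request), PHP_EOL;   // markup is shown as inert text
```

Encoding at the point of output is what closes the issue; input filtering alone leaves any other echo of the same value exposed.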
** Proof of Concept **
** Solution **
No fix available yet.
** Timeline **
28/09/2017: vendor contacted; vendor asks for technical report
06/10/2017: requested an update regarding the fix; vendor says in November
05/12/2017: sent an e-mail to warn about the release of that advisory; no reply
19/12/2017: report published
** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).
Orange Cyberdefense Singapore (CERT-LEXSI)