Product: WordPress Concours Plugin - https://wordpress.org/plugins/wp-concours/
Vendor: Olyos
Tested version: 1.1
CVE ID: CVE-2017-17719
** CVE description **
A cross-site scripting (XSS) vulnerability in the wp-concours plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the result_message parameter to includes/concours_page.php.
** Technical details **
In wp-concours/includes/concours_page.php:18, $_REQUEST['result_message'] is stored in the $message_str variable without proper sanitization. This variable is then echoed back to user on line 28.
Vulnerable code:
https://plugins.trac.wordpress.org/browser/wp-concours/trunk/includes/concours_page.php#L18
** Proof of Concept **
http://<host>/wordpress/wp-admin/admin.php?page=concours&result_message=<script>alert(document.cookie);</script>
** Solution **
No fix available yet.
** Timeline **
28/09/2017: vendor contacted; vendor asks for technical report
06/10/2017: requested an update regarding the fix; vendor says in November
05/12/2017: sent an e-mail to warn about the release of that advisory; no reply
19/12/2017: report published
** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).
--
Best Regards,
Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)