Subject: Persistent XSS in Broken Link manager Ver 0.5.5
Date: Thu, 16 Jul 2015 10:13:59 +0200


Plugin: Broken Link manager Ver 0.5.5

Unauthenticated attackers can inject malicious HTML/JavaScript. The Referer and User-Agent headers are not sanitized when displayed in the log (http://localhost/wp-admin/admin.php?page=wblm-log), which leads to a persistent XSS vulnerability.

1. XSS (_custom_redirect())

URL: Non-existent (one that produces a 404)
Function: _custom_redirect
Vulnerable header parameters: Referer, User-Agent


curl -A "<script>alert(1);</script>" -e "<script>alert(2);</script>" http://localhost/index.php/some/url/that/does/not/exist

Then visit http://localhost/wp-admin/admin.php?page=wblm-log

Marcin Probola,
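
One way to check web server access logs for requests matching the pattern above (404 responses whose Referer or User-Agent carries HTML markup). This is an added example, not part of the original advisory or the plugin's code. The combined log format, the constructed sample lines and the function names are assumptions; the `escaped` field shows how each value reads once HTML-encoded on output.

```python
import html
import re

# Assumed format: Apache/nginx "combined" access log.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# An opening or closing tag, or a comment/doctype start, inside a header value.
MARKUP = re.compile(r'<\s*/?\s*[A-Za-z!]')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jul/2015:10:02:11 +0200] "GET /index.php/some/url/that/does/not/exist HTTP/1.1" '
    '404 512 "<script>alert(2);</script>" "<script>alert(1);</script>"',
    '198.51.100.4 - - [16/Jul/2015:10:03:40 +0200] "GET /old-page HTTP/1.1" '
    '404 512 "http://example.com/links" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [16/Jul/2015:10:05:02 +0200] "GET / HTTP/1.1" '
    '200 4821 "-" "<b>probe</b>"',
]

def find_injected_headers(lines):
    """Return 404 requests whose Referer or User-Agent contains HTML markup."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        # Only 404s matter here: per the advisory, those are what the plugin logs.
        if not m or m.group("status") != "404":
            continue
        bad = [f for f in ("referer", "agent") if MARKUP.search(m.group(f))]
        if bad:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "request": m.group("request"),
                "fields": bad,
                # What the log page should emit instead of the raw header value.
                "escaped": {f: html.escape(m.group(f)) for f in bad},
            })
    return hits

if __name__ == "__main__":
    for hit in find_injected_headers(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["request"], hit["fields"])
        for field, value in hit["escaped"].items():
            print("   ", field, "->", value)
```
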