WordPress Altos Connect Widget 1.3.0 Cross Site Scripting

Posted on Posted in Exploit

WordPress Altos Connect Widget plugin version 1.3.0 suffers from a cross site scripting vulnerability.

Title: WordPress 'Altos Connect Widget' Plugin 
Version: 1.3.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-15
Download: 
- https://wordpress.org/plugins/altos-connect/
- https://plugins.svn.wordpress.org/altos-connect/
Notified WordPress: 2015-06-21
==========================================================

## Plugin description
==========================================================
Description: Altos Connect registration widget for WordPress®. Altos Connect registration widget for WordPress®. The Altos Connect plugin can be us

## XSS vulnerability
==========================================================
The _SERVER variable 'PHP_SELF' is printed without sanitization in a captcha demo page (which is not removed when installing). This can be exploited with a direct link to the vulnerable file.

PoC:
[URL]/wp-content/plugins/altos-connect/jquery-validate/demo/demo/captcha/index.php/"><script>alert(1)</script>

It seems like this is fixed in the newest version of jquery-validate, but this plugin has not been patched.

## Solution
==========================================================
No fix available

==========================================================
Vulnerability found using Eir; an early stage static vulnerability scanner for PHP applications.

Quelle: Packet storm Security

Facebooktwittergoogle_plus