Reflected XSS in vospari forms plugin
Credit
This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)
Timeline
- 2016-07-31: Vendor Notified
- 2016-08-01: Vendor fixed plugin with version 1.4
- 2016-11-21: Advisory Published
Product
The plugin generates registration and authorization forms that transmit data to the TradeSmarter trading platform. Forms are generated by a simple shortcode.
Risk / Severity Rating
Not calculated
Description and Impact
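The a_aid parameter on a page that has a form allows for reflected XSS. Line 412 of the plugin source echoes the request value into the src attribute of an iframe without any escaping:
echo '<iframe src="'.$protocol.'://trading.vospari.com/ru?a_aid='.$_GET['a_aid'].'" style="display:none;" width="0" height="0"></iframe>';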
Proof of Concept
http://wordpress.site/?page_id=2&a_aid="></iframe><script+src%3Ddata%3A%26comma%3Balert(1)%2F%2F
This would execute alert(1), but could be used to run something more malicious.
Solution
Upgrade to version 1.4
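For sites that carry a similar pattern in their own code, the following added example (not the plugin's code and not the vendor's 1.4 patch, which this advisory does not show) puts the reported echo pattern beside a context-encoded version. The function names, the scheme check and the sample value partner42 are assumptions made for the illustration.

```php
<?php
// Added example: plain PHP so it runs outside WordPress.
// Inside WordPress, esc_url() / esc_attr() are the usual output helpers.

// Same construction as the reported line: the raw request value is
// concatenated straight into the src="..." attribute.
function tracking_iframe_vulnerable(string $protocol, string $a_aid): string {
    return '<iframe src="' . $protocol . '://trading.vospari.com/ru?a_aid=' . $a_aid
         . '" style="display:none;" width="0" height="0"></iframe>';
}

// Hardened form: encode for each context the value passes through.
function tracking_iframe_hardened(string $protocol, string $a_aid): string {
    // Only two schemes are meaningful here (assumption about $protocol).
    $scheme = ($protocol === 'http') ? 'http' : 'https';
    // 1. URL context: the value is one query-string component.
    $url = $scheme . '://trading.vospari.com/ru?a_aid=' . rawurlencode($a_aid);
    // 2. HTML attribute context: quotes and angle brackets become entities.
    $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<iframe src="' . $src
         . '" style="display:none;" width="0" height="0"></iframe>';
}

// Sample inputs: a constructed benign id, and the a_aid value from the
// advisory's proof of concept after URL decoding.
$samples = [
    'partner42',
    '"></iframe><script src=data:&comma;alert(1)//',
];

foreach ($samples as $value) {
    foreach (['tracking_iframe_vulnerable', 'tracking_iframe_hardened'] as $fn) {
        $html = $fn('https', $value);
        // A literal <script in the output means the value left the attribute.
        $escaped = (strpos($html, '<script') === false) ? 'stays in attribute' : 'breaks out';
        printf("%-28s %s\n  %s\n", $fn, $escaped, $html);
    }
}
```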
Legal
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.