cjc.im / advisories / 0007

Reflected XSS in vospari forms plugin

Credit

This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)

Timeline

Product

The plugin is designed to generate registration and authorization forms, which transmit data to the TradeSmarter trading platform. Forms are generated by a simple shortcode.

Risk / Severity Rating

Not calculated

Description and Impact

The a_aid GET parameter is echoed without escaping into the src attribute of an iframe on any page that has a form, which allows reflected XSS. The vulnerable code (line 412):

echo '<iframe src="'.$protocol.'://trading.vospari.com/ru?a_aid='.$_GET['a_aid'].'" style="display:none;" width="0" height="0"></iframe>';

Proof of Concept

http://wordpress.site/?page_id=2&a_aid="></iframe><script+src%3Ddata%3A%26comma%3Balert(1)%2F%2F

This would execute alert(1), but the same injection could be used to run something more malicious.

Solution

Upgrade to version 1.4
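For anyone auditing similar code, one way to emit the same iframe with a_aid encoded for each context it passes through. This is an added example, not the plugin's code or the vendor's 1.4 fix; the function name build_tracking_iframe is hypothetical, and it is written in plain PHP so it runs outside WordPress.

```php
<?php
// Added example: not the plugin's code and not the vendor's 1.4 fix.
// build_tracking_iframe() is a hypothetical helper name.

/**
 * Build the hidden iframe with a_aid encoded for both contexts it lands in:
 * first a URL query value, then a double-quoted HTML attribute.
 */
function build_tracking_iframe(string $protocol, $a_aid): string
{
    // Allow-list the scheme instead of trusting a computed value.
    $scheme = ($protocol === 'https') ? 'https' : 'http';

    // Arrays (?a_aid[]=x) and missing values collapse to an empty string.
    $a_aid = is_string($a_aid) ? $a_aid : '';

    // Context 1: query-string value. Percent-encodes ", <, >, &, space, etc.
    $url = $scheme . '://trading.vospari.com/ru?a_aid=' . rawurlencode($a_aid);

    // Context 2: HTML attribute value.
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<iframe src="' . $attr
        . '" style="display:none;" width="0" height="0"></iframe>';
}

// The a_aid value from the Proof of Concept above, URL-decoded as PHP
// would present it in $_GET.
$poc = '"></iframe><script src=data:&comma;alert(1)//';

$html = build_tracking_iframe('http', $poc);
echo $html, PHP_EOL;

// The payload must not be able to close the attribute or open a new tag:
// only the 8 quotes and 2 tag openers written by the template may remain.
if (substr_count($html, '"') !== 8
    || substr_count($html, '<') !== 2
    || stripos($html, '<script') !== false) {
    throw new RuntimeException('payload escaped the src attribute');
}
echo "payload stayed inside the src attribute\n";
```

Inside the plugin the call would be build_tracking_iframe($protocol, $_GET['a_aid'] ?? ''). Within WordPress, esc_url() is the usual helper for the attribute-escaping step.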

References

Legal

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.