WordPress ABC-Test 0.1 Cross Site Scripting
Posted on 27 September 2012
This affects version 0.1 of abc-test; the hole is fixed in version 0.2.

---------
Affected products:
---------
Product : wordpress plugin abc-test
Affected file: abctest_config.php

----
Details:
----
The file abctest_config.php does not sanitize the input from $_GET['id'] effectively. This allows a user to launch a cross site scripting attack against this file. While the effectiveness of such an attack is somewhat limited by the WordPress platform adding backslashes to quotes in request parameters, it still may be possible to inject cookie stealing objects (flash files for example).

Example code:
http://localhost/blog/wp-admin/admin.php?page=abctest&do=edit&id=%22%3E%3Ch1%3EXSS%3C/h1

-------
Suggested fix:
-------
Sanitize the $_GET super global.

----
Timeline:
----
24-Sept-2012 Vendor and wordpress informed.
25-Sept-2012 Vendor confirmed the security issue and patched.
26-Sept-2012 Public release of the vulnerability, via full disclosure and http://scott-herbert.com/blog/2012/09/26/xss-vulnerability-in-wordpress-plug-in-abc-test-1107
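The following PHP is an added illustration, not the plugin's own code: a hypothetical handler modelled on the advisory's description (an `id` parameter echoed straight into an HTML attribute), beside a hardened version that treats `id` as the integer it is supposed to be. The function names, the attribute context and the sample request are assumptions. It also shows why the quote-escaping the advisory mentions (WordPress's `wp_magic_quotes()` runs `addslashes()` over `$_GET`) does not stop the published payload: a backslash is not an escape character in HTML, so `\"` still terminates the attribute.

```php
<?php
// Added example, not abc-test's code. Hypothetical handler based on the
// advisory: $_GET['id'] is written into an HTML attribute without sanitizing.

// Vulnerable pattern: raw echo of the request parameter into an attribute.
function render_edit_form_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Hardened: 'id' is an integer, so validate it as one and reject anything
// else. Output is still HTML-escaped so the attribute cannot be broken out of.
// In WordPress the equivalents are absint($_GET['id']) and esc_attr().
function render_edit_form_fixed(array $get): string
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return '<p>Invalid id.</p>';
    }
    $safe = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $safe . '">';
}

// Constructed request: the payload from the advisory's example URL, passed
// through addslashes() to mimic what WordPress's wp_magic_quotes() does to
// $_GET before the plugin sees it.
$payload = urldecode('%22%3E%3Ch1%3EXSS%3C/h1');
$get     = ['id' => addslashes($payload)];

echo "vulnerable: ", render_edit_form_vulnerable($get), "\n";
echo "fixed:      ", render_edit_form_fixed($get), "\n";
echo "fixed, valid id: ", render_edit_form_fixed(['id' => '7']), "\n";
```

The vulnerable handler emits `value="\"><h1>XSS</h1">`: the browser ends the attribute at the second `"` (the backslash is just a character), so the `<h1>` renders and an `<object>`/`<embed>` payload would render just the same. The fixed handler returns `<p>Invalid id.</p>` for the payload and `value="7"` for a real id; casting to an integer removes the injection point entirely, which is a stronger fix than escaping alone.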