
CVE-2015-9410: XSS Vulnerability in Blubrry PowerPress Podcasting plugin Version 6.0.4 · Issue #7 · cybersecurityworks/Disclosed

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.


Details

WordPress Product Bugs Report
Bug Name: Cross Site Scripting (XSS)
Software: Blubrry PowerPress Podcasting plugin
Version: 6.0.4
Last Updated: 27-08-2015
Homepage: https://wordpress.org/plugins/powerpress/developers/
Compatible up to: WordPress 4.3.0 (Requires: 3.6 or higher)
Severity: High
Description: Cross Site Scripting (XSS) vulnerability in WordPress plugin NextGen Gallery

Proof of concept: (POC)

On a site with this plugin installed, visit http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php, change the value of the tab variable to the payload "></script><script>alert(document.cookie);</script> and send the request to the server.

The server echoes the added XSS payload back without validating the input. It also affects the wp-config.php file and $table_prefix, and corrupts database connectivity.

Note: The XSS payload was tested against the application after enabling the unfiltered HTML setting in the wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

Issue 1:

The tab variable of the POST request to the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php is vulnerable to Cross Site Scripting (XSS).

Figure 1: Invalid HTTP script request sent to the server through the vulnerable tab variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php; it is echoed back in the HTTP response without validation.

Reproducing Steps

  1. Log on to any WordPress application (localhost or public host).
  2. Modify the value of the tab variable in Blubrry PowerPress version 6.0.4.
  3. Fill all the variables with the "></script><script>alert(document.cookie);</script> payload and send the request to the server.
  4. The added XSS payload is echoed back from the server without input validation, even after the wp-config.php file has been configured with the XSS filter settings.

Timeline

2015-09-04 – Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.
2015-09-04 – Reported to [email protected]
2015-09-07 – Vendor Responded, “Thank you for reporting this plugin. We’re looking into it right now.”
2015-09-09 – Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

Discovered by:
Sathish from Cyber Security Works Pvt Ltd
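
The echo-without-validation flaw reported above and one way to close it, as an added example that is not part of the original report and is not PowerPress code. The hidden-field sink, the tab names and the function names are assumptions made for illustration. DISALLOW_UNFILTERED_HTML only controls filtering of content that users save, so the correction has to sit where the plugin outputs the request value.

```php
<?php
// Added example: hypothetical admin-page code, not taken from PowerPress.

// Tabs the settings page is assumed to have (names invented for this sketch).
const ALLOWED_TABS = ['basic', 'feeds', 'appearance'];

// "Before": the request value goes into an HTML attribute unchanged, which is
// the echo-without-validation behaviour the report describes.
function render_tab_field_vulnerable(array $request): string
{
    $tab = $request['tab'] ?? 'basic';
    return '<input type="hidden" name="tab" value="' . $tab . '" />';
}

// Output encoding for an attribute context. In WordPress code esc_attr()
// plays this role; htmlspecialchars() keeps the sketch runnable on its own.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "After": validate against an allow-list first, then encode on output.
function render_tab_field_hardened(array $request): string
{
    $tab = $request['tab'] ?? 'basic';
    if (!is_string($tab) || !in_array($tab, ALLOWED_TABS, true)) {
        $tab = 'basic'; // unknown value: fall back instead of reflecting it
    }
    return '<input type="hidden" name="tab" value="' . encode_attr($tab) . '" />';
}

// Constructed request carrying the payload quoted in the report.
$request = ['tab' => '"></script><script>alert(document.cookie);</script>'];

// The raw payload survives in the first line and not in the other two.
echo render_tab_field_vulnerable($request), "\n";
echo render_tab_field_hardened($request), "\n";
// Encoding alone, for fields that must accept free-form text:
echo '<input type="text" value="' . encode_attr($request['tab']) . '" />', "\n";
```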
