Wordpress Securepress Plugin Vulnerability

http://wordpress.org/extend/plugins/securepress-plugin/
While looking around in a Wordpress install, I found this little gem:
line 2218:
$back = isset($_POST['back']) ? $_POST['back'] : null;


Line 2349:
<input type="button" value="Cancel" 
onclick="eval(\'memos.\'+\''.addcslashes($back,"'").'\')" />

$back is never properly escaped for JS...
They should use json_encode instead.

I can inject arbitrary JavaScript into a post request for the "back" parameter and have it come out in your browser.
Tested on plugin version 8.4.01.

-0xKizano

Comments

Popular posts from this blog

Setup and Install Monero(d) -- p2pool -- xmrig

Build xmrig on Linux

Git: Process