EasyRotator for WordPress [Reflected XSS]

Description

The EasyRotator for WordPress plugin is vulnerable to reflected XSS: an attacker forges a malicious link and convinces a legitimate user to open it.

The plugin does not properly escape user-provided input before printing it in the user's browser, which allows malicious JavaScript to be injected into the page. The vulnerable code is in the method \EasyRotatorWP::renderRotator():

if (!preg_match('|/erc_[^/]+$|', $path) || !file_exists($path) || !is_dir($path))
{
    // $fullPath is concatenated into the HTML response without any escaping (the XSS sink)
    return ('<div style="background:#000; padding: 10px; color: #FFF;">Invalid rotator ID specified (path <em>' . $fullPath . '</em> doesn\'t exist).  Unable to display rotator.</div>');
}

The vulnerable parameter is $_GET['path'].
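The following is an added example, not the plugin's own code, showing the error branch above beside a hardened version in which the reflected value is HTML-escaped at the output sink. The function names, the esc_html() fallback for running outside WordPress, and the sample input are assumptions made for illustration; only the vulnerable snippet itself comes from the advisory.

```php
<?php
// Added example (not EasyRotator's code): the renderRotator() error branch
// from the advisory, rewritten so the user-controlled path is HTML-escaped
// before it is concatenated into the markup. Function names are hypothetical.

// esc_html() is WordPress's escaping helper. When this file is run with the
// PHP CLI (no WordPress loaded) fall back to htmlspecialchars with the same
// intent: escape <, >, &, " and ' so the value cannot leave text context.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable form, as on the page: $fullPath is interpolated into HTML unchanged.
function render_invalid_rotator_vulnerable(string $fullPath): string
{
    return '<div style="background:#000; padding: 10px; color: #FFF;">Invalid rotator ID specified (path <em>'
        . $fullPath
        . '</em> doesn\'t exist).  Unable to display rotator.</div>';
}

// Hardened form: the only change is escaping the reflected value at the sink.
function render_invalid_rotator_fixed(string $fullPath): string
{
    return '<div style="background:#000; padding: 10px; color: #FFF;">Invalid rotator ID specified (path <em>'
        . esc_html($fullPath)
        . '</em> doesn\'t exist).  Unable to display rotator.</div>';
}

// Constructed sample input: the URL-decoded value of the PoC's path parameter.
$sample = '<script>alert(/XSS/)</script>';

echo "vulnerable: " . render_invalid_rotator_vulnerable($sample) . "\n";
echo "fixed:      " . render_invalid_rotator_fixed($sample) . "\n";

// Self-check: the hardened output must carry the tag only as escaped text.
assert(strpos(render_invalid_rotator_fixed($sample), '<script>') === false);
assert(strpos(render_invalid_rotator_fixed($sample), '&lt;script&gt;') !== false);
```

Note that the original check validates $path with preg_match() and file_exists(), yet it is $fullPath that is echoed; whatever $fullPath is built from, the reliable fix is to escape it at the point where it is written into HTML, since input validation alone does not make the error message safe to render.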

PoC

http://sbwp1.dev/?action=renderFrame&path=%3Cscript%3Ealert(/XSS/)%3C/script%3E
