Wp-D3 [Reflected XSS]
Description
Many of this plugin's AJAX actions are not properly handled. One of them
is previewContent. This action prints user input without validating
or escaping it.
Because the vulnerable action is a privileged one, a registered (logged-in) user has to click the link for this to work.
The vulnerable parameter is $_REQUEST['editor'].
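As an added illustration, not the Wp-D3 plugin's own source and not from the advisory's author: the class of bug described above in a hypothetical WordPress AJAX handler, with the unescaped version beside a hardened one. The action name previewContent and the postId and editor parameters are the ones named in the advisory; the function names and the nonce action 'wpd3_preview' are assumptions.

```php
<?php
// Added example: hypothetical plugin code showing the pattern the advisory
// describes (an AJAX action that reflects a request parameter unescaped).
// This is NOT the Wp-D3 plugin's actual source.

// VULNERABLE PATTERN: $_REQUEST['editor'] is printed straight into an HTML
// attribute with no capability check, no nonce check and no escaping. A value
// that closes the attribute (the advisory's PoC) runs as script in the browser
// of the logged-in user who opened the link.
function wpd3_preview_content_vulnerable() {
    $post_id = $_REQUEST['postId'];
    $editor  = $_REQUEST['editor'];
    echo '<div class="d3-preview" data-editor="' . $editor . '">';
    echo 'Preview of post ' . $post_id;
    echo '</div>';
    wp_die();
}

// HARDENED PATTERN:
//  1. check_ajax_referer() requires a nonce issued to this user, so a link
//     opened from outside the site does not carry a valid token;
//  2. current_user_can() enforces the privilege the action is meant to need;
//  3. each value is validated (absint) or sanitized, then escaped for the
//     context it is printed into (esc_attr for attributes, esc_html for text).
function wpd3_preview_content_hardened() {
    check_ajax_referer( 'wpd3_preview', 'nonce' ); // 'wpd3_preview' is an assumed nonce action
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $post_id = isset( $_REQUEST['postId'] ) ? absint( $_REQUEST['postId'] ) : 0;
    $editor  = isset( $_REQUEST['editor'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['editor'] ) )
        : '';
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid postId', 400 );
    }
    echo '<div class="d3-preview" data-editor="' . esc_attr( $editor ) . '">';
    echo 'Preview of post ' . esc_html( (string) $post_id );
    echo '</div>';
    wp_die();
}

// Registered on the logged-in AJAX hook only, matching the advisory's note that
// a registered user must trigger it. The matching nonce is generated with
// wp_create_nonce( 'wpd3_preview' ) wherever the preview request is built.
add_action( 'wp_ajax_previewContent', 'wpd3_preview_content_hardened' );
```

The point of the hardened handler is that escaping alone is not enough: esc_attr() stops the reflected value from breaking out of the attribute, while the nonce and capability checks stop the privileged action from being triggered by a link the user did not intend to follow.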
PoC
http://sbwp2.dev/wp-admin/admin-ajax.php?action=previewContent&postId=1&editor="><script>alert(/XSS/)</script>
INFO
- 13 June 2016
- Pan Vag
- www.figurebelow.com
- Wp-D3
- WordPress 4.5.2
- DWF-2016-87031