User Access Manager [Reflected XSS]

Description

This is a typical reflected XSS. The vulnerable parameter is $_GET['id'] on the plugin settings page UAM → Manage User Groups (wp-admin/admin.php?page=uam_usergroup). The parameter is printed, without escaping, inside an HTML value attribute.

The $_GET['action'] parameter must also be present and set to editGroup for this attack to work.

PoC

http://wp.dev/1/wp-admin/admin.php?page=uam_usergroup&action=editGroup&id="><script>alert(1)</script>
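The unsafe pattern the description refers to, beside a hardened version, as an added example that is not the plugin's own code. esc_attr() and absint() are real WordPress core functions (polyfilled here so the file runs from the command line); the hidden-input field name and the assumption that group ids are numeric are mine.

```php
<?php
// Added example, not code from the User Access Manager plugin.
// esc_attr() and absint() are WordPress core functions; outside WordPress they are
// polyfilled here with the equivalent PHP so the file runs stand-alone.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint): int {
        return abs((int) $maybeint);
    }
}

// Vulnerable: the raw query-string value is concatenated into a quoted attribute,
// so a value starting with  ">  closes the attribute and the tag.
// Only rendered when action=editGroup, matching the condition in the description.
// The field name "uam_group_id" is an assumption, not taken from the plugin.
function render_edit_group_vulnerable(array $get): string {
    if (($get['action'] ?? '') !== 'editGroup') {
        return '';
    }
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="uam_group_id" value="' . $id . '" />';
}

// Hardened: validate the expected type first (group ids assumed numeric here),
// then attribute-escape on output so no remaining quote can break out of value="".
function render_edit_group_safe(array $get): string {
    if (($get['action'] ?? '') !== 'editGroup') {
        return '';
    }
    $id = absint($get['id'] ?? 0);
    return '<input type="hidden" name="uam_group_id" value="' . esc_attr($id) . '" />';
}

// Constructed request mirroring the PoC above; inside the plugin this would be $_GET.
$request = ['page' => 'uam_usergroup', 'action' => 'editGroup', 'id' => '"><script>alert(1)</script>'];

echo render_edit_group_vulnerable($request), "\n"; // attribute closed, script tag is live
echo render_edit_group_safe($request), "\n";       // value="0": payload never reaches the markup
```

With esc_attr() alone (no integer cast) the same request renders as value="&quot;&gt;&lt;script&gt;...", which is inert but shows that output escaping by itself already closes the hole.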

