User Submitted Posts [Persistent XSS]
User Submitted Posts plugin for WordPress suffers from an XSS vulnerability
Description
User Submitted Posts plugin for WordPress suffers from an XSS vulnerability. The user-submitted-content field of the new post submission form is not properly sanitized, allowing users to include JS code in the submitted post content.
Normally only users with the unfiltered_html capability are allowed to include JS code in post content. By default, Administrators or Super Administrators have this capability, so this is considered a Persistent XSS vulnerability.
Vulnerable code is in the user-submitted-posts/trunk/user-submitted-posts.php file:
if (isset($_POST['user-submitted-content'])) $content = stripslashes($_POST['user-submitted-content']);
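For comparison, an added example (not the plugin's code, and not necessarily how the vendor's fixed release handles it) of reading the same field so that only users holding unfiltered_html keep raw markup. The function name usp_example_get_submitted_content is hypothetical, and a loaded WordPress environment is assumed.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded:
// wp_unslash(), current_user_can() and wp_kses_post() are WordPress core functions.

/**
 * Hypothetical helper: read the submitted post body and filter it
 * according to the submitter's capabilities.
 */
function usp_example_get_submitted_content() {
    if ( ! isset( $_POST['user-submitted-content'] ) ) {
        return '';
    }

    // Array-valued input (user-submitted-content[]=...) is not valid post content.
    if ( ! is_string( $_POST['user-submitted-content'] ) ) {
        return '';
    }

    // Remove the slashes WordPress adds to superglobals
    // (the job stripslashes() does in the vulnerable line).
    $content = wp_unslash( $_POST['user-submitted-content'] );

    // Only users holding unfiltered_html may store raw markup.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }

    // Everyone else, including logged-out visitors, is limited to the
    // post-content allowlist: <script> tags, event-handler attributes
    // and javascript: URLs are stripped before the post is stored.
    return wp_kses_post( $content );
}

// Vulnerable form from the advisory, for comparison:
//   $content = stripslashes($_POST['user-submitted-content']);
// Filtered form:
$content = usp_example_get_submitted_content();
```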
PoC
- Submit the form, inserting JS code into the post content
- View the newly created post
- JS code is executed
Solution
Upgrade to v20160215
INFO
- 10 February 2016
- Pan Vag
- plugin-planet.com
- wordpress.org
- 20151113
- WordPress 4.4.2
TIMELINE
- 2016-02-10: Vendor notified via contact form at his website
- 2016-02-10: Vendor responded and received details about the issue
- 2016-02-14: Vendor released version 20160215