wp-plugin : wp-responsive-preview – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : wp-responsive-preview

 

Affected Version : 1.1 (and most probably lower versions, if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Anant Shrivastava

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 
http://localhost/wp-content/plugins/wp-responsive-preview/index.php?url="><script>alert(document.cookie)</script>&

 

Vulnerable Parameter: url
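The advisory only shows that index.php reflects the unauthenticated url parameter and that a value beginning with "> breaks out of a double-quoted attribute. The PHP below is an added illustration, not code from the plugin or its fixed release: the "vulnerable" function is an assumed shape of that reflection (an iframe src attribute), and the "hardened" function is one way to close it. Because the PoC reaches index.php directly rather than through WordPress, no WordPress helpers are assumed to be loaded; the fix uses only plain PHP.

```php
<?php
// Added example, not the wp-responsive-preview plugin's own code.
// ASSUMPTION: the plugin drops $_GET['url'] unescaped into a src="..." attribute.

// --- Vulnerable shape (assumed): raw reflection inside a double-quoted attribute ---
function preview_frame_vulnerable(string $url): string
{
    // '">' terminates the attribute and the tag; everything after it is parsed as markup,
    // which is exactly what the advisory's PoC value exploits.
    return '<iframe src="' . $url . '"></iframe>';
}

// --- Hardened: validate as an absolute http(s) URL, then escape for the attribute context ---
function preview_frame_hardened(string $url): ?string
{
    // 1. Scheme allow-list. Attribute escaping alone does NOT stop javascript: or data:
    //    URLs; a fully escaped src="javascript:..." still executes in an iframe.
    $parts = parse_url($url);
    if ($parts === false
        || empty($parts['host'])
        || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // 2. Context-correct escaping. ENT_QUOTES converts both ' and " to entities,
    //    so the value can no longer close the attribute; < and > become &lt; and &gt;.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe src="' . $safe . '"></iframe>';
}

// Command-line sanity check: compare both shapes on the advisory's payload.
if (PHP_SAPI === 'cli') {
    $poc = '"><script>alert(document.cookie)</script>';
    echo preview_frame_vulnerable($poc), "\n";            // markup broken open
    var_dump(preview_frame_hardened($poc));               // NULL: no scheme/host, rejected
    var_dump(preview_frame_hardened('javascript:alert(1)')); // NULL: scheme not allowed
    echo preview_frame_hardened('https://example.com/?a=1&b="x"'), "\n"; // quotes escaped
    exit;
}

// Web entry point: reject anything that is not a plain http(s) URL with a 400.
$input = isset($_GET['url']) ? (string) $_GET['url'] : '';
$frame = preview_frame_hardened($input);
if ($frame === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    echo "url must be an absolute http(s) URL\n";
    exit;
}
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');
echo $frame;
```

If the preview script is instead loaded through WordPress (for example by including wp-load.php, or by routing through a plugin hook rather than exposing the file directly), esc_url() performs both the protocol check and the display escaping in one call; the plain-PHP version above is shown because the PoC URL hits index.php without WordPress being bootstrapped.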

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-17

 
Plugin Status : Updated on 2014-02-02
 
Public Disclosure : 2014-06-12
 
CVE Number : CVE-2014-4594

 
Plugin Description :
 
Preview your site at random page widths to test your Responsive design.

WP Responsive Preview provides additional previewing options for your site. Loading a Responsive Preview will load the page in a flexible framework at a random width, helping you see how your page looks at different widths. It also lets you re-randomise the width quickly, to test multiple widths.


This plugin is based entirely on ish. from Brad Frost (http://bradfrostweb.com/demo/ish/), a great standalone tool for previewing your site at random widths. His post does the best job of explaining the reasoning behind ish. (and therefore WP Responsive Preview).

"The real reasons for this tool is to educate and to facilitate a mental shift. Many clients, designers and developers get hung up on specific device widths, which is why this tool doesn’t include any such language, device chrome or anything like that. Ish. helps keep everyone focused on making a design that looks and functions great at any resolution."
