wp-plugin : aprils-super-functions-pack – A3-Cross-Site Scripting (XSS)


Plugin Details

Plugin Name : aprils-super-functions-pack
Affected Version : 1.4.7 (and most probably lower versions, if any)
Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava

Technical Details

Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
Vulnerable Parameter : page, type
Type of XSS : Reflected
Fixed in : 1.4.8
Trac Changelog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=833934%40aprils-super-functions-pack&old=742940%40aprils-super-functions-pack&sfp_email=&sfph_mail=

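As an added illustration of the class of bug described above (this is not the plugin's own code; the advisory does not reproduce it), the following shows the pattern behind a reflected XSS in request parameters such as `page` and `type`, next to the way such code is normally hardened in a WordPress plugin. The function names `aspf_render_unsafe` and `aspf_render_safe`, the markup produced, and the list of accepted `type` values are assumptions made for the example; `esc_attr`, `esc_html`, `esc_url`, `sanitize_key`, `sanitize_text_field`, `wp_unslash` and `add_query_arg` are WordPress core functions.

```php
<?php
// Added illustrative example, not code from aprils-super-functions-pack.
// Assumes it runs inside WordPress, where the esc_*/sanitize_* helpers exist.

// Pattern behind a reflected XSS: request values are written straight into
// the response. Whoever controls the URL controls the markup, and because the
// request needs no session this matches "Unauthenticated" in the advisory.
function aspf_render_unsafe() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    $type = isset( $_GET['type'] ) ? $_GET['type'] : '';
    return '<div class="' . $type . '"><a href="?page=' . $page . '">' . $page . '</a></div>';
}

// Hardened version, three independent controls:
//  1. Validate: accept only `type` values the code actually knows.
//  2. Sanitize: unslash and normalise `page` before it is used.
//  3. Escape at output, picking the escaper for the context the value
//     lands in (attribute, URL, text node). Output escaping is the control
//     that closes the reflected XSS; validation only narrows the surface.
function aspf_render_safe() {
    $allowed_types = array( 'box', 'tab', 'column' ); // assumed list, for illustration only

    $type = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : '';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        $type = 'box'; // fall back to a known value instead of echoing the input
    }

    $page = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
    $url  = add_query_arg( 'page', $page ); // link back to the current request with ?page=...

    return sprintf(
        '<div class="%s"><a href="%s">%s</a></div>',
        esc_attr( $type ), // HTML attribute context
        esc_url( $url ),   // URL context
        esc_html( $page )  // text-node context
    );
}
```

When reviewing a fix such as the one in the Trac changeset linked above, the check is mechanical: locate every place a `$_GET`, `$_POST` or `$_REQUEST` value reaches `echo`, `print` or a returned string, and confirm each passes through a context-appropriate `esc_*` call at the point of output. Input sanitization alone (`sanitize_text_field` and similar) is not a substitute, since it does not HTML-encode the value.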

Disclosure Timeline

Vendor Contacted : 2014-01-04
Plugin Status : Updated on 2014-01-06
Public Disclosure : July 7, 2014
CVE Number : Not assigned yet

Plugin Description :
This plugin contains a large number of shortcodes that make it easy to lay out text on your site in more exciting ways than simple paragraphs, headers, and lists. There are also some template functions and useful JavaScript that theme developers may find useful.


* Columns - 2, 3, or 4
* Boxes with particular color, height, title
* Tabs (js-driven)
* Expand/Hide (js-driven)
* Buttons and icons
* Pull-quotes
* Dropcaps
* ... and more

Other Functions:

* Template function for displaying pages 'in the current section'
* Template function for displaying the image that belongs to a post
* JS to remove 'title' tags from WP-generated menus
* JS to allow pre-selecting a recipient from certain CForms forms
* JS to make suckerfish menus work in IE
* A replacement Text widget that lets you specify a class
