wp-plugin : athlon-manage-calameo-publications – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : athlon-manage-calameo-publications


Affected Version : 1.1.0 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameter : attachment_id


Type of XSS : Reflected


Fixed in : 1.1.1


Trac Changelog : https://plugins.trac.wordpress.org/changeset/834393/athlon-manage-calameo-publications/trunk/thickbox_content.php?old=690538&old_path=athlon-manage-calameo-publications%2Ftrunk%2Fthickbox_content.php
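As an added example (not part of this advisory and not the plugin's own code), a small validation and log-triage helper built on the facts above: attachment_id in thickbox_content.php is a WordPress post ID, so it should only ever be a positive integer, and any request carrying something else is worth alerting on. The log lines and the plugin path under /wp-content/plugins/ are constructed for the example.

```python
"""Triage helper for the reflected XSS class described in this advisory.

The vulnerable input is the attachment_id query parameter of the plugin's
thickbox_content.php. Because an attachment id is a post ID, a request whose
attachment_id is not a plain positive integer is anomalous. The log lines
below are constructed samples in Apache/nginx "combined" format, not real
traffic; the path is assumed, not taken from the advisory.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
POSITIVE_INT = re.compile(r"[0-9]+")

PLUGIN = "/wp-content/plugins/athlon-manage-calameo-publications/thickbox_content.php"
SAMPLE_LOG = f"""\
203.0.113.5 - - [07/Jul/2014:10:01:02 +0000] "GET {PLUGIN}?attachment_id=42 HTTP/1.1" 200 1532
203.0.113.9 - - [07/Jul/2014:10:01:07 +0000] "GET {PLUGIN}?attachment_id=42%3Cb%3Ex HTTP/1.1" 200 1601
198.51.100.2 - - [07/Jul/2014:10:02:00 +0000] "GET {PLUGIN}?attachment_id=-1 HTTP/1.1" 200 1510
203.0.113.5 - - [07/Jul/2014:10:03:00 +0000] "GET /index.php?p=3 HTTP/1.1" 200 9001
"""


def is_valid_attachment_id(value: str) -> bool:
    """Server-side rule the fix should enforce before the value is echoed:
    accept only a positive decimal integer, reject everything else."""
    return POSITIVE_INT.fullmatch(value) is not None and int(value) > 0


def find_suspicious_requests(log_text: str) -> list:
    """Return one record per request to thickbox_content.php whose
    attachment_id is missing or fails is_valid_attachment_id()."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, ts, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/thickbox_content.php"):
            continue
        # parse_qs already percent-decodes the value, so "%3C" arrives as "<".
        raw = parse_qs(parts.query, keep_blank_values=True).get("attachment_id", [""])[0]
        if not is_valid_attachment_id(raw):
            findings.append({"client": client, "time": ts,
                             "status": int(status), "attachment_id": raw})
    return findings
```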


Disclosure Timeline


Vendor Contacted : 2014-01-04

Plugin Status : Updated on 2014-01-07
Public Disclosure : July 7, 2014
CVE Number : Not assigned yet

Plugin Description :
This plugin allows managing Calameo account(s) through WordPress.
It gives users the ability to upload documents to Calameo and update or delete them afterwards.
Once a document is uploaded its preview can be easily embedded into blog posts or pages using the custom "Calameo" button in the WYSIWYG text editor.
The WP Calameo plugin must be installed in order to use all features of the `Athlon Manage Calameo Publication` plugin.

