wp-plugin : blogroll-fun

Plugin Details
Plugin Name: wp-plugin : blogroll-fun
Affected Version : 0.8.4 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : anantshri
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
Vulnerable Parameter : k
Type of XSS : Reflected
Fixed in : 0.8.5
Trac Changelog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=833165%40blogroll-fun&old=833158%40blogroll-fun&sfp_email=&sfph_mail=
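The advisory does not reproduce the vulnerable source, so the following is an added illustration rather than the blogroll-fun code: it shows the general pattern behind an unauthenticated reflected XSS on a request parameter such as `k`, and the fix using WordPress's own output-escaping functions. The function names `blogroll_fun_render_keyword_unsafe` / `blogroll_fun_render_keyword_safe` and the assumption that `k` is echoed into a paragraph and an input value are hypothetical; `esc_html()`, `esc_attr()`, `sanitize_text_field()` and `wp_unslash()` are real WordPress core functions.

```php
<?php
// Added example, not the blogroll-fun source. Assumes a hypothetical template
// that reflects the request parameter "k" (e.g. a filter keyword) into HTML.

// VULNERABLE pattern: the raw GET parameter is concatenated straight into the
// page. Anyone who can get a victim to open a crafted URL controls that part
// of the markup, which is exactly a reflected XSS on parameter "k".
function blogroll_fun_render_keyword_unsafe() {
    $k = isset( $_GET['k'] ) ? $_GET['k'] : '';
    echo '<p>Showing links matching: ' . $k . '</p>';          // unescaped HTML body
    echo '<input type="text" name="k" value="' . $k . '">';  // unescaped attribute
}

// HARDENED pattern: normalise the input once (wp_unslash + sanitize_text_field),
// then escape for the exact output context at the point of output. The escaping
// step is what closes the bug; input sanitisation alone is not a substitute.
function blogroll_fun_render_keyword_safe() {
    $k = isset( $_GET['k'] ) ? sanitize_text_field( wp_unslash( $_GET['k'] ) ) : '';
    echo '<p>Showing links matching: ' . esc_html( $k ) . '</p>';         // HTML body context
    echo '<input type="text" name="k" value="' . esc_attr( $k ) . '">'; // attribute context
}
```

When reviewing a fix like the one in the linked Trac changeset, check that every place the parameter is output uses the escaper matching its context (`esc_html()` for text, `esc_attr()` for attribute values, `esc_url()` for hrefs, `esc_js()` inside inline scripts); a single unescaped sink is enough for the finding to remain exploitable.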

Disclosure Timeline
Vendor Contacted : 2014-01-04
Plugin Status : Updated on 2014-01-05
Public Disclosure : July 7, 2014
CVE Number :
Plugin Description :
Blogroll Fun uses a subscription to a free service that allows it to easily determine the last update time and the last post for all of the links in your blogroll without slowing down the loading time of your blog. It allows you to choose whether you want to display this information in your blogroll or not. It simply replaces the standard WordPress link widget while providing additional functionality. Blogroll Fun can be compared to the feed reading blogroll. However, unlike the feed reading blogroll, the last post information is sent to your blog and stored with your blogroll. It does not rely on your visitors to load this information, or on any JavaScript tricks. Settings can be updated by going to Manage, Widgets, then Edit on the Links widget. Currently, no ads are being delivered through this plugin.