wp-plugin : clicksold-wordpress-plugin – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : clicksold-wordpress-plugin

 

Affected Version : 1.48 (and most probably lower versions, if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Anant Shrivastava

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 
 http://localhost/wp-content/plugins/clicksold-wordpress-plugin/cs_listing_404_page_editor.php?id=id'><script>alert(document.cookie)</script>&

 

Vulnerable Parameter : id

 

Fixed Version : 1.49

 

Type of XSS : Reflected

 

Trac Changelog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=834036%40clicksold-wordpress-plugin&old=820059%40clicksold-wordpress-plugin&sfp_email=&sfph_mail=#file2
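
A detection check for the request pattern in the PoC above, added here as an example (it is not code from the plugin or from the advisory's author): it scans web-server access-log entries for requests to cs_listing_404_page_editor.php whose decoded id value contains quote or angle-bracket characters. The combined log format, the function names and the sample entries are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path and parameter name as given in the advisory.
VULN_PATH = "/wp-content/plugins/clicksold-wordpress-plugin/cs_listing_404_page_editor.php"
VULN_PARAM = "id"
# Characters that let a reflected value close an attribute or open a tag.
BREAKOUT = re.compile(r"""['"<>]""")
# Request target inside a combined-format access-log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_id(line):
    """Return the decoded id value when the entry requests the affected
    script with markup characters in id; otherwise return None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes once, so %27%3E is seen the same as raw '>.
    for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
        if BREAKOUT.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_id) for every flagged entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_id(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jul/2014:10:00:01 +0000] "GET ' + VULN_PATH + '?id=content HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jul/2014:10:00:09 +0000] "GET /blog' + VULN_PATH + '?id=id%27%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 540',
    '198.51.100.7 - - [08/Jul/2014:10:00:12 +0000] "GET /index.php?id=%27%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: id={value!r}")
```

A hit on a site still running 1.48 or lower is a reason to update to the fixed version, 1.49, and to review the flagged requests.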

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-04

 
Plugin Status : Updated on 2014-01-11
 
Public Disclosure : July 7, 2014
 
CVE Number : Not assigned yet

 
Plugin Description :
 
ClickSold adds real estate related features to Agent and Brokerage websites built on WordPress. Features include:

* Adding / Displaying real estate listings
* Adding Team members / office agents
* Customizable real estate widgets
* Optional MLS ® Integration
* Mobile listing browsing and searching
* Search Engine Optimized design

**See ClickSold in Action**

* Responsive Design: [Eleven40 Theme](http://eleven40demo.clicksold.com/)
* Gorgeous IDX Search: [Associate Theme](http://associatedemo.clicksold.com/mls-search/)

**How Much?**

From FREE to $45/month.

**Work with REALTORS®?**

Sign up to become a ClickSold Affiliate and earn revenue from every Silver, Gold or Platinum ClickSold plugin you use.

* ClickSold Affiliate Program: [Click Here](http://www.clicksold.com/affiliate-program/)
* Our Existing Affiliates: [Click Here](http://www.clicksold.com/our-affiliates/)
