wp-plugin : fancy-cats – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : fancy-cats


Affected Version : 1.1 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS) (OWASP Top 10 2013 category A3)
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameters : catSlug, showAllText


Type of XSS : Reflected
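The advisory gives the parameter names and the fact that the reflection is reachable without authentication, but not the plugin's source. The following PHP is an added illustration written for this page, not the fancy-cats code: it models a handler that echoes catSlug and showAllText straight back into the widget markup (the vulnerable form) next to a version that allow-lists the slug and escapes each value for the HTML context it lands in. The function names, the markup, the slug allow-list and the sample request are all assumptions; in a real WordPress plugin the escaping would be done with esc_attr()/esc_html() and the slug cleaned with sanitize_title(), and the nopriv AJAX hook would be what makes the endpoint unauthenticated.

```php
<?php
// Added illustration, not code from the fancy-cats plugin. It models the
// reflected XSS the advisory describes: request parameters catSlug and
// showAllText written into the response without escaping. Handler names,
// markup and the sample request are hypothetical.

// Vulnerable form: both parameters go into the HTML exactly as received.
// catSlug lands inside an attribute value, showAllText inside element text,
// so each gives a different injection context.
function render_widget_vulnerable(array $params): string
{
    $slug    = $params['catSlug']     ?? '';
    $showAll = $params['showAllText'] ?? 'Show all';
    return '<div class="fancy-cats" data-cat="' . $slug . '">'
         . '<a href="#" class="show-all">' . $showAll . '</a>'
         . '</div>';
}

// Hardened form: reject a slug that is not slug-shaped rather than trying to
// clean it, then escape every value for its output context. Plain PHP
// functions are used so the file runs stand-alone; in WordPress the
// equivalents are sanitize_title(), esc_attr() and esc_html().
function render_widget_safe(array $params): string
{
    $slug = $params['catSlug'] ?? '';
    // Hypothetical allow-list: lowercase letters, digits and hyphens only.
    if (!preg_match('/^[a-z0-9-]{1,200}$/', $slug)) {
        $slug = '';
    }
    $showAll = $params['showAllText'] ?? 'Show all';

    // ENT_QUOTES encodes both quote styles, which is what closes the
    // attribute-breakout shown in the sample request below.
    $attr = htmlspecialchars($slug,    ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($showAll, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<div class="fancy-cats" data-cat="' . $attr . '">'
         . '<a href="#" class="show-all">' . $text . '</a>'
         . '</div>';
}

// Constructed request, shaped as an attacker-controlled URL would supply it:
// one payload breaks out of the attribute, the other injects into text.
$request = [
    'catSlug'     => 'news" onmouseover="alert(1)',
    'showAllText' => '<script>alert(document.cookie)</script>',
];

echo "vulnerable: " . render_widget_vulnerable($request) . "\n";
echo "hardened:   " . render_widget_safe($request) . "\n";
```

Run with `php` on the command line: the first line of output contains a live `onmouseover` handler and a `<script>` element, the second contains an empty `data-cat` attribute and the script tag rendered as `&lt;script&gt;...` text. The point to carry over to the real plugin is that the two parameters need context-specific escaping (attribute versus element text), and that an unauthenticated AJAX endpoint gets no protection from the admin login, so input handling is the only control.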


Disclosure Timeline


Vendor Contacted : 2014-01-04

Plugin Status : Closed
Public Disclosure : 2014-07-07
CVE Number : Not assigned yet

Plugin Description :
This is an extended categories widget.

When the user clicks on a category from the widget, rather than loading a page with all of the posts in that category, a space will expand within the widget, showing the titles of all posts in that category.

There are several configurable settings, so that the widget will fit in with the look and feel of your blog. You can set:

* A limit on the height of the expanded area, so that a scroll bar will show if you have lots of posts in a category
* The indentation of the post items
* The title text, the instructional text, and the 'show all' text

The expanding/collapsing of category post lists is done via AJAX, so the entire page doesn't have to continuously reload to perform the operation.

If there is an extra feature you would like added, or something that you don't like and want to be able to change yourself, contact me and I will see about adding it in the next version.
