wp-plugin : flog

Plugin Details
Plugin Name: wp-plugin : flog
Affected Version : 1.0beta3 (and most probably lower versions, if any)
Vulnerability : SSRF
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :

Disclosure Timeline
Vendor Contacted : 2013-12-17
Plugin Status : Updated on
Public Disclosure : May 28, 2014
CVE Number :
Plugin Description :
**Provide your visitors a Flash equivalent of your website / Convert your WordPress blog into a Flash application.**

> Turn any WordPress blog into a full Flash site, keep an HTML version, take advantage of [Silex to customize the provided Flash templates](http://silex-ria.org/)

The original WordPress site remains visible to those who do not have the Flash plugin or wish to see the HTML version. For mobile phones, another WordPress theme is displayed automatically (iPhone, Windows Mobile). Finally, for optimal SEO, search engines will see an optimized HTML version of the site. Since the Flash version has deep linking, the permalinks are valid, they are shared by the HTML and the Flash versions. The selection of the Flash theme is made in the WordPress settings page, and the themes are editable with [Silex WYSIWYG](http://silex-ria.org/), without programming skills and **without Flash license**.

* **search engines** or **portable phones** will see the appropriate HTML theme
* keeps the **posts and comments** unchanged. Keeps comments related functionalities.
* keeps **the structure of your blog**: posts, categories, tags, pages, archives, start page...
* use both WP URL rewrite and **deep linking**
* choose one of the **provided Flash templates** - **all free and open source** from the admin panel
* create your own dynamic Flash templates with *Silex WYSIWYG*
* compatible with **WordPress Mu**

Look at [the screenshots of the prototypes](http://wordpress.org/extend/plugins/flog/screenshots/ "screenshots")

__Latest stable version: v1.0beta2 - Work is in progress__

**Links**

* [Demo, Work in progress can be seen here](http://projects.silexlabs.com/wpplugintest/ "Work in progress can be seen here")
* [source code](http://plugins.svn.wordpress.org/flog/trunk/ "source code")
* [flog for WordPress download](http://wordpress.org/extend/plugins/flog/ "flog for WordPress download")
* [flog project page (several CMS, galleries, etc)](http://flog.sourceforge.net/ "flog project page (all CMS)")

**compatibility with other plugins**

* MobilePress: YES
* private blog: NO

**compatibility with WordPress versions**

* 2.8.1
* 2.8.4

**Description**

flog is SEO friendly and makes use of [Silex the #1 opensource Flash CMS](http://silex-ria.org/ "Silex project website"), to build dynamic Flash templates without the Flash IDE. These templates can display your blog data, the posts, pages and comments. And you will be able to modify the appearance in [Silex WYSIWYG](http://www.youtube.com/watch?v=rzFqfuiLQ4k&hl=fr "Silex WYSIWYG video demo").

[Sha](http://silex-ria.org/sha "Sha cv") has already done [a website with Silex driven by WordPress](http://flashcms.fr/ "flashcms, a Silex-WP site (in French)"). And [here is a video of another test I did](http://www.screentoaster.com/watch/stUkxdQ0VLR15cR19dU1le "Silex Wordpress video"). These prototypes are not SEO friendly and a classical WordPress blog could not be converted easily. Now I want flog to let Silex themes be Flash equivalents of WordPress themes.