wp-plugin : garagesale – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : garagesale


Affected Version : 1.2.2 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :




Disclosure Timeline


Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-11
Public Disclosure : April 25, 2014
CVE Number : CVE-2014-4532

Plugin Description :
This plugin is a lightweight solution to put a kind of garage sale on your wordpress page.

Users can put their stuff with a picture, description, price and contact on a wordpress site.
The users are wordpress users with access right Subscriber (so every registered user can use the garage sale).

Put the string "[GarageSaleList]" on any page or article post where you want to display the list of sale items.

This plugin creates its own subfolder within the upload folder for the pictures.

Look at http://www.eibler.at/garagesale/ for a detailed description of usage and installation.
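The advisory does not show where in the plugin the XSS occurs, only that the output of the `[GarageSaleList]` shortcode is built from user-submitted item fields (title, description, price, contact, picture). The block below is an added illustration and is not the garagesale plugin's own code: it shows the WordPress output-escaping pattern that such a shortcode handler should follow, escaping each value for the context it lands in (HTML text, attribute, URL). The function names `gs_example_get_items` and `gs_example_render_list`, the item array layout and the sample item are assumptions constructed for this example.

```php
<?php
// Added example, not the garagesale plugin's code. All names and the item
// layout below are assumptions; the advisory page does not show the plugin's
// storage format or its actual rendering code.

// Hypothetical stand-in for the plugin's item storage. Every field here is
// user-controlled (the plugin lets any Subscriber create a listing), so it
// must be treated as untrusted when rendered.
function gs_example_get_items() {
    return array(
        array(
            // Constructed hostile input to show that escaping neutralises it.
            'title'       => 'Old bike <script>alert(1)</script>',
            'description' => 'Works "fine", some wear',
            'price'       => '40',
            'contact'     => 'seller@example.com',
            'picture'     => 'https://example.com/wp-content/uploads/garagesale/bike.jpg',
        ),
    );
}

// Hypothetical callback for the [GarageSaleList] shortcode.
// A shortcode callback must return its markup, not echo it.
function gs_example_render_list( $atts = array() ) {
    $out = '<ul class="garagesale">';
    foreach ( gs_example_get_items() as $item ) {
        $out .= '<li>'
            // URL context: esc_url() rejects non-http(s) schemes such as javascript:.
            . '<img src="' . esc_url( $item['picture'] ) . '"'
            // Attribute context: esc_attr() encodes quotes so the attribute cannot be broken out of.
            . ' alt="' . esc_attr( $item['title'] ) . '" />'
            // HTML text context: esc_html() encodes <, >, &, " and ' so the title renders as text.
            . '<strong>' . esc_html( $item['title'] ) . '</strong> '
            . esc_html( $item['price'] ) . ' - '
            . esc_html( $item['description'] ) . ' ('
            . esc_html( $item['contact'] ) . ')'
            . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'GarageSaleList', 'gs_example_render_list' );
```

With the constructed item above, the `<script>` tag in the title is rendered as literal text (`&lt;script&gt;...`) rather than executed. The same rule applies to any request parameter the plugin might reflect into a page (paging, sorting, search terms): escape at output time with the function matching the context, regardless of whether the value was also sanitised on input.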
