wp-plugin : malware-finder – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : malware-finder


Affected Version : 1.1 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :




Vulnerable Parameter : query


Disclosure Timeline


Vendor Contacted : 2014-01-21

Plugin Status : Closed
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4538

Plugin Description :
Malware is a huge challenge in managing a WordPress blog, not to mention that it can take hours to find where malicious code is hiding. But most likely you have access to at least one file (i.e. your homepage) that has been infected with malicious code. Just paste a small piece of that code below and the plugin will search through your entire WordPress installation, providing the EXACT locations of the infected files! Please note that you WILL NOT be able to use this plugin if you are UNABLE to access your WordPress Dashboard.
