wp-plugin : webengage

Plugin Details
Plugin Name: wp-plugin : webengage
Affected Version : 2.0.0 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :


Vulnerable Parameter : height

Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=844373%40webengage&old=788585%40webengage&sfp_email=&sfph_mail=
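Added example, not part of this advisory and not the WebEngage plugin's own code: it shows the defensive pattern a reflected numeric parameter such as `height` needs, validating the value as a bounded integer before it reaches markup, beside the unsafe pattern of echoing the raw request value. The function names, the element id, the range limits and the sample requests are all constructed for illustration; comments note the WordPress equivalents (`absint()` for the cast, `esc_attr()` for the output). It runs with plain PHP and needs no WordPress install.

```php
<?php
// Constructed example: contrasting an unvalidated "height" request
// parameter with a validated one. A pixel height has no legitimate reason
// to contain anything but digits, so strict validation removes the sink
// instead of relying on escaping alone.

// Pattern to avoid: the raw request value is concatenated into markup
// unchanged, so every character the client sends becomes part of the page.
function render_unsafe(array $request): string
{
    $height = $request['height'] ?? '300';
    return '<div id="we-widget" style="height:' . $height . 'px"></div>';
}

// Hardened: accept only an integer inside a sensible range and fall back to
// a default otherwise. In WordPress the usual cast is absint(); the explicit
// range check here additionally rejects absurd values such as 999999.
function sanitize_height($raw, int $default = 300, int $min = 50, int $max = 2000): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Output is escaped as well (esc_attr() in WordPress), so the template stays
// safe even if the validation above is relaxed later.
function render_safe(array $request): string
{
    $height = sanitize_height($request['height'] ?? null);
    $attr = htmlspecialchars('height:' . $height . 'px', ENT_QUOTES, 'UTF-8');
    return '<div id="we-widget" style="' . $attr . '"></div>';
}

// Constructed sample requests: a valid value, a value containing a quote
// character (the kind of input that must never reach markup unchanged),
// an out-of-range value, and a request with the parameter missing.
$samples = [
    ['height' => '450'],
    ['height' => '450"x'],
    ['height' => '999999'],
    [],
];

foreach ($samples as $req) {
    echo render_safe($req), PHP_EOL;
}
```

Only the first sample survives validation; the other three render with the 300px default, and the quote character in the second sample never reaches the attribute. Detection-wise, the same rule gives a cheap WAF or log check: a `height` value that is not a short run of digits is by definition not a legitimate request for this parameter.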

Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-24
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4574
Plugin Description :
With WebEngage you can do the following:

1. **Get feedback from your customers**. We make it easy for them to report issues or suggest ideas. And we make it easier for you by offering a nice management console to reply back, keep track and analyze all your data.
2. **Collect customer insights by conducting in-site short surveys**. You can run product feedback surveys, customer satisfaction surveys, lead generation surveys etc. Analyze all the data using our powerful reporting and analytics modules.
3. **Drive conversion and push sales on your website using our in-site notifications**. You can use notifications to offer discount codes, push a feature update message to all your visitors or announce a downtime on your website. You can target these messages at specific audiences on your website to create an effective campaign. We offer powerful analytics for each of your notifications including statistics like clickthrough rates, country-wise distribution etc.

This is an official WebEngage plugin which lets you embed the Javascript integration code into your pages without editing templates. Install the plugin once. No need to change or write a single line of code to make it work. Ever!

Here's a quick 2 minute explainer video: https://www.youtube.com/watch?v=5poyDyvHApw

More on WebEngage here - [webengage.com](http://webengage.com/)

= Features =

* Places a customizable "Feedback" tab on your site - customize colors and placement.
* Receive unlimited feedback. Automatic screengrab of the page that a user submits the feedback on.
* Receive email notifications. Reply to feedback via email or from your WebEngage dashboard.
* Mark feedback threads as resolved, open or unread.
* Create short surveys for all or particular pages on your site.
* Target these surveys on multiple parameters - visitor geography, site referrals, cookies, first-time visitors etc.
* Collect responses for these surveys, view and download reports. See demographic distribution.
* Display push notifications on your website.
* Target these notification messages at certain audience segments on your website.
* Get detailed stats on the performance of these push notifications including data like clickthrough rate etc.
* Works in all browsers (including IE6!).
* Non-blocking, high-performance code.

Details and product screenshots:

Feedback - [webengage.com/feedback](http://webengage.com/feedback)
Survey - [webengage.com/survey](http://webengage.com/survey)
Notification - [webengage.com/notification](http://webengage.com/notification)

= Localization =

WebEngage is currently available in 31 languages - English, Arabic, Bulgarian, Chinese (Traditional), Czech, Danish, Dutch, Estonian, Finnish, French, Georgian, German, Greek, Hebrew, Hindi, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish and Vietnamese. If your language is missing, you can help us translate. There are just 30 odd phrases that need to be translated. [Let us know](http://webengage.com/contact) if you are interested.

= Demo =

Take an online demo to get an idea of how the feedback tab, survey windows and notification messages will look on your website - [demo.webengage.com](http://demo.webengage.com/)

= Free Plan And Paid Plans =

* We offer WebEngage as a free plan. You can use the free plan as long as you want without paying.
* We also offer different pricing plans with an assortment of features and capabilities. For further details please visit: [webengage.com/pricing](http://webengage.com/pricing)
* We offer a 14 day free trial period on all the paid plans.

= Go Premium =

* Get SSL support.
* Add more fields to your feedback form - dropdowns, checkboxes, files, radio buttons, textareas, input boxes etc.
* Remove "Powered by WebEngage" logos in the feedback, survey and notification windows. Change email templates.
* Increase your upper limit on the number of surveys you can create and responses that you can collect per survey.
* Increase your upper limit on the number of clickthroughs allowed per notification.
* Add your own style using a CSS editor.
* Enhanced targeting capabilities for your surveys and notifications.
* Add more account managers.
* Get multi-question surveys. With the free plan, we let you add a single question survey only.
* Run exit surveys by targeting visitors when they are about to leave your website.
* Measure your Net Promoter Score by running NPS surveys.

See plans and pricing - [webengage.com/pricing](http://webengage.com/pricing)

For personal websites and blogs, we have a FREE plan too. - [webengage.com/pricing-features](http://webengage.com/pricing-features#full)

= Support =

Email us on support {at} webengage dot com or [contact us](http://webengage.com/contact) for any kind of support. We assure you of a quick revert.