wp-plugin : wp-microblogs – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : wp-microblogs
Affected Version : 0.4.0 (and most probably lower versions, if any)
Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava



Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

http://localhost/wp-content/plugins/wp-microblogs/get.php?oauth_verifier=// &oauth_token=oauth_token

Vulnerable Parameter: oauth_verifier
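The advisory above reports that get.php reflects the unsanitized oauth_verifier query value into the page without authentication. The PHP below is an added illustration of that vulnerability class and of its fix; it is not code from the wp-microblogs plugin. The function names, the rendered HTML fragment, the verifier allow-list and the sample inputs are all constructed for the example, and plain htmlspecialchars() stands in for WordPress's esc_html()/esc_attr() so that the file runs stand-alone.

```php
<?php
// Added illustration (not the wp-microblogs plugin's code): the reflected
// XSS pattern described in the advisory, beside a hardened version.
// Assumption: the callback handler builds an HTML page that echoes the
// oauth_verifier query parameter. Function names are hypothetical.

// Vulnerable pattern: the parameter is concatenated straight into HTML,
// so any markup supplied in the query string becomes part of the page.
function render_callback_vulnerable(array $query): string
{
    $verifier = $query['oauth_verifier'] ?? '';
    return '<p>Verifier received: ' . $verifier . '</p>';
}

// Hardened pattern: validate the expected shape first, then escape for the
// HTML context the value lands in. OAuth verifiers are opaque tokens, so a
// tight allow-list (length and character set are assumptions for this
// example) rejects markup before it can ever be echoed. The escaping step
// is kept as defence in depth; inside WordPress use esc_html()/esc_attr().
function render_callback_hardened(array $query): string
{
    $verifier = $query['oauth_verifier'] ?? '';
    if (!preg_match('/^[A-Za-z0-9._~-]{1,128}$/', $verifier)) {
        // Reject rather than reflect: the bad value is not written back.
        return '<p>Invalid oauth_verifier.</p>';
    }
    return '<p>Verifier received: '
        . htmlspecialchars($verifier, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed sample inputs (not taken from the advisory's PoC).
$samples = [
    'legit'  => ['oauth_verifier' => 'abc123',            'oauth_token' => 'tok'],
    'markup' => ['oauth_verifier' => '"><b>injected</b>', 'oauth_token' => 'tok'],
    'poc'    => ['oauth_verifier' => '// ',               'oauth_token' => 'oauth_token'],
];

foreach ($samples as $label => $query) {
    echo "[$label] vulnerable: " . render_callback_vulnerable($query) . PHP_EOL;
    echo "[$label] hardened : " . render_callback_hardened($query) . PHP_EOL;
}
```

Run it with `php example.php`: for the `markup` input the vulnerable function returns the injected tag intact as page content, while the hardened one returns the rejection message, and the `poc` input (the advisory's `// ` value) is likewise rejected because `/` and space are outside the allow-list. Since the advisory lists the plugin status as Closed, sites still carrying version 0.4.0 should remove the plugin rather than wait for a fix; the hardened pattern applies to any OAuth callback handler that echoes its request parameters.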


Disclosure Timeline

Vendor Contacted : 2014-01-17
Plugin Status : Closed
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4590

Plugin Description :
WP Microblogs displays the latest microblog posts in WordPress, with support for Twitter, Sina Weibo, Tencent Weibo, Fanfou and other microblogs.

**Chinese version ONLY temporarily**.

WP Microblogs can display the latest microblog posts in WordPress. It currently supports Sina Weibo, Tencent Weibo, Twitter, NetEase Weibo, Sohu Weibo, Fanfou and Douban, and every available authentication method except XAuth. For more open microblogs (such as Twitter and Fanfou), entering a username is enough to display posts.


*   Provides a widget that directly displays the latest microblog posts;
*   Intelligently filters duplicate posts and turns URLs mentioned in posts into links;
*   Use `wm_tweet()` and `wm_tweets()` (functions) or `[wm_tweet]` and `[wm_tweets]` (shortcodes) to display the latest post or several posts at a chosen location;
*   Use `wm_get_tweet_arr()` or `wm_get_tweets_arr()` to obtain the raw microblog data;
*   A fairly complete caching mechanism that reduces resource usage;
*   Provides several filters and actions for customizing how posts are displayed.

Please visit the [plugin homepage](http://beamnote.com/2011/wp-microblogs.html "WP Microblogs plugin homepage") for more information.
