wp-plugin : wp-picasa-image – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : wp-picasa-image


Affected Version : 1.0 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameter : post_id


Disclosure Timeline


Vendor Contacted : 2014-01-17

Plugin Status : Closed
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4591

Plugin Description :
You just need to copy the address of the pictures from a Picasa album, then this plugin will help you modify the address to show in your posts. If the address of the picture is not from Picasa, it won't do anything.
The plugin has been embedded into the backstage editor, so you don't need to modify the theme files.

If you find any problem, please let me know.
