CVSS Summary
| Score | 6.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Last revised:
This plugin is vulnerable to a reflected cross-site scripting (XSS) attack. An attacker who can convince a logged-in administrator to open a crafted URL gets JavaScript running in that administrator's browser session, and can therefore do anything the administrator can do.
Current state: Fixed
Log in as an admin on a multisite installation and visit this URL in Firefox or Internet Explorer (replacing localhost:3000 with the appropriate domain name):
http://localhost:3000/wp-admin/?cmb_force_send=true&cmb_send_label=</script><img src=/ onerror=alert(String.fromCharCode(88,83,83));>
An alert should pop up saying "XSS" (String.fromCharCode(88,83,83) evaluates to "XSS"; the encoding keeps the string out of the URL itself). The `</script>` prefix in the cmb_send_label value is what breaks the reflected parameter out of the script context the page places it in, so the `<img>` tag that follows is parsed as real markup and its onerror handler fires.
Update to version 1.2.32 or later.
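The following is an added example written for this page; it is not the plugin's code and not part of the original advisory. It models the pattern the proof of concept above targets and the shape of the fix: a query parameter reflected inside an inline script string, first unescaped (the assumed vulnerable form, inferred from the `</script>` prefix in the payload, not confirmed by the page), then encoded as a JSON/JavaScript string literal with `</` additionally escaped so the HTML tokenizer can never see a closing script tag inside it (PHP's `json_encode` and WordPress's `wp_json_encode` escape `/` by default, which has the same effect). The names `render_vulnerable`, `render_fixed`, `js_string_literal` and `payload_breaks_out` are hypothetical, and the page markup is constructed for the example. The check runs the rendered HTML through a standards-style tokenizer and reports whether an element with an event-handler attribute appears that the template never emitted, which is exactly the breakout the PoC relies on.

```python
"""Model of the reflected-XSS breakout in the PoC above, plus a check for it.

Constructed example: the templates below are stand-ins for the admin page,
not the plugin's real code.
"""
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The PoC URL from the advisory, used as constructed input.
POC_URL = (
    "http://localhost:3000/wp-admin/?cmb_force_send=true"
    "&cmb_send_label=</script><img src=/ onerror=alert(String.fromCharCode(88,83,83));>"
)


def label_from_url(url: str) -> str:
    """Extract the cmb_send_label query parameter the way a server would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("cmb_send_label", [""])[0]


def render_vulnerable(label: str) -> str:
    """Hypothetical vulnerable template: raw parameter dropped into a script string.

    A value containing </script> terminates the script element early and
    everything after it is parsed as ordinary HTML.
    """
    return (
        '<html><body><script>var cmbSendLabel = "' + label + '";</script>'
        "<p>Send</p></body></html>"
    )


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that is safe inside <script>.

    json.dumps quotes and backslash-escapes the value (so a " cannot end the
    literal); escaping "</" as "<\\/" keeps the HTML tokenizer from ever seeing
    a closing </script> tag. PHP's json_encode escapes "/" by default and so
    achieves the same thing.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_fixed(label: str) -> str:
    """Hypothetical fixed template: parameter emitted via js_string_literal."""
    return (
        "<html><body><script>var cmbSendLabel = " + js_string_literal(label) + ";</script>"
        "<p>Send</p></body></html>"
    )


class _HandlerAttributeDetector(HTMLParser):
    """Records every start tag carrying an on* (event handler) attribute.

    HTMLParser treats <script> content as raw text until a matching </script>,
    so a tag that only exists inside a properly escaped script string is never
    reported; a tag that escaped the script context is.
    """

    def __init__(self) -> None:
        super().__init__()
        self.injected = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.injected.append((tag, dict(attrs)))
                break


def payload_breaks_out(html: str) -> bool:
    """True if the rendered page contains an element with an event handler.

    The templates above never emit one, so any such element came from the
    reflected parameter escaping its script-string context.
    """
    detector = _HandlerAttributeDetector()
    detector.feed(html)
    detector.close()
    return bool(detector.injected)


if __name__ == "__main__":
    label = label_from_url(POC_URL)
    print("vulnerable template breaks out:", payload_breaks_out(render_vulnerable(label)))
    print("fixed template breaks out:     ", payload_breaks_out(render_fixed(label)))
```

Running the block prints `True` for the vulnerable rendering and `False` for the fixed one. The same detector can be pointed at a real response body captured after visiting the PoC URL: if it reports an injected element, the installed version is still affected; note that a browser-side XSS filter (which is why the PoC names Firefox and Internet Explorer) changes what the browser executes, not what the server returns.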