Reflected XSS in Fourteen Extended allows arbitrary javascript to be run in administrator session


Last revised:

This plugin is vulnerable to a reflected XSS attack. An attacker able to convince a logged in admin to visit a particular URL will be able to do anything an admin can do.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Log in as an admin on a multisite installation, visit this URLĀ in firefox or internet explorer (replacing localhost with the appropriate domain name):

http://localhost:3000/wp-admin/?cmb_force_send=true&cmb_send_label=</script><img src=/ onerror=alert(String.fromCharCode(88,83,83));>

An alert should pop up saying “XSS”.

Advisory timeline

  • 2014-07-01: Discovered
  • 2014-07-07: Reported to; unable to find author contact information. passed the report on.
  • 2014-07-30: No response from author to us. Published.
  • 2015 -03-23: Author contacted us and informed us of the fixed version

Mitigation/further actions

Update to versionĀ 1.2.32 or later