CVSS Summary
| Score | 5.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Advisory:
Reflected XSS in GD bbPress Attachments allows an attacker to do almost anything an admin can
Vulnerability
Last revised:
This plugin outputs the value of $_GET[‘tab’] without escaping (see forms/panels.php lines 3 and 39). An attacker could easily construct an URL which performs virtually any action an admin is able to perform, including creating/deleting users/posts, injecting malicious HTML into user-facing pages, or editing PHP files (if that feature hasn’t been disabled).
Current state: Reported
Proof of concept
Visit the following URL in a browser with no reflected XSS protection (i.e. Firefox or older versions of IE):
http://localhost/wp-admin/edit.php?post_type=forum&page=gdbbpress_attachments&tab=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Advisory timeline
- 2015-02-25: Discovered
- 2015-07-01: Reported to vendor via email form on https://www.dev4press.com/contact/
- 2015-07-01: Requested CVE
- 2015-07-01: Vendor responded
- 2015-07-04: Vendor confirmed fixed
- 2015-07-08: Published
Mitigation/further actions
Upgrade to version 2.3 or later