Stored XSS vulnerability in BP Group Documents 1.2.1

Vulnerability

Last revised: February 18, 2014

“Display name” and “Description” fields are not escaped, meaning any tags including script tags can be stored in them.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	8 High
Vector	Network
Complexity	Low
Authentication	Single
Confidentiality	Partial
Integrity	Partial
Availability	Complete

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Go to the upload form, select a document to upload, set the “Display name” to “photograph of a cute puppy<script>alert(‘xss’)</script>” and set the “Description” to “this is an innocuous description<script>alert(‘xss again’)</script>”.

Advisory timeline

2013-09-26: Discovered
2013-09-30: Reported to plugins@wordpress.org
2013-10-04: Fix released (1.2.2)

Mitigation/further actions

Update to version 1.2.2.

dxw advisories

Advisory: