[Vulnerability] WordPress Plugin 'List Draft Posts' - Stored XSS

DamnSecure.org used this plugin and noticed this vulnerability. It occurs because the 'Title' of a post is printed directly into the widget without being escaped or otherwise processed.

# Exploit Title: WordPress plugin 'List Draft Posts' - Stored XSS
# Date: [2011/10/21]
# Author: [Ruben]
# Software Link: http://wordpress.org/extend/plugins/list-draft-posts/
# Version: Tested and verified on version 3.0.1; my guess is that all versions are affected, but I cannot verify this.
# Developer notified?: No (plugin is no longer under development)
# Google-Dork: intext:listdrafts-widget-3

Stored XSS is possible by creating a new post using the 'Title' as the injection field.
Exploitation can only occur when an already existing user is allowed to write posts.
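
The pattern described above, next to its hardened form, as an added example that is not part of the original post and is not the plugin's source. It is plain PHP so that it runs outside WordPress; the function names and the sample drafts are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical widget code, not taken from the plugin.
// Constructed sample drafts; the second title contains markup typed by an author.
$drafts = [
    ['id' => 11, 'title' => 'Release notes & roadmap'],
    ['id' => 12, 'title' => 'Draft <script>alert(1)</script>'],
];

// Vulnerable pattern from the advisory: the stored title is echoed as-is,
// so any markup in it becomes part of the page that shows the widget.
function render_drafts_unsafe(array $drafts): string
{
    $html = "<ul>\n";
    foreach ($drafts as $d) {
        $html .= '  <li>' . $d['title'] . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened form: encode for the HTML text context at output time.
// Inside WordPress, esc_html() does this job.
function render_drafts_safe(array $drafts): string
{
    $html = "<ul>\n";
    foreach ($drafts as $d) {
        $title = htmlspecialchars($d['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '  <li id="draft-' . (int) $d['id'] . '">' . $title . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Regression check a maintainer can keep: no raw tag may survive rendering.
function contains_raw_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

echo render_drafts_safe($drafts);
var_dump(contains_raw_tag(render_drafts_unsafe($drafts), 'script'));
var_dump(contains_raw_tag(render_drafts_safe($drafts), 'script'));
```

Encoding belongs at the point of output, because the title is stored once but may be printed in several contexts.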

For more information, check out http://blog.damnsecure.org/?tag=xss

FYI: Plugin is not being used by DamnSecure.org anymore ;)

Ruben.
