Back to all zero days
XSS Vulnerability in Blubrry PowerPress
4th Sep, 2015
A Cross-Site Scripting (XSS) vulnerability was identified on the WordPress plugin NextGen Gallery before 6.0.4.
Proof of concept: (POC)
Visit the following page on a site with this plugin
http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=powerpress/powerpressadmin_basic.php and modify the value of tab variable with "></script><script>alert(document.cookie);</script> payload and send the request to the server. Now, the added XSS payload is echoed back from the server without validating the input. It also affects the wp-config.php file, $table_prefix, and corrupts the database connectivity.
Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.
define( 'DISALLOW_UNFILTERED_HTML', true );
Issue 1: The Post Request tab variable in the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php is vulnerable to Cross-Site Scripting (XSS).
Figure 01: Invalid HTTP script Request sent to the server through the vulnerable tab variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php and its echoed back in the HTTP Response without validation.
An XSS vulnerability allows an attacker to inject malicious code into the applications via the images  [alttext] parameter.
Download the latest updated version of Blubrry PowerPress Podcasting and apply the patch as per vendor advisory.
Sep 04, 2015: Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.
Sep 04, 2015: Reported to WordPress.
Sep 07, 2015: The vendor acknowledged the issue.
Sep 09, 2015: Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.
Cyber Security Works Pvt. Ltd.
- Affected VendorBlubrry PowerPress
- Bug NameCross-Site-Scripting (XSS)
- CVE NumberCVE-2015-9410
- CWE IDCWE - 79
- CSW ID2015-CSW-09-1006
- CVSSv3 Score5.4
- Affected Version6.0.4
- Affected ProductBlubrry PowerPress Podcasting