WordPress MDC Private Message Persistent XSS

vendor:

MDC Private Message

by:

Chris Kellum

7,5

CVSS

HIGH

Persistent XSS

CWE

Product Name: MDC Private Message

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: YES

Related CWE: N/A

CPE: 2.3:a:wordpress:mdc_private_message:1.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

WordPress MDC Private Message Persistent XSS

The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.) to execute an XSS attack against an Administrator. Place <script>alert('Hello!')</script> in the message field of a private message and then submit. Open the message and the alert window will fire.

Mitigation:

Upgrade to version 1.0.1 or later

Source

Exploit-DB raw data:

# Exploit Title: WordPress MDC Private Message Persistent XSS
# Date: 8/20/15
# Exploit Author: Chris Kellum
# Vendor Homepage: http://medhabi.com/
# https://wordpress.org/plugins/mdc-private-message/
# Version: 1.0.0



=====================
Vulnerability Details
=====================

The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.)
to execute an XSS attack against an Administrator.

Proof of Concept: 

Place <script>alert('Hello!')</script> in the message field of a private message and then submit.

Open the message and the alert window will fire.

===================
Disclosure Timeline
===================

8/16/15 - Vendor notified.
8/19/15 - Version 1.0.1 released.
8/20/15 - Public Disclosure.