Vendor: FuneralPress
By: Rob Armstrong
CVSS: 3,3 (LOW)
Type: Stored XSS
CWE: 79
Product Name: FuneralPress
Affected Version From: 1.1.6
Affected Version To: 1.1.6
Patch Exists: YES
Related CWE: N/A
CPE: a:wpfuneralpress:funeralpress
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2013
WP FuneralPress – stored XSS in guestbook
A low-privilege or guest user can inject script via the <textarea name="photo-message">, <textarea name="youtube-message"> and <textarea name="message"> elements of the wpfh_upload_form form at http://site/obituaries/?id=[ID]&f=guestbook&m=add. Scripts injected via the "photo-message" and "youtube-message" fields are executed in the browser of the admin user when they browse to the guestbook admin page at http://site/wp-admin/admin.php?page=wpfh-guestbook. If the admin approves a malicious post, the script also runs for anyone viewing the public guestbook.
Mitigation:
Ensure that all user input, including the three guestbook message fields above, is sanitized and validated on input and escaped for its HTML context on output, both in the admin guestbook page and in the public guestbook. A patch exists, so installations running version 1.1.6 should be updated.
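As an added, hypothetical illustration (not FuneralPress's own code), the snippet below renders a stored guestbook entry first without escaping, which is the pattern that lets a saved script tag run in the admin's browser, and then with output escaping and input sanitization using WordPress's real esc_html(), wp_kses() and sanitize_textarea_field(). The function names and the $entry/$post array layout are assumptions; the field names are the ones from the advisory.

```php
<?php
// Hypothetical guestbook rendering helpers; not code from the FuneralPress plugin.
// $entry holds the three advisory fields as read back from the database.

// Vulnerable pattern: stored text is echoed into the admin page unescaped,
// so any markup saved in "photo-message" is parsed and executed by the browser.
function render_entry_unsafe( array $entry ) {
    return '<div class="entry">'
        . '<p>' . $entry['message'] . '</p>'
        . '<p>' . $entry['photo-message'] . '</p>'
        . '<p>' . $entry['youtube-message'] . '</p>'
        . '</div>';
}

// Hardened pattern: escape at output. esc_html() turns <, >, &, " and ' into
// entities, so the stored text is displayed literally instead of as markup.
function render_entry_safe( array $entry ) {
    return '<div class="entry">'
        . '<p>' . esc_html( $entry['message'] ) . '</p>'
        . '<p>' . esc_html( $entry['photo-message'] ) . '</p>'
        . '<p>' . esc_html( $entry['youtube-message'] ) . '</p>'
        . '</div>';
}

// If the guestbook must allow limited formatting, whitelist tags with wp_kses()
// rather than echoing raw HTML; anything outside the list is stripped.
function render_message_with_formatting( $message ) {
    $allowed = array( 'b' => array(), 'i' => array(), 'br' => array() );
    return '<p>' . wp_kses( $message, $allowed ) . '</p>';
}

// Input side (the handler behind wpfh_upload_form): sanitize before storing.
// sanitize_textarea_field() strips tags and control characters but keeps newlines.
function sanitize_guestbook_fields( array $post ) {
    return array(
        'message'         => sanitize_textarea_field( $post['message'] ?? '' ),
        'photo-message'   => sanitize_textarea_field( $post['photo-message'] ?? '' ),
        'youtube-message' => sanitize_textarea_field( $post['youtube-message'] ?? '' ),
    );
}
```

Output escaping is the control that actually closes the XSS; input sanitization is defence in depth, since data can reach the table through other paths.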