User Submitted Posts [Persistent XSS]

User Submitted Posts plugin for WordPress suffers from a XSS vulnerability

Description

User Submitted Posts plugin for WordPress suffers from a XSS vulnerability. The user-submitted-content field of the new post submission form is not properly sanitized, thus allowing users to include JS code to submitted post content.

Normally only users with unfiltered_html capability are allowed to include JS code to post content. By default Administrators or Super Administrators have this capability, so this is considered as Persistent XSS vulnerability.

Vulnerable code is in user-submitted-posts/trunk/user-submitted-posts.php file:

if (isset($_POST['user-submitted-content']))  $content  = stripslashes($_POST['user-submitted-content']);

PoC

  1. Submit the form inserting JS code to post content
  2. View the newly created post
  3. JS code is executed

Solution

Upgrade to v20160215


WordPress Plugins Persistent XSS
INFO
TIMELINE
  • 2016-02-10:
    Vendor notified via contact form at his website
  • 2016-02-10:
    Vendor responded and received details about the issue
  • 2016-02-14:
    Vendor released version 20160215