# Exploit Title: WordPress RSVPMaker v2.5.4 Persistent XSS
# Date: 8/12/12
# Exploit Author: Chris Kellum
# Vendor Homepage: http://rsvpmaker.com/
# Software Link: http://downloads.wordpress.org/plugin/rsvpmaker.zip
# Version: 2.5.4

Vulnerability Details

The RSVP form does not properly sanitize its input fields, allowing stored (persistent) XSS.

The plugin appears to escape apostrophes and double quotes, but this can easily be circumvented, since other HTML-significant characters are left untouched.

The XSS fires when an administrator views the event's attendance list in the RSVP report section.
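The following is an added example, not code from RSVPMaker or its author. It illustrates the mitigation side of the finding above: an escaping routine that only handles apostrophes and quotes (modelled on the behaviour the advisory describes, not copied from the plugin) is compared with full HTML output encoding applied when the attendance list is rendered. The stored attendee name, the function names and the table row markup are all constructed for this example.

```php
<?php
// Added example (not RSVPMaker's code): escaping only quotes is not enough to
// prevent stored XSS when attendee data is rendered into an HTML report page.

// Weak handling, modelled on the advisory's description: apostrophes and
// double quotes are escaped, but '<', '>' and '&' pass through untouched, so
// any stored markup is interpreted by the admin's browser.
function weak_escape(string $value): string
{
    return str_replace(["'", '"'], ['&#39;', '&quot;'], $value);
}

// Hardened handling: encode every HTML-significant character at output time.
// In a WordPress plugin, esc_html() does the equivalent; plain PHP is used
// here so the script runs without WordPress.
function safe_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row of a (hypothetical) attendance report using the given escaper.
function render_attendance_row(string $name, callable $escape): string
{
    return '<tr><td>' . $escape($name) . '</td></tr>';
}

// Returns true if the rendered HTML still contains a raw tag from the input,
// i.e. the escaper failed to neutralise markup. Useful as a unit-test check.
function leaks_markup(string $rendered, string $tag): bool
{
    return strpos($rendered, $tag) !== false;
}

// Constructed attendee name as an RSVP form might store it: a harmless markup
// fragment stands in for an actual payload, plus both quote characters.
$stored_name = 'Alice <b>Smith</b> "O\'Neil"';

$weak = render_attendance_row($stored_name, 'weak_escape');
$safe = render_attendance_row($stored_name, 'safe_escape');

echo 'Weak: ', $weak, PHP_EOL;
// Weak: <tr><td>Alice <b>Smith</b> &quot;O&#39;Neil&quot;</td></tr>
echo 'Safe: ', $safe, PHP_EOL;
// Safe: <tr><td>Alice &lt;b&gt;Smith&lt;/b&gt; &quot;O&#39;Neil&quot;</td></tr>

echo 'Weak escaper leaks markup: ', var_export(leaks_markup($weak, '<b>'), true), PHP_EOL; // true
echo 'Safe escaper leaks markup: ', var_export(leaks_markup($safe, '<b>'), true), PHP_EOL; // false
```

The design point is that escaping belongs at the output boundary and must cover the full HTML-significant set (`&`, `<`, `>`, `"`, `'`), regardless of what was filtered on input; a quick code review check for a plugin like this is to search its report templates for `echo` or `print` of stored fields that are not wrapped in `esc_html()` or `esc_attr()`.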

Disclosure Timeline

8/4/12 - Vulnerability discovered.
8/4/12 - Vendor notified.
8/10/12 - Version 2.5.5 released.
8/12/12 - Public disclosure.