## FULL DISCLOSURE #Product : Soundy Background Music #Exploit Author : Rahul Pratap Singh #Version : 3.1 #Home page Link : https://wordpress.org/plugins/soundy-background-music/ #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 12/3/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- "war_soundy_audio_volume" parameter is not sanitized that leads to Reflected XSS. ---------------------------------------- Vulnerable Code: ---------------------------------------- soundy.php 1462-1473 if( $audio_volume_def == 'default' ) { $audio_volume = 'default'; } else { $audio_volume = $_POST[ 'war_soundy_audio_volume' ]; } update_post_meta( $post_id, 'war_soundy_audio_volume', $audio_volume ); ---------------------------------------- POC: ---------------------------------------- https://0x62626262.files.wordpress.com/2016/03/soundy_background_music_xss.png Fix: Update to 3.2 Vulnerability Disclosure Timeline: → March 3, 2016 – Bug discovered, initial report to WordPress → March 7, 2016 – No response, Report sent again. → March 8, 2016 – WordPress response, plugin taken down → March 10, 2016 – Vendor deployed a patch ####################################### #CTG SECURITY SOLUTIONS # #www.ctgsecuritysolutions.com # ####################################### Pub Ref: https://wordpress.org/plugins/soundy-background-music/changelog/
Attachment:
0x9ACF7D5F.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
