Oct 14

Release Date

14 October 2013

Vendor

Sam Brishes – http://www.pytes.net/

Affected Product

Dexs PM System WordPress Plugin Version 1.0.1

Vulnerability Class

Persistent Cross-Site Scripting

Vulnerability Details

The Dexs PM System suffers from a persistent Cross-Site Scripting vulnerability when sending a message to another user.

Proof of Concept

The following text can be entered into the subject field when sending a message to another user.

<script>alert('xss');</script>

When the receiving user opens the message, a JavaScript alert dialog box will appear containing the text ‘xss’.

Impact

If exploited, an attacker could then conduct request forgery attacks against the WordPress installation. Depending on the role of the victim user, this could allow for a compromise of the WordPress CMS installation itself.
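
One way to close this class of bug, shown as an added example that is not the plugin's code: escape the subject when the message is rendered, strip markup before it is stored, and audit subjects already in the database. The function names and sample rows are hypothetical; `esc_html()` and `sanitize_text_field()` are WordPress core functions, with simplified stand-ins defined here so the file runs under plain PHP.

```php
<?php
// Added illustration; function names and the sample rows are hypothetical.

// Simplified stand-ins so this runs outside WordPress (assumption: inside
// WordPress the core functions of the same name are used instead).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        return trim(strip_tags((string) $text));
    }
}

// Vulnerable pattern: the stored subject is written into the page as-is.
function render_subject_unsafe(array $msg) {
    return '<h3>' . $msg['subject'] . '</h3>';
}

// Hardened pattern: escape at output, regardless of what was stored.
function render_subject_safe(array $msg) {
    return '<h3>' . esc_html($msg['subject']) . '</h3>';
}

// Defense in depth: strip markup before the subject is saved.
function prepare_subject_for_storage($raw) {
    return sanitize_text_field($raw);
}

// Audit helper: flag already-stored subjects that contain markup.
function subject_contains_markup($subject) {
    return $subject !== strip_tags($subject);
}

// Constructed sample rows; the second subject is the proof of concept above.
$messages = [
    ['id' => 1, 'subject' => 'Lunch on Friday?'],
    ['id' => 2, 'subject' => "<script>alert('xss');</script>"],
];

foreach ($messages as $msg) {
    printf("id %d flagged: %s\n", $msg['id'],
        subject_contains_markup($msg['subject']) ? 'yes' : 'no');
    printf("  unsafe: %s\n", render_subject_unsafe($msg));
    printf("  safe:   %s\n", render_subject_safe($msg));
    printf("  stored: %s\n", prepare_subject_for_storage($msg['subject']));
}
```

Escaping at output is the control that matters for messages already stored; input sanitization alone leaves existing rows exploitable.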



