ThreatPress

WordPress Vulnerabilities Database


WordPress FuneralPress Plugin 1.1.6 - Persistent XSS

Product
FuneralPress
Description
The FuneralPress plugin is prone to persistent cross-site scripting vulnerabilities. These vulnerabilities allow attackers to host malicious JavaScript on another site and enter a path to a local image in <input type="file" name="photo" id="wpfh_message_file"> if Photo was selected. Attackers can also submit the form with the following entered into <textarea style="width:100%;height:70px" name="photo-message"></textarea>.
Solution
For some basic XSS protection, use <textarea name="message">, or update the plugin.
Classification
Type XSS (Cross Site Scripting)
OWASP Top 10 A3: Cross Site Scripting (XSS)
References
Exploit-DB
CVE
Name CVE-2013-3529
Versions
Affected In <= 1.1.6
Fixed In 1.1.7
Disclosure date
2013-04-02
Credits
Rob Armstrong