Quick Paypal Payments - Persistent Cross Site Scripting Vulnerability
AUTHOR
======
Zy0d0x
BLOG
====
https://zy0d0x.com
DATE
====
10/08/2013
VENDOR
======
Quick Plugins - http://quick-plugins.com/
AFFECTED PRODUCT
================
Quick Paypal Payments Wordpress Plugin Version 3.0 possibly earlier
VULNERABILITY CLASS
===================
Cross-Site Scripting
DESCRIPTION
===========
Quick Paypal Payments suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "reference" and "amount" paramaters.
Other input fields are also effective to reflective cross site scripting.
PROOF OF CONCEPT
================
Enter the following into the field where Quick Paypal Payments requests a Payment reference.
If the message has been sent successfully a alert diolog will apear containing Zy0d0x when an user checks there message in the dashboard.
IMPACT
======
An attacker could potentially hijack session authentication tokes of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and operating system of the victim.