Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 01 Mar 2017 04:39:21 -0500
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1

Title: Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-21
Download Site:
Vendor Notified: 2017-02-28
Vendor Contact:
Description: AnyVar is a simple search and replace plugin. It lets you add changeable variables (text snippets) to posts, sidebars, widgets, links & themes.
$var_name and $var_text aren't sanitized before being sent to the webpage.  $var_name only can contain text so only $var_text is exploitable
In file ./anyvar/anyvar.php:

202                         echo "<tr id='anyvar-$var_name' $class>
203                                 <th scope='row' class='check-column'><input     type='checkbox' name='delete[]' value='$var_name' /></th>
204                                 <td><a class='row-title' href='?page=".$_GET    ['page']."&action=edit&amp;var=$var_name' title='Edit &quot;$var_name&quot;'    > $var_name</a></td>
205                                 <td>[$var_name]</td>
206                                 <td><textarea name='anyvar_text_$var_name' i    d='anyvar_text_$var_name' cols='60' rows='3' readonly>$var_text</textarea></    td>

CVE-ID: CVE-2017-6103
Exploit Code:
	• In the text field box the following will trigger a JS alert popup:
	• </textarea><script>alert(1);</script><textarea>
Screen Shots: []

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.