14 October 2013
Sam Brishes – http://www.pytes.net/
Dexs PM System WordPress Plugin Version 1.0.1
Persistent Cross-Site Scripting
The Dexs PM System suffers from a persistent Cross-Site Scripting vulnerability when sending a message to another user.
Proof of Concept
The following text can be entered into the subject field when sending a message to another user.
If exploited, an attacker could then conduct request forgery attacks against the WordPress installation. Depending on the role of the victim user, this could allow for a compromise of the WordPress installation itself.
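Mitigation sketch for the subject field, added here as an example and not taken from the plugin's source: the subject is sanitised before it is stored and escaped again when rendered, so rows saved before a fix are also displayed safely. The function names pm_prepare_subject and pm_render_subject_cell, the 200-character limit and the sample strings are assumptions; sanitize_text_field() and esc_html() are WordPress core functions, with simplified stand-ins defined only when the file is run outside WordPress.

```php
<?php
// Added example with hypothetical names; not the plugin's own code.

// Simplified stand-ins so the file also runs outside WordPress.
// Inside WordPress the core functions already exist and are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Input side: strip markup and trim the subject before it is stored.
function pm_prepare_subject($raw) {
    $subject = sanitize_text_field($raw);
    // Hypothetical length limit for the subject column.
    return substr($subject, 0, 200);
}

// Output side: escape at render time, whatever the stored value contains.
// This is what neutralises subjects already saved in the database.
function pm_render_subject_cell($stored) {
    return '<td class="pm-subject">' . esc_html($stored) . '</td>';
}

// Constructed sample values.
$new_subject    = pm_prepare_subject('  Lunch <b>today</b>?  ');
$legacy_subject = 'Re: <b>hi</b> & more'; // stored before any input filtering

echo pm_render_subject_cell($new_subject), "\n";
echo pm_render_subject_cell($legacy_subject), "\n";
```

Output escaping is the control that closes the persistent case; input sanitisation alone leaves previously stored subjects rendered as markup.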