Release Date
14 October 2013
Vendor
Sam Brishes – http://www.pytes.net/
Affected Product
Dexs PM System WordPress Plugin Version 1.0.1
Vulnerability Class
Persistent Cross-Site Scripting
Vulnerability Details
The Dexs PM System suffers from a persistent Cross-Site Scripting vulnerability when sending a message to another user.
Proof of Concept
The following text can be entered into the subject field when sending a message to another user.
<script>alert('xss');</script>
When the receiving user opens the message, a JavaScript alert dialog box will appear containing the text ‘xss.’
Impact
If exploited, an attacker could then conduct request for attacks against the WordPress installation. Depending on the role of the victim user, this could allow for a compromise of CMS WordPress install itself.