WordPress Plugin MDC Private Message 1.0.0 - Persistent Cross-Site Scripting







Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

# Exploit Title: WordPress MDC Private Message Persistent XSS
# Date: 8/20/15
# Exploit Author: Chris Kellum
# Vendor Homepage: http://medhabi.com/
# https://wordpress.org/plugins/mdc-private-message/
# Version: 1.0.0

Vulnerability Details

The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.)
to execute an XSS attack against an Administrator.

Proof of Concept: 

Place <script>alert('Hello!')</script> in the message field of a private message and then submit.

Open the message and the alert window will fire.

Disclosure Timeline

8/16/15 - Vendor notified.
8/19/15 - Version 1.0.1 released.
8/20/15 - Public Disclosure.