WordPress Plugin MDC Private Message 1.0.0 - Persistent Cross-Site Scripting

Author: Chris Kellum
type: webapps
platform: php
port: 80.0
date_added: 2015-08-21 
date_updated: 2015-08-21 
verified: 0 
codes: CVE-2015-6805;OSVDB-126598 
tags: WordPress Plugin
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.commdc-private-message.zip

# Exploit Title: WordPress MDC Private Message Persistent XSS
# Date: 8/20/15
# Exploit Author: Chris Kellum
# Vendor Homepage: http://medhabi.com/
# https://wordpress.org/plugins/mdc-private-message/
# Version: 1.0.0



=====================
Vulnerability Details
=====================

The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.)
to execute an XSS attack against an Administrator.

Proof of Concept:

Place <script>alert('Hello!')</script> in the message field of a private message and then submit.

Open the message and the alert window will fire.

===================
Disclosure Timeline
===================

8/16/15 - Vendor notified.
8/19/15 - Version 1.0.1 released.
8/20/15 - Public Disclosure.