Share
## https://sploitus.com/exploit?id=PACKETSTORM:214772
BulletProof Security 0.53.3 - Multiple Cross-site Scripting
    Advisory ID: RO-16-007
    Severity: Medium
    Vendor: AITpro
    Product: BulletProof Security
    Version: 0.53.3
    
    
    Overview #
    
    Multiple Cross-site Scripting (XSS) vulnerabilities exist in BulletProof Security WordPress Plugin version 0.53.3.
    
    
    Vulnerability Details #
    
    Affected Versions: 0.53.3 and earlier
    
    Root Cause: Insufficient input validation in security log page.
    Technical Details #
    
    Vulnerable URL: /wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
    
    Vulnerable Parameter (POST): user-agent-ignore
    
    Attack Pattern:
    
    '"--></style></scRipt><scRipt>alert(0x001E32)</scRipt>
    
    
    
    Exploitation Requirements #
    
        Admin authentication required
        Victim must interact with the malicious element
    
    Impact #
    
    Remote attackers can exploit these vulnerabilities to:
    
        Steal admin session cookies
        Perform administrative actions
        Bypass security logging features
    
    
    
    Solution #
    
    Update to the latest version. See BPS Changelog.
    
    
    References #
    
        Invicti Advisory NS-16-003
    
    Timeline:
    
        [2016-03-15] - First Contact
        [2016-03-23] - Vendor Fixed
        [2016-05-09] - Advisory Released
    
    Credits: Omar Kurt