The AddToAny Share Buttons WordPress Plugin was, until recently, vulnerable to a DOM-based cross-site scripting issue. The file in question is hosted on the author’s site, so you’re not vulnerable anymore (you’re welcome). If you just want the vulnerability details, go here. Now for the story of this bug.
The “snippet preview” functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago by someone named “badconker”, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version.
Yoast WordPress SEO XSS in action
I noticed a while back that when I carelessly entered my login credentials to the form for registering a new user account on the front page of the DigitalOcean site, it would still log me in. Neato.
However, I was slightly less amused when I noticed that the login event didn’t show an IP address in my security history.
User.login event with IP address conspicuously missing
I reported this at the time the screenshot was taken several months ago. It appears they have recently fixed the issue.
Just a reminder that not all vulnerabilities are obvious, and you can’t find them all with BURP.
