WordPress Token Manager Plug-in version 1.0.2 contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks on a targeted system.
The vulnerability is due to insufficient sanitization of user-supplied input by the affected software when the page parameter is set to tokenmanageredit. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to open a URL that has crafted input in the tid parameter that is supplied to the wp-admin/admin.php script. If successful, it could allow the attacker to execute arbitrary script code in the user's browser session under the context of the affected site.
Proof-of-concept code that exploits this vulnerability is publicly available.
Users should verify that unsolicited links are safe to follow.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
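The following is an added illustration of the detection side of that advice; it is not code from the Cisco advisory or from the Token Manager plug-in. It scans web-server access-log lines (constructed for this example) for the conditions the advisory describes: a request to wp-admin/admin.php with page set to tokenmanageredit and a tid value that, after URL decoding, carries HTML or script metacharacters that a numeric token id never needs. The log format, the IP addresses and the metacharacter list are assumptions for the illustration.

```python
# Added example: heuristic log scan for requests matching the advisory's
# vulnerable parameter. Not the advisory's or the plug-in's own code;
# the log lines below are constructed.
import re
from urllib.parse import parse_qs, unquote

# Common Log Format: client ident user [timestamp] "METHOD TARGET HTTP/x.y" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+"')

# Metacharacters a token id has no reason to contain. Their presence in tid
# is a signal worth alerting on, not proof that an attack succeeded.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

# Conditions taken from the advisory text.
VULNERABLE_PATH = "/wp-admin/admin.php"
VULNERABLE_PAGE = "tokenmanageredit"


def is_exploit_attempt(path: str, query: str) -> bool:
    """True when the request targets admin.php with page=tokenmanageredit and
    at least one tid value contains metacharacters after URL decoding."""
    if not path.endswith(VULNERABLE_PATH):
        return False
    params = parse_qs(query, keep_blank_values=True)
    if VULNERABLE_PAGE not in params.get("page", []):
        return False
    # parse_qs already decoded once; unquote again to catch double encoding.
    return any(SUSPICIOUS_RE.search(unquote(v)) for v in params.get("tid", []))


def scan_log(lines):
    """Return (client_ip, decoded_tid) for each line that matches the heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, _method, target = m.groups()
        path, _, query = target.partition("?")
        if is_exploit_attempt(path, query):
            tid = parse_qs(query, keep_blank_values=True)["tid"][0]
            hits.append((ip, unquote(tid)))
    return hits


# Constructed sample log: one benign edit, one suspicious tid on the
# vulnerable page, one suspicious value on a different page (not flagged
# by this scoped rule), and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:12:00:00 +0000] "GET /wp-admin/admin.php?page=tokenmanageredit&tid=17 HTTP/1.1" 200 1834',
    '203.0.113.9 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-admin/admin.php?page=tokenmanageredit&tid=17%22%3E%3Cscript%3E HTTP/1.1" 200 1834',
    '203.0.113.9 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-admin/admin.php?page=tokenmanager&tid=%3Cb%3E HTTP/1.1" 200 1834',
    '198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, tid in scan_log(SAMPLE_LOG):
        print(f"possible XSS attempt from {ip}: tid={tid!r}")
```

The rule is deliberately scoped to the path and page named in the advisory so that it stays quiet on unrelated traffic; a broader deployment would widen it to every reflected parameter and pair the log alert with the real fix, upgrading the plug-in.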
WordPress has released a changelog at the following link: Token Manager. WordPress has released updated software at the following link: Token Manager 1.0.3 or later.