WordPress CMS Tree Page View Plugin 'cms_tpv_view' Parameter Cross Site Scripting Vulnerability

Bugtraq ID:	52708
Class:	Input Validation Error
CVE:	CVE-2012-1834
Remote:	Yes
Local:	No
Published:	Mar 26 2012 12:00AM
Updated:	Apr 17 2014 01:02AM
Credit:	High-Tech Bridge SA
Vulnerable:	WordPress CMS Tree Page View 0.8.8
Not Vulnerable:	WordPress CMS Tree Page View 0.8.9

WordPress CMS Tree Page View Plugin 'cms_tpv_view' Parameter Cross Site Scripting Vulnerability

CMS Tree Page View for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CMS Tree Page View 0.8.8 is vulnerable; other versions may also be affected.

WordPress CMS Tree Page View Plugin 'cms_tpv_view' Parameter Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

WordPress CMS Tree Page View Plugin 'cms_tpv_view' Parameter Cross Site Scripting Vulnerability

References:

• Changeset 523576 for cms-tree-page-view (WordPress)
  
• CMS Tree Page View Homepage (WordPress)
  
• XSS vulnerability in CMS Tree Page View Wordpress Plugin (High-Tech Bridge SA Security Research Lab)