From 0f72e2a78b56c7328718b93d6129bf5b3982bb6d Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Sun, 27 Jan 2013 06:50:41 -0800 Subject: [PATCH] Initial commit --- WordPress-3.5-Issues.md | 47 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 WordPress-3.5-Issues.md diff --git a/WordPress-3.5-Issues.md b/WordPress-3.5-Issues.md new file mode 100644 index 0000000..7b8c087 --- /dev/null +++ b/WordPress-3.5-Issues.md 
@@ -0,0 +1,47 @@ +# WordPress 3.5 + +WordPress released version 3.5.1 on January 24th 2013 which fixed a number of issues [0]: + +* Issue 1: "A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions." + +* Issue 2: "Two instances of cross-site scripting via shortcodes and post content." + +* Issue 3: "A cross-site scripting vulnerability in the external library Plupload." + +## Issue 1 + +This issue was originally discovered by [@_FireFart_](https://twitter.com/@_FireFart_) a WPScan Team member. You can find his Pingback Port Scanner [here](https://github.com/FireFart/WordpressPingbackPortScanner). Additional [issues](http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html) were also identified with the pingback API. + +## Issue 2 + +This issue was successfully investigated by [@erwan_lr](https://twitter.com/@erwan_lr), a WPScan Team member. 'Administrators and Editors have the unfiltered_html capability' [1] so they are permitted to insert raw JavaScript into blog posts, less privileged users should not be allowed to insert JavaScript into blog posts, however, with these PoCs it is possible. + +### Instance 1 + +Proof of Concept: ```[gallery ids="20" icontag="script>alert(1)"]``` + +### Instance 2 + +Proof of Concept: ```[embed]javascript:alert(document.cookie)[/embed]``` + +## Issue 3 + +This issue was successfully investigated by [@erwan_lr](https://twitter.com/@erwan_lr), a WPScan Team member. "[Plupload] Allows you to upload files using HTML5 Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads." 
[2] + +Proof of Concept: ```wp-includes/js/plupload/plupload.flash.swf?id=\"));}catch(e){alert(1);}//``` + +## References and Further Reading + +[0] http://wordpress.org/news/2013/01/wordpress-3-5-1/ + +[1] http://core.trac.wordpress.org/ticket/22861 + +[2] http://plupload.com/ + +[3] https://github.com/wpscanteam/wpscan/issues/120 + +[4] https://github.com/wpscanteam/wpscan/issues/119 + +[5] https://github.com/FireFart/WordpressPingbackPortScanner + +[6] http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html \ No newline at end of file
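Review bot: the "References and Further Reading" list in the new WordPress-3.5-Issues.md carries entries [3] through [6] that the body never cites; only [0], [1] and [2] appear in the text. [5] and [6] duplicate URLs that are already linked inline under "Issue 1" (the Pingback Port Scanner and the onsec.ru "Additional issues" link), so either cite them there by number or drop them, and [3] and [4] (wpscan issues 120 and 119) should be cited where they apply or removed, since a reader cannot tell which issue each tracks. Two smaller points in the same hunk: the three "Proof of Concept:" lines wrap inline code in triple backticks (e.g. ```[gallery ids="20" icontag="script>alert(1)"]```), which Markdown treats as a fenced block rather than inline code, so use single backticks; and the Issue 2 paragraph is a comma splice ("... into blog posts, less privileged users should not be allowed ..."), which reads better split into two sentences. The file is also committed without a trailing newline ("\ No newline at end of file"), which will surface as a spurious change on the next edit.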