Metamorfosec Security Advisory METS-2019-002

Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin v1.0.8 for WordPress

FIRST PUBLISHED: February 16, 2019
VERSION: 1.0
VENDOR: MyThemeShop (https://mythemeshop.com/)
PRODUCT: Launcher
VERSION AFFECTED: 1.0.8 (prior versions may also be affected)
CVE-ID: CVE-2019-7411

PRODUCT DESCRIPTION:
(from official website: https://mythemeshop.com/plugins/launcher/)
Launcher is the perfect WordPress plugin for anyone launching a new product, website or service. Stun visitors with one of our beautiful, ready-made templates or create your own. Build anticipation with timers, contact forms and other promotional features.

FINDING:
Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows:
(1) Title
(2) Favicon
(3) Meta Description
(4) Subscribe Form (Name field label, Last name field label, Email field label)
(5) Contact Form (Name field label and Email field label)
(6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL)

PROOF OF CONCEPT:
In the identified vulnerable fields above, please enter "> or ">. After that, save and preview the Launcher page to trigger the alert.
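The output encoding that closes this class of bug for the field types listed under FINDING, shown as an added example that is not the Launcher plugin's code or the vendor's patch. The option keys, the markup and the sample values are assumptions constructed for illustration; it uses plain PHP so it runs on its own, and inside WordPress the corresponding helpers are esc_html(), esc_attr() and esc_url().

```php
<?php
// Added example: hypothetical rendering code, NOT the Launcher plugin's source.
// Option keys are assumptions that mirror the field groups under FINDING.

// Constructed sample settings containing markup-breaking characters.
$opts = [
    'title'       => 'Coming soon"><i>canary</i>',
    'favicon'     => 'https://example.test/f.ico" data-canary="1',
    'description' => 'Launch page"><i>canary</i>',
    'name_label'  => 'Name"><i>canary</i>',
    'facebook'    => 'javascript:canary',
];

// HTML text and quoted-attribute contexts: encode & < > " and '.
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL contexts: accept only absolute http(s) URLs, then attribute-encode.
function safe_url(string $v): string {
    $scheme = strtolower((string) parse_url(trim($v), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? h(trim($v)) : '';
}

// Before: stored values are concatenated into the page unchanged.
function render_unescaped(array $o): string {
    return "<title>{$o['title']}</title>\n"
        . "<link rel=\"icon\" href=\"{$o['favicon']}\">\n"
        . "<meta name=\"description\" content=\"{$o['description']}\">\n"
        . "<input name=\"name\" placeholder=\"{$o['name_label']}\">\n"
        . "<a href=\"{$o['facebook']}\">Facebook</a>\n";
}

// After: every value is encoded for the context it lands in.
function render_escaped(array $o): string {
    return '<title>' . h($o['title']) . "</title>\n"
        . '<link rel="icon" href="' . safe_url($o['favicon']) . "\">\n"
        . '<meta name="description" content="' . h($o['description']) . "\">\n"
        . '<input name="name" placeholder="' . h($o['name_label']) . "\">\n"
        . '<a href="' . safe_url($o['facebook']) . "\">Facebook</a>\n";
}

echo "--- unescaped ---\n", render_unescaped($opts);
echo "--- escaped ---\n", render_escaped($opts);
```

In the escaped output the quote and angle-bracket characters arrive as entities, so each value stays inside its element or attribute, and the non-http(s) Social Links value is emitted as an empty href.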

MITIGATION:
Update to v1.0.11 or newer

ADVISORY TIMELINE:
Jan 16, 2019 - Vulnerability found; first contact with the vendor via the contact form on the official website, and received a response from the vendor
Jan 17, 2019 - Requested a CVE-ID
Feb 6, 2019 - Received a CVE-ID (CVE-2019-7411, still RESERVED) and informed the vendor
Feb 9, 2019 - Vendor released v1.0.9; found that the Page Title, Header Code, and Footer Code fields were still vulnerable to XSS
Feb 11, 2019 - Vendor released v1.0.10; found that the Page Title, Header Code, and Footer Code fields were still vulnerable to XSS
Feb 12, 2019 - Vendor released v1.0.11; Page Title patched, but the vendor cannot block JavaScript in Header Code and Footer Code since these fields are designed for this purpose, such as inserting an Analytics tracking script
Feb 16, 2019 - Published this advisory (v1.0), updated the description for CVE-2019-7411, and requested publication of CVE-2019-7411

REVISION HISTORY:
Version 1.0 (Feb 16, 2019) - First release

REFERENCES:
https://wordpress.org/plugins/launcher/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7411

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.