Vulnerability in Multiple Sidebars plugin (used by a lot of themes on Themeforest)

Hi,

There are some vulnerabilities in the Multiple Sidebars plugin, which is used by a lot of themes. I already notified Envato about this half a year ago, and they promised that they would take care of the issue; however, nothing happened.

A few days ago, I notified some authors about it, some of them already fixed it, some of them didn’t even reply.

Given that some changelogs already contain the note about the fix, I decided to publish it here, so every author who uses the plugin in their products can be notified about it.

The main problem is that it doesn’t verify the user roles, and there is some unfiltered output, which leads to a reflected XSS.

I won’t publish an exploit, but here is a fixed version if someone needs it:
http://swte.ch/tmp/sidebar_generator
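As an added illustration (not the poster's code and not the Multiple Sidebars plugin's code), here is a hypothetical WordPress admin-ajax handler in the weak shape the post describes, next to a hardened version; the function names, capability, nonce action, option name and request parameter are all assumptions:

```php
<?php
// Added example, not the Multiple Sidebars plugin's code. A hypothetical
// admin-ajax handler that registers a custom sidebar; every name below is assumed.

// Weak pattern matching the post's description: no role/capability check and
// the request value is echoed back unescaped, so a crafted link reflects
// attacker-controlled markup into any logged-in user's browser.
function ms_example_add_sidebar_weak() {
    $name = $_REQUEST['sidebar_name'];
    echo 'Sidebar "' . $name . '" created';
    wp_die();
}

// Hardened pattern: capability check, nonce check, sanitize in, escape out.
function ms_example_add_sidebar() {
    // 1. Only users allowed to manage theme options may reach this code path.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // calls wp_die()
    }
    // 2. The nonce ties the request to a form this site issued (blocks CSRF).
    check_ajax_referer( 'ms_example_add_sidebar', 'nonce' );

    // 3. Sanitize the input on the way in and reject empty names.
    $name = isset( $_POST['sidebar_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['sidebar_name'] ) )
        : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing sidebar name', 400 );
    }
    $sidebars = (array) get_option( 'ms_example_sidebars', array() );
    $sidebars[ sanitize_key( $name ) ] = $name;
    update_option( 'ms_example_sidebars', $sidebars );

    // 4. Escape on the way out as well; sanitizing input is not output encoding.
    wp_send_json_success( array(
        'message' => sprintf( 'Sidebar "%s" created', esc_html( $name ) ),
    ) );
}
// Only the hardened handler is hooked; the weak one is shown for contrast.
add_action( 'wp_ajax_ms_example_add_sidebar', 'ms_example_add_sidebar' );
```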

Have you tried to contact the plugin author instead?

No.

First: it is a pretty old plugin, and I am not sure that he supports it (the plugin’s site doesn’t load at all: http://www.getson.info)

Second: I notified Envato because a lot of top themes (e.g. Avada) are using it (and who knows how many less popular ones), and I asked them to check which themes use it and notify the authors at the same time. They told me that they would contact the developer first and take care of it, but I think they didn’t do anything. XSS in Avada? Who cares…