Wordfence Bug Bounty Program - DOM Based XSS on Main Site! Patched Without Even a Reply!

A few days ago, I read about the new Bug Bounty Program started by Wordfence. Link

Wordfence is the Leading CyberSecurity solution for WordPress. They provide a Complete Anti-Virus and Firewall Package for your WordPress Website including Two Factor Authentication, a Firewall incorporating Machine Learning and Tools to help Recover from a Hack. Wordfence is available free. Simply sign into your WordPress website, Go to Plugins > Add New > And search for 'wordfence' without quotes. Our premium version includes enterprise features like Two Factor Authentication and Country Blocking. 
As a bounty they were offering a Wordfence 5 year Premium license per bug reported. These licenses are priced at $146.25. That's cool. I thought, why not try my hand at this bounty program.

When I visited the site, I noticed that it is running the WordPress CMS. The version was 3.6 and almost all the known vulnerabilities seemed to be patched. Then I checked the page source and the plugins. I found that the site is integrated with a plugin named WordPress prettyPhoto. I reviewed the JavaScript source of the plugin and found that it is vulnerable to DOM based Cross Site Scripting, as it accepts input from the URL without sanitizing it. So I generated my payload and crafted the URL as follows:

http://www.wordfence.com/#!prettyPhoto/<a onclick="alert(/XSS by Tushar Kumbhare/);">/
I typed this URL in the address bar, hit Enter and bang!!! I got a prompt showing the XSS vulnerability. I immediately reported the vulnerability and they patched it within an hour. They are really very fast compared to others.
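To show the defect class behind this report, here is an added illustration (not prettyPhoto's own code and not Wordfence's fix, which the post does not show): a model of hash-based deep-link handling, first in the vulnerable shape (fragment text flows into markup) and then hardened (fragment treated as data and validated against the one shape the feature needs). The `#!prettyPhoto/` prefix comes from the URL above; the function names, the caption markup and the assumption that the value is a numeric gallery index are mine.

```javascript
// Added example: models a prettyPhoto-style deep link "#!prettyPhoto/<index>/".
// Assumption: the value after the prefix is meant to be a gallery index.
const DEEP_LINK_PREFIX = '#!prettyPhoto/';

// Vulnerable pattern (DOM XSS): source = location.hash, sink = innerHTML.
// The fragment text is concatenated straight into markup, so anything the
// URL carries becomes part of the DOM when this string is assigned to innerHTML.
function buildCaptionUnsafe(hash) {
  if (!hash.startsWith(DEEP_LINK_PREFIX)) return '';
  const value = hash.slice(DEEP_LINK_PREFIX.length).replace(/\/$/, '');
  return '<div class="pp_caption">Image ' + value + '</div>';
}

// Hardened step 1: parse the fragment as data and accept only the expected
// shape (a short decimal index). Anything else is rejected, not "cleaned".
function parseDeepLinkIndex(hash) {
  if (typeof hash !== 'string' || !hash.startsWith(DEEP_LINK_PREFIX)) return null;
  const value = hash.slice(DEEP_LINK_PREFIX.length).replace(/\/$/, '');
  return /^[0-9]{1,4}$/.test(value) ? Number(value) : null;
}

// Hardened step 2: even validated values are HTML-escaped before any HTML sink,
// so a later relaxation of the validator cannot silently reintroduce the bug.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function buildCaptionSafe(hash) {
  const index = parseDeepLinkIndex(hash);
  if (index === null) return '';
  return '<div class="pp_caption">Image ' + escapeHtml(index) + '</div>';
}

// Constructed inputs: a normal deep link and one carrying markup (inert tag).
const NORMAL_HASH = '#!prettyPhoto/1/';
const MARKUP_HASH = '#!prettyPhoto/<b>injected</b>/';
```

With `MARKUP_HASH`, `buildCaptionUnsafe` returns a string containing the `<b>` tag unchanged, while `buildCaptionSafe` returns an empty string because the value is not a gallery index.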

But these days you can't trust anyone. Leave aside the bounty; they patched the vulnerability without even a reply or a message of thanks. I don't know why these bug bounty vendors don't play a fair game. They are just using our talent to secure their vulnerable ass and didn't even give a reply of thanks. To be very frank, I am losing trust in these bug bounty programs due to some recent experiences I have had in the last few days.

Let it be, but fortunately I recorded a video as a Proof Of Concept. It's attached below:

After reporting 3 times with no reply, my message to the Wordfence team: I still have 1 SQLi and 2 XSS on your site, and this time I will not report but do only one thing.

Reach me at Facebook - https://www.facebook.com/heartstlear

Reach me at twitter - https://www.twitter.com/tush2388

Reach me at LinkedIn - http://www.linkedin.com/pub/tushar-kumbhare/69/8a7/9b8
