Media File Renamer V1.7.0 wordpress plugin XSS

2014-02-24 / 2014-03-04
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Date: 1/31/2014
Author: Larry W. Cashdollar, @_larry0
Vendor: Notified 2/4/2014
CVE: 2014-2040
Download: http://www.meow.fr/media-file-renamer/

Vulnerability:
The following functions do not sanitize input before being echoed out:

In file mfrh_class.settings-api.php:

    function callback_multicheck( $args ) {
        $value = $this->get_option( $args['id'], $args['section'], $args['std'] );

        $html = '';
        foreach ( $args['options'] as $key => $label ) {
            $checked = isset( $value[$key] ) ? $value[$key] : '0';
            $html .= sprintf( ' ', $args['section'], $args['id'], $key, checked( $checked, $key, false ) );
            $html .= sprintf( ' %3$s ', $args['section'], $args['id'], $label, $key );
        }
        $html .= sprintf( ' %s', $args['desc'] );

        echo $html;
    }

    function callback_radio( $args ) {

        $value = $this->get_option( $args['id'], $args['section'], $args['std'] );

        $html = '';
        foreach ( $args['options'] as $key => $label ) {
            $html .= sprintf( ' ', $args['section'], $args['id'], $key, checked( $value, $key, false ) );
            $html .= sprintf( ' %3$s ', $args['section'], $args['id'], $label, $key );
        }
        $html .= sprintf( ' %s', $args['desc'] );

        echo $html;
    }

    function callback_wysiwyg( $args ) {

        $value = wpautop( $this->get_option( $args['id'], $args['section'], $args['std'] ) );
        $size = isset( $args['size'] ) && !is_null( $args['size'] ) ? $args['size'] : '500px';

        echo ' ';

        wp_editor( $value, $args['section'] . '[' . $args['id'] . ']', array( 'teeny' => true, 'textarea_rows' => 10 ) );

        echo ' ';

        echo sprintf( ' %s ', $args['desc'] );
    }

PoC:
If a user with permission to add media or edit media uploads a file with "<script>alert(1)</script>" as the title they can XSS the site admin user.

Full Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html

References:

http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html
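
The mitigation for the pattern in the listed callbacks is to escape each dynamic value for the context it is written into. The script below is an added example, not code from the plugin or the advisory: `render_radio_escaped` is a hypothetical helper, the markup in its format strings is assumed (the plugin's markup is not shown on this page), and the section and field names are placeholders.

```php
<?php
// Inside WordPress, esc_attr() and esc_html() already exist. These fallbacks
// only let the script run stand-alone from the command line.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical helper shaped like callback_radio: every dynamic value is
// escaped for where it lands (attribute value vs. element text).
function render_radio_escaped( array $args, $value ) {
    $html = '';
    $name = sprintf( '%s[%s]', $args['section'], $args['id'] );
    foreach ( $args['options'] as $key => $label ) {
        $id    = sprintf( '%s[%s]', $name, $key );
        $html .= sprintf(
            '<input type="radio" id="%1$s" name="%2$s" value="%3$s"%4$s /> ',
            esc_attr( $id ),
            esc_attr( $name ),
            esc_attr( $key ),
            ( (string) $value === (string) $key ) ? ' checked="checked"' : ''
        );
        $html .= sprintf( '<label for="%1$s">%2$s</label><br />', esc_attr( $id ), esc_html( $label ) );
    }
    $html .= sprintf( '<span class="description">%s</span>', esc_html( $args['desc'] ) );
    return $html;
}

// Constructed input: one label carries the title string from the PoC.
$args = array(
    'section' => 'example_section', // placeholder
    'id'      => 'example_field',   // placeholder
    'desc'    => 'Example description',
    'options' => array( 'a' => '<script>alert(1)</script>', 'b' => 'Plain label' ),
);
$out = render_radio_escaped( $args, 'b' );
echo $out, PHP_EOL;

// The label must come out as inert text, never as a script element.
if ( strpos( $out, '<script>' ) !== false ) {
    fwrite( STDERR, "unescaped markup in output\n" );
    exit( 1 );
}
```

Where a description field legitimately carries markup, `wp_kses_post()` is the WordPress function that keeps an allowed subset of HTML instead of escaping everything.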

