Abstract
Multiple stored Cross-Site Scripting vulnerabilities were found in the Easy Testimonials WordPress Plugin. These issues can be exploited by an authenticated Contributor (or higher). It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0010
Tested versions
These issues were successfully tested on Easy Testimonials WordPress Plugin version 1.36.1.
Fix
This issue is resolved in Easy Testimonials WordPress Plugin version 1.37.
Introduction
Easy Testimonials is an easy-to-use plugin that allows users to add Testimonials to the sidebar, as a widget, or to embed testimonials into a Page or Post using the shortcode. Multiple stored Cross-Site Scripting vulnerabilities were found in the Easy Testimonials WordPress Plugin. These issues can be exploited by an authenticated Contributor (or higher).
Details
This can be exploited by users with a role lower than the Editor (which has the unfiltered_html privileges) to add scripts and HTML when creating or updating a testimonial. This is possible by the following fields:
- Client Name.
- Position/Web Address/Other.
- Location Reviewed/Product Reviewed/Item Reviewed.
The vulnerability allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.
