WordPress Easy Table 1.6 Cross Site Scripting

Published
Credit
Risk
2017.02.15
Manuel Garcia Cardenas
Low
CWE
CVE
Local
Remote
CWE-79
N/A
No
Yes

=============================================
MGC ALERT 2017-001
- Original release date: Feb 07, 2017
- Last revised: Feb 12, 2017
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Easy Table 1.6 - Persistent Cross-Site Scripting

II. BACKGROUND
-------------------------
Easy Table is a WordPress plugin that allow you to insert table in easy way.

III. DESCRIPTION
-------------------------
Has been detected a Persistent XSS vulnerability in Easy Table, that allows
the execution of arbitrary HTML/script code to be executed in the context
of the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:
/wordpress/wp-admin/options-general.php?page=easy-table

easy_table_plugin_option[shortcodetag]
easy_table_plugin_option[attrtag]
easy_table_plugin_option[class]
easy_table_plugin_option[width]
easy_table_plugin_option[border]
easy_table_plugin_option[align]
easy_table_plugin_option[limit]
easy_table_plugin_option[nl]
easy_table_plugin_option[terminator]
easy_table_plugin_option[delimiter]
easy_table_plugin_option[escape]

In all of this parameters an attacker can inject for example
"><script>alert(1)</script> to perform a attack of Persistent Cross-Site
Scripting.

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Easy Table <= 1.6

VII. SOLUTION
-------------------------
Disable the plugin until a fix is available.

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins-wp/easy-table/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
Feb 07, 2017 1: Initial release
Feb 12, 2017 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
Feb 07, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
Feb 07, 2017 2: Send to vendor
Feb 09, 2017 3: New contact with vendor without response
Feb 12, 2017 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester



See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com